Hi all, Stateful NAT failover is described here: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html If you have a setup like the one shown in Figure 1, things will fall down if the routers in question are running the IOS firewall feature set. The dynamic ACL entries added by CBAC on the "Primary NAT" router will not have been replicated to the "Backup NAT" router, and the return traffic will be dropped (even though a NAT translation exists for it). Is there anything like stateful CBAC failover, in a similar vein to the above? Or some other way to synchronize dynamic ACL entries between two IOS Firewall routers? thanks a lot, alec --