Well I like the fact that you still only have one access point, the firewall. You don't have to worry about the upstream router having a correct access-list (deny anything but IPsec traffic to and from the VPN). I can see where this goes totally against K.I.S.S., but I still really like it. Thanks for the link btw.

--- Ben Nagy <[EMAIL PROTECTED]> wrote:

> G'day,
>
> I don't like the solution that loops the VPN traffic through the
> firewall twice. I can't see any real security gain, and there is a big
> complexity loss. If you were to use NAT, as Bob suggested, then it's
> even worse, because you have all the VPN / NAT issues. Yes, the Cisco
> concentrators can use NAT-transparent mode, but that's an extra
> encapsulation, and should only be used when necessary.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
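For reference, here is what the upstream-router access-list mentioned in the reply ("deny anything but IPsec traffic to and from the VPN") looks like in Cisco IOS syntax. This is an added illustration, not configuration posted by either participant; the VPN endpoint address 192.0.2.10 and the interface name are constructed placeholders. It permits only IKE (UDP/500), IKE/ESP NAT traversal (UDP/4500) and ESP (IP protocol 50) to and from the VPN device, and logs everything else it drops, so the router's counters and log show when something other than IPsec is hitting the perimeter.

```cisco
! Added example, not from the thread. Upstream router ACL that admits only
! IPsec to and from the VPN device and denies everything else.
! 192.0.2.10 is a constructed placeholder (RFC 5737 documentation space)
! standing in for the VPN concentrator's public address.

ip access-list extended VPN-ONLY-IN
 remark IKE negotiation (ISAKMP, UDP/500) to the VPN endpoint
 permit udp any host 192.0.2.10 eq isakmp
 remark IKE and ESP-in-UDP when NAT traversal (UDP/4500) is in use
 permit udp any host 192.0.2.10 eq 4500
 remark IPsec ESP (IP protocol 50) to the VPN endpoint
 permit esp any host 192.0.2.10
 remark Uncomment if AH (IP protocol 51) is actually used
 ! permit ahp any host 192.0.2.10
 remark Everything else is dropped and logged for review
 deny ip any any log

ip access-list extended VPN-ONLY-OUT
 remark Same three flows in the outbound direction, VPN endpoint as source
 permit udp host 192.0.2.10 any eq isakmp
 permit udp host 192.0.2.10 any eq 4500
 permit esp host 192.0.2.10 any
 deny ip any any log

! Apply on the Internet-facing interface (placeholder interface name):
! "in" filters traffic arriving from upstream, "out" filters traffic leaving.
interface Serial0/0
 description Upstream / Internet side
 ip access-group VPN-ONLY-IN in
 ip access-group VPN-ONLY-OUT out
```

Note that this list only controls what reaches the VPN device from the outside; the cleartext side of the tunnel still has to pass the firewall, which is the one policy point the reply is arguing to keep. If the VPN uses NAT-transparent mode, the UDP/4500 lines are the ones that carry the traffic; if it does not, they can be removed to keep the list minimal.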