Neither. The MAX will just forward the packet untouched
to the IP address you say. This means that both the MAX
and the target MUST be in the same physical net.

What you described is IP-in-IP, which is a different option.
I believe you may need a hash code for IP-in-IP though.

-J

>From: "Ben-David, Joe" <Joe.Ben-David at eurekaggn.com>
>
>	  All,
>	If you recall, the IP-Direct feature in the MAX access server
>overrides the routing table in the MAX, forcing the dial-in user's traffic
>to be routed to a specific IP address regardless of the destination address
>of his IP traffic. There is a parameter in a connection profile and in
>RADIUS which specifies this target address. In the implementation of this
>feature, is the IP-Direct target address pre-pended to the packet,
>preserving the actual destination address? Or does the IP-Direct function
>replace the actual destination address in the user traffic with the
>IP-Direct address?
> > 	 A customer to whom we have proposed an Internet T1, a firewall, and
> > some 60 dial-in ISP Internet accounts wishes to restrict to business use
> > only the Internet access accounts provided to his employees. He only wants
> > them to be able only to access his site via their Internet dial-in
> > accounts with us, and to go back out to the Internet through his firewall.
> > The IP-Direct address in his case would be the public IP address of a
> > firewall on his LAN. Once the firewall receives the traffic, will it strip
> > off the pre-pended IP-Direct IP address and read the original destination
> > address of the packet for access list referral and go/no-go forwarding?
> >
>

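
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Ascend's code: a Python model in which IP-Direct forces only the next hop and leaves the packet bytes unchanged, while IP-in-IP (RFC 2003, IP protocol 4) wraps the packet in an outer header. The function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct

def checksum(hdr: bytes) -> int:
    """Internet checksum over a header of even length."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet with a 20-byte header and no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def dst_of(pkt: bytes) -> str:
    """Destination address field of the outermost IPv4 header."""
    return str(ipaddress.IPv4Address(pkt[16:20]))

def ip_direct(pkt: bytes, direct_addr: str, local_net: str):
    """Model of the reply's description: the packet is not rewritten, only the
    next hop is forced, so the target has to be reachable on the local net.
    (The TTL decrement a real router performs is left out of this model.)"""
    if ipaddress.IPv4Address(direct_addr) not in ipaddress.IPv4Network(local_net):
        raise ValueError("IP-Direct target must be on the same physical net")
    return direct_addr, pkt  # (address to resolve at the link layer, same bytes)

def ip_in_ip(pkt: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """RFC 2003 encapsulation: new outer header, original packet as payload."""
    return ipv4_packet(tunnel_src, tunnel_dst, 4, pkt)

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
USER, WEB = "192.0.2.10", "198.51.100.80"
MAX_LAN, MAX_ADDR, FIREWALL = "203.0.113.0/24", "203.0.113.2", "203.0.113.1"
USER_PKT = ipv4_packet(USER, WEB, 6, b"constructed-tcp-segment")

if __name__ == "__main__":
    hop, out = ip_direct(USER_PKT, FIREWALL, MAX_LAN)
    print("IP-Direct: next hop", hop, "| firewall ACL sees dst", dst_of(out))
    enc = ip_in_ip(USER_PKT, MAX_ADDR, FIREWALL)
    print("IP-in-IP : outer dst", dst_of(enc), "| inner dst", dst_of(enc[20:]))
```

With IP-Direct the firewall's access list matches on the user's real destination with no decapsulation step; with IP-in-IP the firewall would have to be the tunnel endpoint and strip the outer header first.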