On 28 Nov 2001, at 13:56, Kent Hundley wrote:

> If users on Comcast could not connect to your 30xx series box, the
> only way that they could have been blocking this traffic would have
> been either blocking packets with your VPN box as the dst IP
> (unlikely), or blocking some or all of the UDP port numbers in use.
> Obviously, with the 5000 this would not be possible since they
> wouldn't be able to block users from using port 80.

Agreed. Although it sounds like the 50xx "NAT transparency" was (mis)designed as "get around virtually all port-filter firewall policies", which can hardly be regarded as security-friendly behaviour -- I will not be recommending such a box to anyone anytime soon unless they use an application-level proxy for outbound port 80 traffic.

> NAT transparency _can_ solve the issue of an ISP blocking IPSec
> traffic, but it depends on how the feature is implemented and to
> what lengths you're willing to go to work around your ISP.

In the case in question, it is/was a violation of the ISP's AUP. On the one hand, one can argue that the AUP is so restrictive that you should never have purchased the service from the ISP since it doesn't meet your needs. On the other hand, a company that encouraged employees to violate ISP AUPs in the course of their work might find itself at the pointy end of a nasty lawsuit....

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
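The application-level proxy David recommends for outbound port 80 only helps if it can tell real HTTP from something merely carried on port 80. As an added example, not code from this thread or from any product mentioned in it, here is a Python classifier for the first bytes a client sends on a TCP/80 connection, which an egress proxy could use to refuse non-HTTP flows; the sample payloads are constructed, and no assumption is made about any particular vendor's encapsulation format.

```python
import re

# Grammar fragments from RFC 7230: request-line and header field.
_REQUEST_LINE = re.compile(rb"\A([A-Z]{3,7}) (\S+) HTTP/1\.[01]\Z")
_HEADER_LINE = re.compile(rb"\A[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[\x20-\x7e\t]*\Z")
_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
_MAX_HEAD = 8192  # bytes a proxy buffers before giving up on seeing a request head


def _plausible_prefix(line: bytes) -> bool:
    """True if `line` (no CRLF seen yet) can still grow into a valid request line."""
    if not all(0x20 <= b < 0x7F for b in line):
        return False  # binary bytes never occur in a request line
    parts = line.split(b" ", 2)
    if not re.fullmatch(rb"[A-Z]{0,7}", parts[0]):
        return False
    if len(parts) == 1:
        return True  # still inside the method token
    if parts[0] not in _METHODS:
        return False
    return len(parts) == 2 or any(v.startswith(parts[2]) for v in (b"HTTP/1.0", b"HTTP/1.1"))


def classify_first_bytes(payload: bytes) -> str:
    """Classify the opening client bytes of an outbound TCP/80 connection.

    "http": well-formed HTTP/1.x request head with a Host header;
    "incomplete": need more bytes to decide;
    "non-http": anything else, which is what a tunnel wrapped in port 80 looks like.
    """
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        if len(payload) > _MAX_HEAD:
            return "non-http"
        first = payload.split(b"\r\n", 1)[0]
        if b"\r\n" in payload:
            m = _REQUEST_LINE.match(first)
            ok = m is not None and m.group(1) in _METHODS
        else:
            ok = _plausible_prefix(first)
        return "incomplete" if ok else "non-http"
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if m is None or m.group(1) not in _METHODS:
        return "non-http"
    if not all(_HEADER_LINE.match(h) for h in lines[1:]):
        return "non-http"
    names = {h.split(b":", 1)[0].lower() for h in lines[1:]}
    return "http" if b"host" in names else "non-http"


# Constructed samples (not captured traffic): a normal request, a partial one,
# and an opaque first segment such as an encapsulated tunnel might send.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "incomplete": b"POST /login HTTP/1.1\r\nHost: www.ex",
    "non-http": b"\x00\x00\x00\x10\x45\x00\x00\x28" + b"\x9a" * 24,
}
```

A real proxy would buffer "incomplete" flows until it can decide, and would also need to inspect the server side, since the check above only covers the client's first segment.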
