Quick question. I have a network with PIX firewalls in the field and a central office running a beefed-up Cisco router as the central endpoint. This was done to allow for VPN failover in the future. Everything is working wonderfully, but I am stuck with the access-lists. We have 3 static hosts sitting behind the central router taht need to be accessible to the internet for web, ftp, etc. If I put in the access-lists to allow this, what do I need to put in to keep allowing the IPSEC traffic? I was going to put jut a standard access-list on the s0 interface of the router, but think that I need an "access-list 101 permit ipsec any (inside-host)" type statement.