Firewall is a kind of basic safe facility in Virtual Private Network. In any VPN scheme, the location of firewall must be considered conscientious.According to firewall's location, different network has different safe characteristic. Firewall should be put in front of or behind safe gateway ( VNP server), which is the focus of the argument. To share the enterprise's partial resources for outside world, firewall is different in department network. To let non-VPN user visit intranet, firewall is put behind VPN server.This paper discuss the firewall's location in fictitious special net.