I have an 1841 router on which I wish to run the IOS firewall. This device has a public internet connection via a VRF, and I wish to put zone-based firewalling in place between this and a public DMZ on the same device. My problem is that I cannot seem to allow ESP/AH pass-through in the firewall rules. We have other firewalls in the DMZ that terminate VPN tunnels. I have tried to create a class map with the match protocol ipsec statement, but as soon as I put the inspect in the class map it won't allow IPsec. Is there a special way to do this?