How do I inspect when I use site-to-site VPN?

I was implementing a site-to-site VPN on the ISR router (Security IOS) and the ASA 5510 firewall.

What are the protocols that I need to inspect on the ISR router?

Please advise or point me to useful links.

Thanks in advance


Jon Marshall
Hall of Fame

Hi

Not entirely sure what you mean. If you mean which protocols you need to allow for IPsec to work:

UDP port 500

ESP port 50

AH port 51 (optional, as authentication is usually done with ESP).

HTH

Jon

Many thanks Jon

Let me explain further.

I implemented a site-to-site VPN that is working just fine. When I configure the ip inspect command on the ISR router to use it as a firewall, then I can't use the site-to-site VPN anymore.

List of commands that I added on the ISR router:

ip inspect name myfirewall https
ip inspect name myfirewall http
ip inspect name myfirewall isakmp
ip inspect name myfirewall ipsec-msft

It still doesn't work. What is the command that I need to add?

Hi

When you are using inspect, what does the access-list that you use allow? You will need to allow the ports and protocols in that access-list before you add a deny any any.

Does this make sense?

If not could you post your router config minus any sensitive information.

Jon

Sidenote:

I don't think ASAs support AH, but that seems irrelevant to this thread.

Hi Jon

Many thanks for your help. Now I have achieved this goal. It looks like this:

For ip inspect:

ip inspect name GotoInternet http
ip inspect name GotoInternet https

To deny all traffic from the untrusted zone and allow the necessary ports for the site-to-site VPN:

ip access-list extended DenyAnyTraffic
 ! IKE from the VPN peer to UDP/500
 permit udp host x.x.x.x any eq isakmp
 ! IKE NAT traversal from the VPN peer to UDP/4500
 permit udp host x.x.x.x any eq non500-isakmp
 ! IKE sourced from the peer's UDP/500 to any port
 permit udp host x.x.x.x eq isakmp any
 ! ESP (IP protocol 50) from the VPN peer
 permit esp host x.x.x.x any
 ! everything else from the untrusted side is dropped
 deny ip any any

I have already created the crypto map, then applied the parameters to the interface:

interface Serial0/1/1
 bandwidth 512
 ip address y.y.y.y 255.255.255.252
 ip access-group DenyAnyTraffic in
 ip nat outside
 ip inspect GotoInternet out
 ip virtual-reassembly
 crypto map XXX
!

Jon, you would deserve a rating ;-)

L.Thot
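The thread's fix comes down to one point: CBAC (ip inspect) only opens return holes for sessions that leave through the interface, so anything the VPN peer initiates towards the router (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50) must be permitted statically in the inbound ACL ahead of the deny any any. The script below is an added example, not code from the original post or from Cisco: it models a small subset of IOS extended-ACL semantics (first match wins, implicit deny, host/any addresses, eq ports, the udp/tcp/esp/ahp/ip keywords) and runs the DenyAnyTraffic list from the thread against constructed packets. The peer address 198.51.100.1 and router address 203.0.113.1 are assumptions standing in for x.x.x.x and y.y.y.y; the packet set is constructed for the demonstration.

```python
"""Evaluate the thread's IOS ACL against constructed VPN packets.

Added example: a toy model of IOS extended-ACL matching, not Cisco code.
"""
from dataclasses import dataclass

# Named ports the thread uses; anything else must be numeric.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# IOS protocol keywords -> IP protocol number (None = matches any protocol).
IP_PROTO = {"udp": 17, "tcp": 6, "esp": 50, "ahp": 51, "ip": None}


@dataclass
class Packet:
    proto: int           # IP protocol number
    src: str
    dst: str
    sport: int = 0       # 0 for protocols without ports (ESP, AH)
    dport: int = 0


def _parse_addr(tokens):
    """Consume 'any' or 'host X'; return (address or None for any, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def _parse_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' entries."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):   # skip blanks and IOS comments
            continue
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.append((action, IP_PROTO[proto], src, sport, dst, dport))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; no match is the implicit deny."""
    for action, proto, src, sport, dst, dport in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


PEER = "198.51.100.1"   # assumed stand-in for the thread's x.x.x.x peer
LOCAL = "203.0.113.1"   # assumed stand-in for the router's y.y.y.y address

# The inbound ACL from the thread, with the placeholder peer substituted.
DENY_ANY_TRAFFIC = f"""
permit udp host {PEER} any eq isakmp
permit udp host {PEER} any eq non500-isakmp
permit udp host {PEER} eq isakmp any
permit esp host {PEER} any
deny ip any any
"""


def vpn_traffic_verdicts(acl_text=DENY_ANY_TRAFFIC):
    """Verdict per constructed inbound packet on the outside interface."""
    rules = parse_acl(acl_text)
    probes = {
        "ike_from_peer":   Packet(17, PEER, LOCAL, 500, 500),
        "nat_t_from_peer": Packet(17, PEER, LOCAL, 4500, 4500),
        "esp_from_peer":   Packet(50, PEER, LOCAL),
        "ah_from_peer":    Packet(51, PEER, LOCAL),      # no AH entry: dropped
        "ike_from_other":  Packet(17, "192.0.2.9", LOCAL, 500, 500),
        "ssh_from_peer":   Packet(6, PEER, LOCAL, 40000, 22),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in vpn_traffic_verdicts().items():
        print(f"{name:16s} {verdict}")
```

Running it shows IKE, NAT-T and ESP from the peer permitted and everything else, including AH and IKE from a non-peer address, denied. That is the shape of the posted fix: the inspect rule on the outside interface handles return traffic for outbound HTTP/HTTPS, while the peer-initiated tunnel traffic is whitelisted explicitly. If you later switch the peer to AH, or the peer sits behind NAT and only UDP/4500 is seen, the probe set makes it obvious which ACL entry you are missing.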
