https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754081#M1003786 <HTML><HEAD></HEAD><BODY><P>Hi john</P><P> Many thanks for your help. Now I achieve this goal. look like this </P><P></P><P>For ip inspect :</P><P>ip inspect name GotoInternet http</P><P>ip inspect name GotoInternet https</P><P></P><P>To deny all traffics from untrust zone and allow necessary port for site-to-site VPN</P><P>ip access-list extended DenyAnyTraffic</P><P> permit udp host x.x.x.x any eq isakmp</P><P> permit udp host x.x.x.x any eq non500-isakmp</P><P> permit udp host x.x.x.x eq isakmp any</P><P> permit esp host x.x.x.x any</P><P> deny ip any any</P><P></P><P>I have already created crypto map then apply parameters to interface</P><P>interface Serial0/1/1</P><P> bandwidth 512</P><P> ip address y.y.y.y 255.255.255.252</P><P> ip access-group DenyAnyTraffic in</P><P> ip nat outside</P><P> ip inspect GotoInternet out</P><P> ip virtual-reassembly</P><P> crypto map XXX</P><P>!</P><P></P><P>Jon, you would deserve a rating <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>L.Thot</P></BODY></HTML> Sun, 10 Jun 2007 07:32:30 GMT Thotsaphon Lueangwattanaphong 2007-06-10T07:32:30Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754076#M1003781 <P>I was implementing site-to-site VPN on the ISR router(SecurityIOS) and the ASA 5510 firewall.</P><P>what are protocol that I need to inspect on ISR router?</P><P>please advices or point me to useful links.</P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 10:25:24 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754076#M1003781 Thotsaphon Lueangwattanaphong 2019-03-11T10:25:24Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754077#M1003782 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Not entirely sure what you mean. If you mean which protocols do you need to allow for IPSEC to work </P><P></P><P>UDP port 500 </P><P>ESP port 50 </P><P>AH port 51 ( optional as authentication is usually done with ESP). </P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Wed, 06 Jun 2007 07:12:02 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754077#M1003782 Jon Marshall 2007-06-06T07:12:02Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754078#M1003783 <HTML><HEAD></HEAD><BODY><P>Many thanks Jon</P><P>Let me explain further. </P><P>I implement site-to-site VPN that working just fine.When I configure ip inspect command on router for doing a firewall on ISR router then I can't use site-to-site VPN anymore.</P><P>List of commands that I added on ISR router.</P><P>: ip inspect name myfirewall https</P><P>: ip inspect name myfirewall http</P><P>: ip inspect name myfirewall isakmp</P><P>: ip inspect name myfirewall ipsec-msft</P><P></P><P>Still can't work. what is command that I need to add?</P><P></P></BODY></HTML> Wed, 06 Jun 2007 08:39:06 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754078#M1003783 Thotsaphon Lueangwattanaphong 2007-06-06T08:39:06Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754079#M1003784 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>When you are using inspect what does your access-list that you use allow. You will need to allow the ports and protocols in that access-list before you add a deny any any.</P><P></P><P>Does this make sense ?. </P><P></P><P>If not could you post your router config minus any sensitive information. </P><P></P><P>Jon</P></BODY></HTML> Wed, 06 Jun 2007 08:44:35 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754079#M1003784 Jon Marshall 2007-06-06T08:44:35Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754080#M1003785 <HTML><HEAD></HEAD><BODY><P>sidenote:</P><P>i dont think ASA's support AH, but that seems irrelevant to this thread.</P></BODY></HTML> Wed, 06 Jun 2007 12:45:42 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754080#M1003785 srue 2007-06-06T12:45:42Z https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754081#M1003786 <HTML><HEAD></HEAD><BODY><P>Hi john</P><P> Many thanks for your help. Now I achieve this goal. look like this </P><P></P><P>For ip inspect :</P><P>ip inspect name GotoInternet http</P><P>ip inspect name GotoInternet https</P><P></P><P>To deny all traffics from untrust zone and allow necessary port for site-to-site VPN</P><P>ip access-list extended DenyAnyTraffic</P><P> permit udp host x.x.x.x any eq isakmp</P><P> permit udp host x.x.x.x any eq non500-isakmp</P><P> permit udp host x.x.x.x eq isakmp any</P><P> permit esp host x.x.x.x any</P><P> deny ip any any</P><P></P><P>I have already created crypto map then apply parameters to interface</P><P>interface Serial0/1/1</P><P> bandwidth 512</P><P> ip address y.y.y.y 255.255.255.252</P><P> ip access-group DenyAnyTraffic in</P><P> ip nat outside</P><P> ip inspect GotoInternet out</P><P> ip virtual-reassembly</P><P> crypto map XXX</P><P>!</P><P></P><P>Jon, you would deserve a rating <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>L.Thot</P></BODY></HTML> Sun, 10 Jun 2007 07:32:30 GMT https://community.cisco.com/t5/network-security/how-do-i-inspect-when-i-use-site-tosite-vpn/m-p/754081#M1003786 Thotsaphon Lueangwattanaphong 2007-06-10T07:32:30Z