Cisco IP Inspect command explained

IP inspect (CBAC) lets a router behave more like an ASA: the goal is to allow only certain traffic inbound, while replies to connections started from the inside still get through.

For example, let's consider an inbound access-list that is very restrictive, or simply “deny ip any any”. With that in place, inside hosts can send requests to outside servers, but they never receive the responses; a TCP three-way handshake can't even complete. What we can do is inspect the traffic outbound. This builds a state table in the router, and return traffic that matches an entry in that table is allowed to bypass the inbound ACL. The inspect engine also does some protocol validation on the initial outbound traffic. A very simple configuration might look like the following.

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
! ftp is important to inspect because it can use a secondary (data) connection
! initiated from the outside, which plain tcp inspection would not anticipate

ip access-list extended INBOUND
 deny ip any any
! nothing unsolicited comes in; only return traffic matching the inspect state table passes

int fa0/0
 description OUTSIDE
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip inspect FWOUT out
 ip nat outside

int fa0/1
 description INSIDE
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
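To make the mechanism concrete, here is a small Python model of the session table that the outbound inspect rule builds and that the inbound ACL defers to. This is an added illustration, not code from the post or from Cisco; the addresses and the PORT command are constructed sample values and NAT rewriting of the FTP payload is ignored.

```python
"""Toy model of 'ip inspect FWOUT out' on the OUTSIDE interface.

An outbound packet creates a session entry. An inbound packet is admitted
only if it matches an existing entry; otherwise it falls through to the
INBOUND ACL, which is 'deny ip any any'. The ftp inspector additionally
reads the control channel and opens a pinhole for the data connection
announced in a PORT command (active mode), which the plain tcp inspector
never sees. NAT is deliberately ignored in this model.
"""
import re


class Inspector:
    def __init__(self, protocols):
        self.protocols = set(protocols)  # e.g. {"tcp", "udp", "icmp", "ftp"}
        self.sessions = set()            # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, proto, src, sport, dst, dport, payload=b""):
        """Packet leaving via OUTSIDE: record it so the reply can come back."""
        ftp_control = proto == "tcp" and dport == 21 and "ftp" in self.protocols
        if proto not in self.protocols and not ftp_control:
            return  # not inspected: no state, so replies will hit the ACL
        self.sessions.add((proto, src, sport, dst, dport))
        if ftp_control:
            # Active-mode FTP: client announces h1,h2,h3,h4,p1,p2; the server
            # then connects back from port 20 to that address and port.
            m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                ip = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.sessions.add(("tcp", ip, port, dst, 20))

    def inbound_allowed(self, proto, src, sport, dst, dport):
        """Packet arriving on OUTSIDE: a session hit bypasses the inbound ACL."""
        if (proto, dst, dport, src, sport) in self.sessions:
            return True
        return False  # INBOUND ACL: deny ip any any


if __name__ == "__main__":
    fw = Inspector({"tcp", "udp", "icmp", "ftp"})
    fw.outbound("tcp", "192.168.0.10", 51000, "203.0.113.5", 80)
    print(fw.inbound_allowed("tcp", "203.0.113.5", 80, "192.168.0.10", 51000))  # True
    print(fw.inbound_allowed("tcp", "203.0.113.5", 22, "192.168.0.10", 51000))  # False
```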
