ip inspect


Need your help with ip inspect ...
Here is my minilab config and it makes sense:

R3#sh access-lists
Extended IP access list R3O
permit tcp host eq telnet host eq 11001 (6 matches)
10 permit tcp any any eq bgp (31 matches)
20 permit tcp any eq bgp any (370 matches)
30 permit eigrp any any (2223 matches)
40 permit icmp any any (35 matches)
1000 deny ip any any log (53 matches)

R3#sh ip inspect sessions
Established Sessions
Session 83E81F2C (>( tcp SIS_OPEN

interface FastEthernet0/0
 ip address
 ip access-group R3O out
 ip inspect TL in
 duplex auto
 speed auto

From the Cisco website ... this is what I don't understand:

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.

interface serial0
 ip inspect MY-INSPECT_RULE out

  • I understand this to mean that if you apply the inspect rule in the "out" direction, then this router will "inspect" all outbound connections and record them. For each connection that was recorded, the router would create a permit clause which reverses the recorded source and destination addresses and ports. That clause would be applied at the top of the inbound ACL. As a result, all of the return traffic will be permitted.
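The mechanism the reply above describes, as an added Python model that is not part of this thread or of Cisco IOS: a session seen in the inspected direction opens a dynamic reverse entry that is consulted before the static ACL on the return path, and disappears when the session closes. The Inspector class, the RFC 5737 addresses and the R3O-style ACL list are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Static ACL modelled on the thread's R3O (EIGRP line omitted): 'any' is a
# wildcard and protocol 'ip' matches every protocol, as in IOS.
R3O = [
    ("permit", "tcp", "any", "any", "any", 179),     # 10 permit tcp any any eq bgp
    ("permit", "tcp", "any", 179, "any", "any"),     # 20 permit tcp any eq bgp any
    ("permit", "icmp", "any", "any", "any", "any"),  # 40 permit icmp any any
    ("deny", "ip", "any", "any", "any", "any"),      # 1000 deny ip any any log
]
def acl_match(entry, f):
    pairs = zip(entry[1:], (f.proto, f.src, f.sport, f.dst, f.dport))
    return all(e in ("any", "ip") or e == v for e, v in pairs)

class Inspector:
    """One 'ip inspect' rule: a session seen in the inspected direction opens a
    dynamic reverse entry that is checked before the static ACL on the return path."""
    def __init__(self, static_acl):
        self.static_acl = static_acl
        self.sessions = set()        # what 'sh ip inspect sessions' lists as SIS_OPEN
    def inspect(self, f):            # packet travelling in the inspected direction
        self.sessions.add(f)
    def close(self, f):              # FIN/RST seen or the idle timeout expired
        self.sessions.discard(f)
    def dynamic_acl(self):           # the unnumbered lines 'sh access-lists' shows on top
        return [f"permit {s.proto} host {s.dst} eq {s.dport} host {s.src} eq {s.sport}"
                for s in self.sessions]
    def check_return(self, f):       # packet travelling in the return direction
        if Flow(f.proto, f.dst, f.dport, f.src, f.sport) in self.sessions:
            return True              # reverse of an open session: bypasses the static ACL
        for entry in self.static_acl:
            if acl_match(entry, f):
                return entry[0] == "permit"
        return False                 # implicit deny at the end of the ACL

def demo():
    # Constructed walk-through (RFC 5737 addresses): one outbound telnet session.
    fw = Inspector(R3O)
    telnet = Flow("tcp", "192.0.2.1", 11001, "192.0.2.2", 23)
    fw.inspect(telnet)
    reply = Flow("tcp", "192.0.2.2", 23, "192.0.2.1", 11001)
    out = {"telnet_reply": fw.check_return(reply),                                            # True
           "unsolicited": fw.check_return(Flow("tcp", "192.0.2.2", 23, "192.0.2.1", 11002)),  # False
           "bgp_open": fw.check_return(Flow("tcp", "192.0.2.2", 40000, "192.0.2.1", 179)),    # True
           "dynamic": fw.dynamic_acl()}
    fw.close(telnet)                 # session torn down: the dynamic entry goes with it
    out["reply_after_close"] = fw.check_return(reply)                                         # False
    return out
```

The "dynamic" entry the model produces has the same shape as the unnumbered `permit tcp host ... eq telnet host ... eq 11001` line at the top of R3O in the first post.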
