Returning traffic through ISRs

Unanswered Question
Mar 29th, 2007

I work in healthcare and our rules on access through our WAN/Internet connections are quite strict. We do, however, have one issue I've not been able to work around.

We are using Cisco ISRs (in this example a 2851), all with the firewall and IPS enabled.

For outbound traffic, I can create a rule on the access list and traffic is permitted out, and the return traffic is permitted inbound.

However, if I create a rule for inbound traffic, the ISR is not creating the dynamic rule for the return traffic, and I'm having to manually add a matching outbound rule for every inbound connection. Is there any way around this other than having permit ip any any as the last rule, which I'm not permitted to do?

Any help is much appreciated.



David White Thu, 03/29/2007 - 08:40

Hi Spencer,

We need a little more information to assist here. IOS FW on ISRs can use either the historical inspect statements where you apply the inspect to an interface, or the new zone-based FW.

If you are applying the inspection to an interface, for inbound traffic, you would need to inspect inbound on the outside interface. For outbound traffic you would inspect outbound on that same interface.

This provides you with DoS protection for the inbound traffic, as well as opening up the ACLs to allow the reply traffic (from the inbound connections - assuming you have an ACL applied to your inside interface).

Hope it helps,

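As an added illustration of the interface-based (classic inspect) approach David describes, not a configuration from the original thread: the inspect rule is applied inbound on the outside interface for sessions initiated from the Internet, and outbound on the same interface for sessions initiated from the LAN, so the firewall opens the return path dynamically instead of relying on a manual mirror rule. Interface names, the published server 192.0.2.10 and the 10.0.0.0/8 LAN range are assumed placeholders.

```cisco
! Inspection rules: one for sessions entering from outside, one for sessions leaving
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Half-open session limits give the DoS protection mentioned above (values are assumed)
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Outside ACL: only the published service is allowed in; no manual reply rules needed
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
!
! Inside ACL restricts what the LAN may start; replies from 192.0.2.10 to inbound
! sessions are admitted by the dynamic entries that INBOUND inspection creates
ip access-list extended INSIDE-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (WAN)
 ip access-group OUTSIDE-IN in
 ip inspect INBOUND in
 ip inspect OUTBOUND out
!
interface GigabitEthernet0/1
 description Inside (LAN)
 ip access-group INSIDE-IN in
!
! Verify that sessions are being tracked:  show ip inspect sessions
```

Without the `ip inspect INBOUND in` line on the outside interface, the 443 connections to the server are permitted in but their replies hit the inside ACL's final deny, which is the symptom described in the question.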

