Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Configuring :NAT/PAT and IP inspect


We have configured 1800 ISR to access internet using and NAT ( actually PAT ) and overload feature.

SImple mode fa0/0 is inside interface and fa0/1 is outside interface.

We need to apply ip inspect and enable IOS firewall as a security feature.

How do we apply IP inspect rules for the traffic that is being NATed or we need just to apply it.

Please share experience of configuring ip inspection with NAT/PAT.

any configuration link on

Thanks in advance.


Community Member

Re: Configuring :NAT/PAT and IP inspect

The IP inspect uses CBAC which works the same way as SPI function on a regular firewall. There are 3 steps.

1. configure NAT/PAT (which you have done)

2. Allow the required traffic outbound (ACL)

3. Create the IP inspect rules and apply them to the interface. The IP inspect rules should contain the traffic that should be permitted back in (replies to outbound requests) even though the ACL denies

** Creating INSPECT ***

ip inspect name MYTRAFFIC ftp

ip inspect name MYTRAFFIC http

ip inspect name MYTRAFFIC https

** Applying to interface **

On the interface you wish to permit the traffic

ip inspect MYTRAFFIC out

CreatePlease to create content