Cisco Support Community
New Member

Returning traffic through ISRs

I work in healthcare, and our rules on access through our WAN/Internet connections are quite strict. We do, however, have one issue I've not been able to work around.

We are using Cisco ISRs (in this example a 2851), all with the firewall and IPS enabled.

For outbound traffic, I can create a rule on the access list and traffic is permitted out, and the return traffic is permitted inbound.

However, if I create a rule for inbound traffic, the ISR is not creating the dynamic rule for the return traffic, and I'm having to manually add a matching outbound rule for every inbound connection. Is there any way around this other than having permit ip any any as the last rule, which I'm not permitted to do?

Any help much appreciated

Thanks

Spencer.

1 REPLY
Cisco Employee

Re: Returning traffic through ISRs

Hi Spencer,

We need a little more information to assist here. IOS FW on ISRs can use either the historical inspect statements, where you apply the inspect to an interface, or the new zone-based FW.

If you are applying the inspection to an interface, then for inbound traffic you would need to inspect inbound on the outside interface. For outbound traffic you would inspect outbound on that same interface.

This provides you with DoS protection for the inbound traffic, as well as opening up the ACLs to allow the reply traffic from the inbound connections (assuming you have an ACL applied to your inside interface).

Hope it helps,

David.
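The interface-based (classic IOS firewall / CBAC) configuration David describes, written out as an added example; it is not part of the original thread and not Spencer's or David's configuration. Interface names, the 10.1.0.0/16 LAN, the published hosts and ports, and the ACL names are made-up assumptions for illustration. The key point is that an inspect rule applied in a given direction on the outside interface opens the reply path in the ACL that the return traffic hits, so you never need a matching static "outbound" entry and never need a trailing permit ip any any.

```cisco
! Assumed layout (hypothetical): GigabitEthernet0/0 = outside/WAN, GigabitEthernet0/1 = inside LAN 10.1.0.0/16
! All addresses, ports and names below are constructed for this example.

! Inspection rule: protocols whose return traffic should be opened dynamically.
! (icmp inspection requires an IOS release that supports it; drop that line on older images.)
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp

! Half-open session limits give the DoS protection mentioned above (values are illustrative).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400

! ACL on the outside interface: only the services that must be reachable from the WAN.
! No permit ip any any at the end; reply traffic for LAN-originated sessions is inserted dynamically.
ip access-list extended OUTSIDE-IN
 remark Published application server (hypothetical address/port)
 permit tcp any host 10.1.10.20 eq 2575
 permit tcp any host 10.1.10.30 eq 443
 deny   ip any any log

! ACL on the inside interface: outbound policy for the LAN.
! Replies for WAN-originated sessions to the published servers are inserted here dynamically,
! so no static entry for "10.1.10.20 eq 2575 -> any" is needed.
ip access-list extended INSIDE-IN
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit udp 10.1.0.0 0.0.255.255 host 10.1.1.5 eq 53
 deny   ip any any log

interface GigabitEthernet0/0
 description Outside / WAN (assumed)
 ip access-group OUTSIDE-IN in
 ! Inbound inspection: WAN-initiated sessions permitted by OUTSIDE-IN get their replies through INSIDE-IN
 ip inspect FW-INSPECT in
 ! Outbound inspection: LAN-initiated sessions get their replies through OUTSIDE-IN
 ip inspect FW-INSPECT out

interface GigabitEthernet0/1
 description Inside LAN (assumed)
 ip access-group INSIDE-IN in
```

To confirm the behaviour, open a connection from the WAN side to one of the published hosts and check `show ip inspect sessions` for the tracked session and `show ip access-lists INSIDE-IN` for the temporary entry the firewall inserted; when the session ends the entry disappears. If the router is running zone-based firewall instead, the equivalent is a zone-pair in each direction (outside to inside and inside to outside) with an `inspect` action in its policy-map, and there is no per-interface `ip inspect` command at all.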
