Cisco Support Community

New Member

ip inspect command

Can anyone explain the difference between the following commands

ip inspect name outbound http

ip inspect name outbound https

ip inspect name outbound dns

ip inspect name outbound icmp

compared to

ip inspect name outbound tcp

ip inspect name outbound udp

Wouldn't these two latter commands encompass the http, https, dns, icmp commands above?

New Member

Re: ip inspect command

Yes, the last two would include HTTP, HTTPS and DNS, as they are TCP (DNS can sometimes be used with UDP also). ICMP is separate, so you would still need

ip inspect name outbound icmp

The reason that you might not want all TCP traffic is that you might have another device already providing IP inspection, or a packet could be dropped because IOS thinks it's "not quite right" when it's perfectly valid, etc.


Re: ip inspect command

There is a big difference in the functionality of those commands.

TCP/UDP inspection simply maintains state for TCP/UDP connections, whereas the more specific entries check for things specific to HTTP/HTTPS/DNS.

New Member

Re: ip inspect command

Thanks for your help

If I created inspect rules for DNS, HTTP etc, would those protocols not listed still be allowed through the firewall if the ACL allows it?

Re: ip inspect command

As SRUE said, with the layer-4 protocol-specific entries in there, the IOS router performs application inspection. If you just specify TCP/UDP, then the router doesn't look deeper into the packets and certain protocols won't work. H.323 and SIP, for example, negotiate additional connections over the signalling channel to set up the RTP streams.
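To tie the thread together, here is an added IOS CBAC configuration (not from any of the posters) that shows how the inspect list, the inbound ACL on the outside interface and the interface binding fit together; the interface names, the ACL name and the inspect list name are assumptions for the example.

```cisco
! Added example: generic TCP/UDP state tracking for everything,
! plus application inspection only for the protocols that need it
! (ICMP is not TCP or UDP, so it has its own entry).
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND dns
! SIP and H.323 open extra RTP connections from the signalling
! channel; plain tcp/udp inspection cannot track those.
ip inspect name OUTBOUND sip
ip inspect name OUTBOUND h323
!
! Inbound ACL on the outside interface: only what is explicitly
! permitted here, or what inspection has dynamically opened for a
! session initiated from inside, gets back in.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0
 description OUTSIDE (assumed interface)
 ip address 203.0.113.10 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
!
interface GigabitEthernet0/1
 description INSIDE (assumed interface)
 ip address 192.168.1.1 255.255.255.0
```

`show ip inspect sessions` lists the dynamic return-path openings the inspect rule has created, and `show ip inspect config` confirms which protocols are under application inspection versus plain TCP/UDP state tracking.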