Hi Jennifer,

access-list 121 is for inbound access (from internet)

- access-group 121 in

inspect rule is applied on the same interface outbound

-ip inspect myfw out

OK, so you would like access initiated from the Internet towards your hosts/servers on all those ports listed in access-list 121?

correct Jennifer access to those servers from acl 121 + alow all access from inside lan to the internet (with cbac)

ok thanks for confirming.

In that case, they all look good to me.

Thank you Jennifer for confirming,

I have also another question about my second wan interface, I have 2 isp, wan2 is my vpn connection to branch office and  wan1 is my internet access (with cbac on it - that is sorted now), now after wan1 is sorted I want also some sort of security on my vpn connection, what would be the best way to secure that connection, can I just apply

something like that on both sides ?

access-list 122 permit ip LAN1 LAN2

Would it be the best way of securing the router (interfaces) with the firewall?  What can be done to secure it,

CBAC is one way to secure it, or you can also use ZBFW (Zone Base FW).

Thank you Jennifer for all the answers, as regards to my firewall on vpn link (only acl) is that enough security?

Yes, that would be good enough as only IPSec VPN is allowed, and no other protocols.