Hi.

I want the inside of my network to be allowed to do anything and the firewall to open up ports reflexive when the traffic goes out.

If i want to use ssh to an external IP address i have to put in the following:

ip access-list extended STANDARD_IN_PERMIT

permit tcp any eq 22 any

Without this it wont work, below is a part of my running config

class-map type inspect match-any STANDARD
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
match protocol ssh

ip access-list extended STANDARD_IN_PERMIT
permit tcp any host 192.168.98.63 eq www
permit tcp any host 192.168.98.63 eq 443
permit tcp any host 192.168.98.53 eq www
permit tcp any host 192.168.98.53 eq 666
permit tcp any host 192.168.98.52 eq 22
permit tcp any host 192.168.98.52 eq smtp
permit tcp any host 192.168.98.52 eq www
permit tcp any host 192.168.98.52 eq 143
permit tcp any host 192.168.98.52 eq 10000
permit tcp any host 192.168.98.52 eq 20000
permit tcp any host 192.168.98.61 eq 22
permit tcp any host 192.168.98.61 eq www
permit tcp any host 192.168.98.61 eq domain
permit tcp any host 192.168.98.61 eq 10000
permit tcp any host 192.168.98.2 eq 443
permit tcp any host 192.168.98.2 eq 987
permit tcp any host 192.168.98.2 eq smtp
permit tcp any host 192.168.98.50 eq 9101
permit tcp any host 192.168.98.50 eq 9102
permit tcp any host 192.168.98.50 eq 9103
permit tcp any host 10.10.20.10 eq 443
permit tcp any host 10.10.20.10 eq 587
permit tcp any host 10.10.20.10 eq smtp
permit udp any host 10.10.20.10 eq 443
permit udp any host 10.10.20.10 eq 25
permit tcp any host 192.168.98.146 eq 873
permit tcp any host 192.168.98.210 eq 587
permit tcp any host 192.168.98.210 eq smtp
permit tcp any host 192.168.98.210 eq www

ip access-list extended STANDARD_OUT_PERMIT
permit ip any any

policy-map type inspect STANDARD
class type inspect STANDARD
inspect
class type inspect STANDARD_OUT_PERMIT
pass
class class-default
drop

policy-map type inspect STANDARD_IN
class type inspect STANDARD_IN_PERMIT
pass
class class-default
drop

zone security WAN_ZONE
zone security VLAN1_ZONE

zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
service-policy type inspect STANDARD_IN
zone-pair security VLAN1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect STANDARD