Config archive to scp server on WAN not working with inbound ACL on wan interface

andyruh11
Level 1

I'm setting up a Cisco 891 that I want to be a home router.

The short story is: I'm trying to do config archiving to an SCP server connected on the WAN interface, and it doesn't work with an inbound ACL on the WAN interface despite it being an outbound operation. I hope I'm not missing something simple.

This is a demonstration of the problem:

cisco-891#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-891(config)#int f8
cisco-891(config-if)#ip access-group INBOUND in
cisco-891(config-if)#end
cisco-891#wr
Building configuration...

.Jul 15 19:08:40.587: %SYS-5-CONFIG_I: Configured from console by console[OK]
Writing configs/cisco-891--Jul-15-19-08-43.211-2 % Connection timed out; remote host not responding

cisco-891#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-891(config)#int f8
cisco-891(config-if)#no ip access-group INBOUND in
cisco-891(config-if)#end
cisco-891#wr
Building configuration...

.Jul 15 19:09:53.742: %SYS-5-CONFIG_I: Configured from console by console[OK]
Writing configs/cisco-891--Jul-15-19-09-56.346-2  Sink: C0644 4211 cisco-891--Jul-15-19-09-56.346-2
! <--- This means successful

So why is an inbound ACL preventing an outbound operation?

Here is more info:

cisco-891#show access-lists INBOUND
Extended IP access list INBOUND
    10 permit udp 192.168.xxx.0 0.0.0.255 any eq bootpc
    20 permit tcp 192.168.xxx.0 0.0.0.255 any eq 22
    30 permit udp 192.168.xxx.0 0.0.0.255 any eq snmp (8 matches)
    40 permit ospf 192.168.xxx.0 0.0.0.255 any (175 matches)
    60 permit gre 192.168.xxx.0 0.0.0.255 any (28 matches)
    70 deny ip any any (271 matches)

archive
 path scp://user:password@192.168.xxx.xxx/configs/$h-$t
 write-memory
 time-period 10080

In this case 192.168.xxx.0 0.0.0.255 is the "WAN" while I test this inside my home network. The WAN interface has an address in this range and so does the SCP server (both are on the same /24).

I hope I haven't missed something simple...

Thanks.

2 Replies

andyruh11
Level 1

OK, it seems that NTP isn't working either with the same access list, so there's definitely something I'm missing.

I'm setting up the router according to this:

https://learningnetwork.cisco.com/docs/DOC-7832

Clients under this router can connect to the web and "do stuff", it seems like it's just this access list blocking return traffic for requests that originated at the router.

I had someone I know straighten me out on this one. This is probably a stateful vs. stateless problem.
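The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation that reproduces the symptom above with the poster's INBOUND list, then shows the two ways out of it. Rule 20 (`permit tcp ... any eq 22`) matches packets whose destination port is 22, i.e. SSH sessions to the router; the SCP server's replies have source port 22 and an ephemeral destination port, and NTP replies arrive with destination port 123, so both fall through to the `deny ip any any` and the router-originated sessions time out. The stateless fix adds rules keyed on the reply's source port (with the TCP `established` flag check); the stateful fix remembers the sessions the router opened and admits only their return packets. 192.0.2.0/24 stands in for the masked 192.168.xxx.0/24, and the host addresses, ports and flows are constructed assumptions.

```python
"""Added example: stateless IOS-style inbound ACL vs stateful session tracking,
built around the INBOUND ACL and the SCP/NTP flows from the thread above.
Illustrative Python, not IOS code. 192.0.2.0/24 stands in for the poster's
masked 192.168.xxx.0/24; hosts, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "ospf", "gre"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST set; what IOS 'established' keys on

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # protocol name, or "ip" for any
    src_net: str                     # e.g. "192.0.2.0/24"; "0.0.0.0/0" = any
    sport: Optional[int] = None      # 'eq' on the source port, None = any
    dport: Optional[int] = None      # 'eq' on the destination port, None = any
    established: bool = False        # the TCP 'established' keyword

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not pkt.ack:
        return False
    return True

def stateless_filter(acl, pkt):
    """First-match evaluation with an implicit deny, like an IOS extended ACL."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

class StatefulFilter:
    """Records sessions leaving the interface and admits only their return packets."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"
    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"
        return stateless_filter(self.acl, pkt)   # unsolicited: normal ACL applies

WAN = "192.0.2.0/24"
# The poster's INBOUND list, sequence 10..70 (bootpc = 68, snmp = 161).
INBOUND = [
    Rule("permit", "udp", WAN, dport=68),
    Rule("permit", "tcp", WAN, dport=22),
    Rule("permit", "udp", WAN, dport=161),
    Rule("permit", "ospf", WAN),
    Rule("permit", "gre", WAN),
    Rule("deny", "ip", "0.0.0.0/0"),
]
# Stateless fix: admit SCP replies (source port 22, ACK set) and NTP replies
# (source and destination port 123) ahead of the final deny.
INBOUND_FIXED = INBOUND[:5] + [
    Rule("permit", "tcp", WAN, sport=22, established=True),
    Rule("permit", "udp", WAN, sport=123, dport=123),
] + INBOUND[5:]

ROUTER, SERVER, LAN_HOST = "192.0.2.2", "192.0.2.10", "192.0.2.50"
# Constructed flows: what leaves f8 when 'wr' triggers the archive, and what returns.
SCP_SYN   = Packet("tcp", ROUTER, 51022, SERVER, 22)
SCP_REPLY = Packet("tcp", SERVER, 22, ROUTER, 51022, ack=True)
NTP_QUERY = Packet("udp", ROUTER, 123, SERVER, 123)
NTP_REPLY = Packet("udp", SERVER, 123, ROUTER, 123)
SSH_IN    = Packet("tcp", LAN_HOST, 40000, ROUTER, 22)
# Unsolicited probe dressed up as a reply: source port 22 with ACK set.
SPOOFED   = Packet("tcp", LAN_HOST, 22, ROUTER, 3389, ack=True)

def demo():
    sf = StatefulFilter(INBOUND)
    sf.outbound(SCP_SYN)
    sf.outbound(NTP_QUERY)
    return {
        "orig_scp_reply": stateless_filter(INBOUND, SCP_REPLY),       # deny
        "orig_ntp_reply": stateless_filter(INBOUND, NTP_REPLY),       # deny
        "orig_ssh_to_router": stateless_filter(INBOUND, SSH_IN),      # permit
        "fixed_scp_reply": stateless_filter(INBOUND_FIXED, SCP_REPLY),
        "fixed_ntp_reply": stateless_filter(INBOUND_FIXED, NTP_REPLY),
        "fixed_spoofed": stateless_filter(INBOUND_FIXED, SPOOFED),    # permit
        "stateful_scp_reply": sf.inbound(SCP_REPLY),
        "stateful_ntp_reply": sf.inbound(NTP_REPLY),
        "stateful_spoofed": sf.inbound(SPOOFED),                      # deny
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The IOS analogue of the stateless fix is a `permit tcp 192.168.xxx.0 0.0.0.255 eq 22 any established` line (and a matching `permit udp ... eq ntp any eq ntp`) placed before the `deny ip any any`. The `fixed_spoofed` result is the caveat: `established` only checks that ACK or RST is set, so any packet crafted with source port 22 and the ACK bit passes a stateless list, whereas the stateful tracker still denies it because the router never opened that session. On IOS the stateful behaviour comes from a firewall feature rather than a plain ACL (CBAC `ip inspect`, which has a `router-traffic` keyword for sessions the router itself originates, or a Zone-Based Firewall policy covering the self zone); which of those applies depends on the IOS release on the 891 and is outside what the thread shows.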