I have a problem where I need to limit outbound calls from a central site 3640 to a branch ISDN network of 160 or so Cisco 800 routers, but still maintain inbound calls. The only applications that should initiate outbound connections are the apps the helpdesk use - netmeeting, telnet, tftp and also icmp for pings and traces. I set the following extended access-list to allow this traffic and applied it to the dialer-list:

access-list 101 permit tcp any any eq 1720

access-list 101 permit tcp any any eq 1503

access-list 101 permit tcp any any eq 23

access-list 101 permit udp any any eq 69

access-list 101 permit icmp any any

This all works fine for outbound calls, but of course now inbound calls get disconnected after 30 secs (the dialer idle-timeout value) which is causing problems. In an ideal world I would like to be able to set the dialer idle-timeout to only apply to outbound traffic, then all my problems would be solved - but of course the command can only be configured to inbound only, or bi-directional (default) - which is pretty bizarre. I hope Cisco would consider adding outbound only interesting traffic as a feature...

If I configure:

access-list 101 permit tcp 10.1.1.0 0.0.0.255 any est

to allow established inbound call packets back out as interesting traffic, I get a load of outbound calls made, which defeats the object of using the acl in the first place.

I think that if rather than permitting established tcp packets, I add all the outbound ports that all the applications at the branches use, i.e. (for their notes replication)

access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 1347

that may solve the problem. Has anyone else had similar experiences with such a scenario? Am I barking up the right tree here?

Any help much appreciated

TIA

Kev