12945 Views, 25 Helpful, 5 Replies

access lists for internet router

carl_townshend
Spotlight

Hi all

Can anyone please give me an example of an access list used on an internet router, one that permits connections from the inside to all the common internet ports but is secure from the outside, i.e. blocks unwanted incoming connections?

cheers

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Carl,

To perform stateful filtering (if you want to allow TCP sessions started from inside, you are looking at FW-like features) you should use CBAC, which requires the security feature set.

See the following introduction:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Hope to help

Giuseppe

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

For a "pure" ACL approach, please see: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

Without further specification I would configure it the following way:

ip access-list extended OUTSIDE-IN
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 100.64.0.0 0.63.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
!
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
ip inspect name FW dns
!
interface fastEthernet 0/0
  description external interface
  ip inspect FW out
  ip access-group OUTSIDE-IN in

What it does:

You enable the stateful inspection in the outbound direction (Adv. Security IOS needed). Traffic initiated from the internal network(s) and from the router itself is inspected so that the return traffic is allowed.

The incoming ACL on the outside interface is effectively a "deny ip any any". The explicit deny entries in OUTSIDE-IN are a spoofing protection, which is not really needed if you don't have incoming connections, but they serve for statistics and for protection if you later allow connections from the internet into your network. The networks in the ACL are defined in different RFCs as not allowed on the internet as a source.

The setup can be extended with more inspects for other protocols that use multiple channels. In the example, only FTP will work.

If you want, you can additionally put an incoming ACL on the inside interface to limit the traffic your users are allowed to send to the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
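To see which of the anti-spoofing entries above a given source address would hit (and therefore which counter would increment, or whether only the implicit deny applies), here is a small evaluator of the OUTSIDE-IN list using IOS wildcard-mask semantics. This is example code added for this page, not from the thread or from Cisco IOS; it handles only "any" and "address wildcard" specs, not the "host" keyword or port matches, and the ACL text is constructed from the post above.

```python
import ipaddress

# Constructed sample: the OUTSIDE-IN entries exactly as posted above.
OUTSIDE_IN = """\
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 100.64.0.0 0.63.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
"""

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def _parse_match(tokens):
    """Consume one address spec: 'any' or 'ADDRESS WILDCARD' (no 'host' form)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]

def parse_acl(text):
    """Return (action, src, src_wild, dst, dst_wild) tuples for the 'ip' entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # list header, comments and non-'ip' entries are skipped
        (sa, sw), rest = _parse_match(tok[2:])
        (da, dw), _ = _parse_match(rest)
        entries.append((tok[0], sa, sw, da, dw))
    return entries

def _matches(ip, addr, wild):
    # IOS wildcard semantics: a 0 bit in the wildcard must match exactly.
    return (ip ^ addr) & ~wild & 0xFFFFFFFF == 0

def evaluate(entries, src, dst):
    """First match wins; (action, entry index), or ('deny', None) for the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for i, (action, sa, sw, da, dw) in enumerate(entries):
        if _matches(s, sa, sw) and _matches(d, da, dw):
            return action, i
    return "deny", None
```

Run evaluate(parse_acl(OUTSIDE_IN), "172.32.0.1", "203.0.113.5") to see that an address just outside 172.16/12 is dropped only by the implicit deny, while "172.31.255.1" hits entry 5.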

Hello Karsten,

Good post,

rated as it deserves.

Best Regards

Giuseppe

Thanks for that!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
