Are you using the ZBF functionality on the 4331? If yes, then you'd want an outside-in ACL that allows any inbound traffic that isn't already return traffic from inspection. If you are not using ZBF then it us up to you if you want to use an ACL, but it is not manditory. It would depend if you want to deny certain protocols inbound. See below for an example to block inbound telnet except from one IP.
ip access-list extended outside-in
permit tcp host 1.1.1.1 any eq 23
deny tcp any any eq 23
permit ip any any
interface g0/0/1
ip access-group outside-in in