I'm having a devil of a time trying to set up what ought to be an extremely simple inbound access list. All I want to do is allow inbound connections to a few web servers, while not having any kind of restrictions on outbound traffic.
My understanding is that I need to permit established traffic at the top of my list in order for client programs to get responses from outside servers. I put:
access-list 101 permit tcp any any established
But this doesn't work. With this control in place, I can't even browse an external web site. The only way I've been able to fix it is to allow everything:
access-list 101 permit ip any any
Of course this is not what I want, because it opens my whole network up to the internet.
Is there some special trick to this that I'm missing?
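As an added illustration that is not part of the original post: a small Python model of how IOS evaluates an extended access list (first matching line decides, implicit deny at the end, and `established` matching only TCP segments with the ACK or RST bit set). Run over a few constructed inbound packets it shows one reason a list consisting solely of the `established` line breaks browsing: the UDP DNS replies a browser depends on can never match it. The web-server addresses and the extra entries in `ACL_INTENDED` are assumptions, not the poster's configuration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    dst: str              # inside destination address
    ack: bool = False     # TCP ACK or RST bit set: the only thing `established` checks

@dataclass
class Entry:
    """One extended-ACL line; None for a port and "any" for the host match anything."""
    action: str
    proto: str            # "ip", "tcp" or "udp"
    dst: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.dst in ("any", p.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                and (not self.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl, p: Packet) -> str:
    """IOS semantics: the first matching line decides; an implicit deny ends the list."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

# The single line from the question.
ACL_QUESTION = [Entry("permit", "tcp", established=True)]
# Assumed web servers (RFC 5737 documentation range) and the list the poster is after:
# reply traffic, DNS answers (UDP, so `established` never matches them), the web servers.
WEB_SERVERS = ["192.0.2.10", "192.0.2.11"]
ACL_INTENDED = [Entry("permit", "tcp", established=True), Entry("permit", "udp", src_port=53)] \
    + [Entry("permit", "tcp", dst=h, dst_port=80) for h in WEB_SERVERS]
# Constructed inbound packets as they would arrive on the outside interface.
SAMPLES = {
    "http reply to inside client": Packet("tcp", 80, 51000, "192.0.2.50", ack=True),
    "dns reply to inside client":  Packet("udp", 53, 51001, "192.0.2.50"),
    "visitor to web server":       Packet("tcp", 40000, 80, "192.0.2.10"),
    "unsolicited syn to desktop":  Packet("tcp", 40001, 80, "192.0.2.50"),
}

def decisions(acl) -> dict:
    """Verdict of the given list for every sample packet."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}
```

With only the `established` line, the HTTP reply is permitted but the DNS answer is dropped; the intended list permits both plus visitors to the listed servers while still denying unsolicited connections to other inside hosts.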