! Class-maps: each one matches the traffic permitted by a named extended ACL
class-map type inspect match-all self>INET
 match access-group name self-OUT
class-map type inspect match-all INET>self
 match access-group name self-IN
class-map type inspect match-all LAN>INET
 match access-group name LAN>inet
! Policy-maps: inspect traffic that matches the class, drop and log everything else
policy-map type inspect INET>self
 class type inspect INET>self
  inspect
 class class-default
  drop log
policy-map type inspect self>INET
 class type inspect self>INET
  inspect
 class class-default
  drop log
policy-map type inspect LAN>INET
 class type inspect LAN>INET
  inspect
 class class-default
  drop log
! Zones, and the zone-pairs that bind each policy to one traffic direction
zone security INET
zone security LAN
zone-pair security LAN>INET source LAN destination INET
 service-policy type inspect LAN>INET
zone-pair security self>INET source self destination INET
 service-policy type inspect self>INET
zone-pair security INET>self source INET destination self
 service-policy type inspect INET>self
! Allow SSH
ip nat inside source static tcp INSIDE-IP 22 interface GigabitEthernet0/0 22
! Matched by class-map LAN>INET: all IP traffic from the LAN
ip access-list extended LAN>inet
 permit ip any any
! Matched by class-map INET>self: traffic from INET addressed to the router itself
ip access-list extended self-IN
 permit udp any eq bootps any eq bootpc
 permit udp any any eq 443
 permit udp any eq 1195 any eq 1195
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any
 deny ip any any
! Matched by class-map self>INET: traffic originated by the router towards INET
ip access-list extended self-OUT
 permit udp any eq bootpc any eq bootps
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit udp any eq bootps any
 permit udp any eq bootpc any
 permit esp any any
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit gre any any
 deny ip any any