Understanding Cisco Zone Based firewalling

```
class-map type inspect match-all self>INET
 match access-group name self-OUT
class-map type inspect match-all INET>self
 match access-group name self-IN
class-map type inspect match-all LAN>INET
 match access-group name LAN>inet
!
policy-map type inspect INET>self
 class type inspect INET>self
  inspect
 class class-default
  drop log
policy-map type inspect self>INET
 class type inspect self>INET
  inspect
 class class-default
  drop log
policy-map type inspect LAN>INET
 class type inspect LAN>INET
  inspect
 class class-default
  drop log
!
zone security INET
zone security LAN
!
zone-pair security LAN>INET source LAN destination INET
 service-policy type inspect LAN>INET
zone-pair security self>INET source self destination INET
 service-policy type inspect self>INET
zone-pair security INET>self source INET destination self
 service-policy type inspect INET>self
!
! Allow SSH (the static NAT only translates; inbound INET->LAN traffic also needs its own
! zone-pair and inspect policy, which is not shown here)
ip nat inside source static tcp INSIDE-IP 22 interface GigabitEthernet0/0 22
!
ip access-list extended LAN>inet
 permit ip any any
!
ip access-list extended self-IN
 permit udp any eq bootps any eq bootpc
 permit udp any any eq 443
 permit udp any eq 1195 any eq 1195
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any
 deny ip any any
!
ip access-list extended self-OUT
 permit udp any eq bootpc any eq bootps
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit udp any eq bootps any
 permit udp any eq bootpc any
 permit esp any any
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit gre any any
 deny ip any any
```
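As an added example that is not part of the post, here is a small Python checker that parses the ZBF objects above, reports dangling references between zone-pairs, policy-maps, class-maps and ACLs, and lists any zone direction that has no zone-pair at all (which ZBF drops). The embedded config is a trimmed copy of the one above; the function names are my own.

```python
import re
# Constructed, trimmed copy of the post's ZBF objects (self>INET direction and ACL bodies omitted).
CONFIG = """\
class-map type inspect match-all INET>self
 match access-group name self-IN
class-map type inspect match-all LAN>INET
 match access-group name LAN>inet
policy-map type inspect INET>self
 class type inspect INET>self
policy-map type inspect LAN>INET
 class type inspect LAN>INET
zone security INET
zone security LAN
zone-pair security LAN>INET source LAN destination INET
 service-policy type inspect LAN>INET
zone-pair security INET>self source INET destination self
 service-policy type inspect INET>self
ip access-list extended LAN>inet
ip access-list extended self-IN
"""
HEADERS = [("zone", r"zone security (\S+)$"), ("acl", r"ip access-list extended (\S+)$"),
           ("pair", r"zone-pair security (\S+) source (\S+) destination (\S+)$"),
           ("policy", r"policy-map type inspect (\S+)$"), ("class", r"class-map type inspect match-(?:all|any) (\S+)$")]
REF = r"(?:service-policy type inspect|class type inspect|match access-group name) (\S+)$"

def parse_zbf(text):  # returns kind -> {name: [referenced names]}; a zone-pair's list is [src, dst, policy]
    objs, cur = {k: {} for k, _ in HEADERS}, None
    for line in (l.strip() for l in text.splitlines()):
        for kind, rx in HEADERS:
            if m := re.match(rx, line):  # a block header starts a new object
                objs[kind][m[1]], cur = list(m.groups()[1:]), (kind, m[1])
                break
        else:  # not a header: record a reference made inside the current block
            if cur and (m := re.match(REF, line)):
                objs[cur[0]][cur[1]].append(m[1])
    return objs

def check_zbf(text):  # returns (dangling references, zone directions with no zone-pair)
    o = parse_zbf(text)
    zones, problems = set(o["zone"]) | {"self"}, []
    for name, (src, dst, *pol) in o["pair"].items():
        problems += [f"zone-pair {name}: unknown zone {z}" for z in (src, dst) if z not in zones]
        problems += [f"zone-pair {name}: unknown policy-map {p}" for p in pol if p not in o["policy"]]
    for kind, tgt in (("policy", "class"), ("class", "acl")):
        for name, refs in o[kind].items():
            problems += [f"{kind}-map {name}: unknown {tgt} {r}" for r in refs if r not in o[tgt]]
    covered = {(v[0], v[1]) for v in o["pair"].values()}
    # A direction between two zones with no zone-pair is dropped; the self zone is permitted by default.
    dropped = sorted(f"{a}->{b}" for a in zones for b in zones if a != b and "self" not in (a, b) and (a, b) not in covered)
    return problems, dropped
```

Running `check_zbf(CONFIG)` on the trimmed config finds no dangling references but reports `INET->LAN` as a direction with no zone-pair, which is why the SSH port-forward needs more than the NAT line.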

/r/homelab Thread