Following is the summary configuration on a Cisco ISR for the IOS firewall:
interface FastEthernet0/0
 ip address A.B.C.D 255.255.255.252
 ip inspect E_Mail_From_Outside in
 ip access-group E_Mail_Server in
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip inspect USERS_HTTP_ONLY in
 ip access-group HTTP_ONLY in
ip inspect name E_Mail_From_Outside tcp
ip inspect name USERS_HTTP_ONLY tcp
ip access-list extended E_Mail_Server
 permit tcp any host P.Q.R.S eq 25
(allows outside e-mail servers to send e-mails to P.Q.R.S on port 25 SMTP; P.Q.R.S is a static public address reachable on the outside interface)
ip access-list extended HTTP_ONLY
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
(allows users in 10.1.1.0/24 to browse the internet only on port 80)
How will the internal e-mail server's traffic be handled in this case, as we are not allowing any port except port 80 from inside to outside? Does it automatically/dynamically add lines to the access list (similarly to how lines are added to the access list on the outside interface to allow response packets for sessions that were initiated from the inside zone)?
Please share your experience.
Thanks in advance
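To make the question concrete, here is an added toy model of how CBAC (ip inspect) tracks sessions for the two-interface configuration above. It is illustrative example code, not IOS output or Cisco code; the interface names and address placeholders follow the post, NAT is left out (P.Q.R.S stands for the mail server on both sides), and the outside hosts and ports are constructed.

```python
"""Toy model of IOS CBAC for the config in the post (added example, not IOS).
An inspected connection that is permitted by the inbound ACL on one interface
creates a temporary opening for its reply on the opposite interface, so the
reply is permitted even though that interface's inbound ACL would deny it.
New connections are only checked against the static ACL."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Interface:
    acl: list                       # inbound permits: (src_prefix, dst, dport)
    inspect: bool                   # 'ip inspect <name> in' applied
    sessions: set = field(default_factory=set)  # dynamic return openings


class Router:
    def __init__(self):
        # E_Mail_Server ACL + E_Mail_From_Outside inspect on the outside
        # HTTP_ONLY ACL + USERS_HTTP_ONLY inspect on the inside (NAT ignored)
        self.ifaces = {
            "fa0/0": Interface(acl=[("any", "P.Q.R.S", 25)], inspect=True),
            "fa0/1": Interface(acl=[("10.1.1.", "any", 80)], inspect=True),
        }
        self.reverse = {"fa0/0": "fa0/1", "fa0/1": "fa0/0"}

    @staticmethod
    def acl_permits(acl, f):
        return any((s == "any" or f.src.startswith(s))
                   and (d == "any" or f.dst == d)
                   and f.dport == p for s, d, p in acl)

    def packet_in(self, ifname, f):
        """Return how a packet entering interface ifname is treated."""
        ifc = self.ifaces[ifname]
        if f in ifc.sessions:           # reply of an inspected session
            return "permit (dynamic session)"
        if not self.acl_permits(ifc.acl, f):
            return "deny (acl)"         # e.g. internal server starting SMTP
        if ifc.inspect:                 # open the return path on the far side
            reply = Flow(f.dst, f.dport, f.src, f.sport)
            self.ifaces[self.reverse[ifname]].sessions.add(reply)
        return "permit (acl)"
```

Running the model, inbound SMTP to P.Q.R.S passes the fa0/0 ACL and its reply entering fa0/1 is permitted by the dynamic session despite HTTP_ONLY, while a new outbound connection from the mail server on port 25 entering fa0/1 is denied by the static ACL.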