I would be against router-only solutions because I don't believe they maintain state. I only say this since we use both inbound and outbound ACLs, which require me to write two rules.

For instance: (syntax could be slightly off)
permit tcp host a.b.c.d w.x.y.z eq 80 (inbound)
permit tcp host w.x.y.z eq 80 a.b.c.d established (outbound)

(inbound/outbound in relation to the routers perspective)

If it was maintaining state, I wouldn't imagine that I would need the established rule since a state touble would know that I had initially initiated a request to the w.x.y.z address.

Please don't hold me to that just yet, but I plan on trying to spoof a packet through one our routers next week to see if it show up in our firewall logs.

B-Man