Open port to specific external ip

Unanswered Question
Feb 6th, 2012

Hi,


I have a Cisco 800 series


I need to allow access to our local server from a specific range of  external ip addresses.


I was wondering what is the best way to go about this?


I can open port for all external ip using this command:

ip nat inside source static tcp <localserverip> <port> interface <interface> <port>


But this is not secure as is.


Do I then restrict and permit access using access-list? Or is there another way altogether?


I've tried searching for this but could not find a clear answer.


Can anyone point me in the right direction?


Many Thanks

nkarpysh Mon, 02/06/2012 - 23:07
User Badges:
  • Cisco Employee,

Hi,


NAT here is primarily for routing, I guess, to make your server visible from the internet.


I would say an extended ACL on the WAN interface would be enough to allow access to the server on a particular port from a remote subnet or particular IP addresses.


Nik

myron_gaines Thu, 02/09/2012 - 17:14

Hi Nikolay, thanks for your reply.


My understanding is that I should follow these steps:


Open the port using NAT:


ip nat inside source static tcp <localserverip> <port> interface <interface> <port>


Then apply Extended Access Lists:


access-list 101 permit tcp eq

int

access-group 101 in


Does this sound okay?
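
As an added example (not part of the original thread and not the posters' own configuration), here are the two steps described above on classic IOS, using constructed values: server 192.168.1.10, service tcp/443, inside interface Vlan1, WAN interface FastEthernet4 at 198.51.100.2, permitted external range 203.0.113.0/24, and a hypothetical ACL name WAN-IN. An inbound ACL on the outside interface is checked before NAT translates the destination, so the permit entry matches the public address rather than the server's private one, and the implicit deny needs an `established` entry so replies to TCP sessions opened from the LAN still pass.

```cisco
! All addresses, the port and the interface names below are constructed.
!
interface Vlan1
 ip nat inside
!
interface FastEthernet4
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ! Filter traffic arriving from the internet
 ip access-group WAN-IN in
!
! Step 1: forward tcp/443 on the WAN interface to the local server
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
!
! Step 2: restrict who may reach the forwarded port
ip access-list extended WAN-IN
 remark Allowed external range to the forwarded port (public address)
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.2 eq 443
 remark Replies to TCP sessions opened from the LAN
 permit tcp any any established
 remark Non-TCP return traffic (DNS, ICMP) needs its own entries
 remark or stateful inspection; none is permitted here
 deny ip any any log
```

`show access-lists WAN-IN` lists per-entry match counts, which confirms that only the intended range is hitting the permit entry and shows what the final deny is dropping.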

johnlloyd_13 Tue, 02/07/2012 - 01:57
User Badges:
  • Blue, 1500 points or more

Hi Myron,


There's a debate among networkers whether NAT is insecure or not. But if you feel the need to add ACL and know which subnet to permit or deny, then probably do both.


Based on my personal experience, I just do port forwarding and I haven't encountered any security issue so far (at least not that I know of).


Sent from Cisco Technical Support iPhone App
