Open port to specific external ip

myron_gaines
Level 1

Hi,

I have a Cisco 800 series

I need to allow access to our local server from a specific range of external IP addresses.

I was wondering what is the best way to go about this?

I can open the port for all external IPs using this command:

ip nat inside source static tcp <localserverip> <port> interface <interface> <port>

But this is not secure as is..

Do I then restrict and permit access using access-list? Or is there another way altogether?

I've tried searching for this but could not find a clear answer

Can anyone point me in the right direction?

Many Thanks

3 Replies

nkarpysh
Cisco Employee

Hi,

NAT here is primarily for routing, I guess, to make your server visible from the internet.

I would say an extended ACL on the WAN interface would be enough to allow access to the server on a particular port from a remote subnet or particular IP addresses.

Nik

HTH,
Niko

Hi Nikolay, thanks for your reply.

My understanding is that I should follow these steps:

Open the port using NAT:

ip nat inside source static tcp interface

Then apply Extended Access Lists:

access-list 101 permit tcp eq

int

access-group 101 in

Does this sound okay?
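
The two steps discussed above, written out in full as an added example (not a configuration posted by anyone in this thread). All values are constructed placeholders: inside server 192.168.1.10, TCP port 8443, WAN interface Dialer0 with public address 203.0.113.2, and permitted external range 198.51.100.0/24. It assumes `ip nat inside` / `ip nat outside` are already set on the LAN and WAN interfaces.

```cisco
! Step 1: the port forward from the first post, placeholders filled in
ip nat inside source static tcp 192.168.1.10 8443 interface Dialer0 8443
!
! Step 2: extended ACL for traffic arriving on the WAN interface.
! An inbound ACL on the outside interface is checked BEFORE NAT translates
! the destination, so the destination to match is the public address
! (203.0.113.2), not the inside server address (192.168.1.10).
! If the WAN address is dynamic, use "any" as the destination instead.
access-list 101 remark allowed external range to the forwarded port
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.2 eq 8443
access-list 101 remark log and drop every other source hitting that port
access-list 101 deny   tcp any host 203.0.113.2 eq 8443 log
!
! An ACL ends in an implicit "deny ip any any". Without the entry below,
! replies to TCP sessions opened from the inside would be dropped as well.
! UDP replies (DNS, NTP) are not covered by "established"; they need their
! own entries or stateful inspection, depending on what the router runs.
access-list 101 remark return traffic for TCP sessions started inside
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
!
! Step 3: bind the ACL inbound on the WAN interface.
! The interface-level command is "ip access-group".
interface Dialer0
 ip access-group 101 in
!
! Verify: hit counters should rise on the permit line for allowed sources
! and on the deny line for everyone else.
! show access-lists 101
! show ip nat translations
```

Apply the ACL from a console or LAN-side session, since a mistake in an inbound WAN ACL can cut off remote management.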

johnlloyd_13
Level 9

Hi Myron,

There's a debate among networkers whether NAT is insecure or not. But if you feel the need to add ACL and know which subnet to permit or deny, then probably do both.

Based on my personal experience, I just do port forwarding and I haven't encountered any security issue so far (at least not that I know of).
