Cisco Support Community
New Member

Open port to specific external ip

Hi,

I have a Cisco 800 series.

I need to allow access to our local server from a specific range of external IP addresses.

I was wondering what is the best way to go about this?

I can open the port for all external IPs using this command:

ip nat inside source static tcp <localserverip> <port> interface <interface> <port>

But this is not secure as is.

Do I then restrict and permit access using access-list? Or is there another way altogether?

I've tried searching for this but could not find a clear answer.

Can anyone point me in the right direction?

Many Thanks

3 REPLIES
Cisco Employee

Open port to specific external ip

Hi,

NAT here is primarily for routing, I guess, to make your server visible from the internet.

I would say an extended ACL on the WAN interface would be enough to allow access to the server on a particular port from a remote subnet or particular IP addresses.

Nik

New Member

Re: Open port to specific external ip

Hi Nikolay, thanks for your reply.

My understanding is that I should follow these steps:

Open the port using NAT:

ip nat inside source static tcp interface

Then apply Extended Access Lists:

access-list 101 permit tcp eq

int

access-group 101 in

Does this sound okay?

Re: Open port to specific external ip

Hi Myron,

There's a debate among networkers whether NAT is insecure or not. But if you feel the need to add an ACL and know which subnet to permit or deny, then probably do both.

Based on my personal experience, I just do port forwarding and I haven't encountered any security issue so far (at least not that I know of).

Sent from Cisco Technical Support iPhone App
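
The NAT-plus-ACL approach discussed in this thread, written out as an added example that is not part of any poster's reply. All addresses, the port and the interface name are constructed placeholders (documentation ranges), and it assumes `ip nat inside` / `ip nat outside` are already set on the LAN and WAN interfaces and that the WAN address is static.

```cisco
! Constructed values (assumptions, not taken from the thread):
!   local server            192.168.1.10
!   forwarded TCP port      8443
!   WAN interface           GigabitEthernet0, static address 203.0.113.10
!   allowed external range  198.51.100.0/24
!
! 1. Port forward: publish the server's port on the WAN interface address.
ip nat inside source static tcp 192.168.1.10 8443 interface GigabitEthernet0 8443
!
! 2. Extended ACL: only the allowed range may reach the forwarded port.
access-list 101 remark Trusted range may reach the forwarded port
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 8443
access-list 101 remark All other sources are refused on that port and logged
access-list 101 deny   tcp any host 203.0.113.10 eq 8443 log
access-list 101 remark Other traffic is left as it was before the ACL existed
access-list 101 permit ip any any
!
! 3. Apply the ACL inbound on the WAN interface.
interface GigabitEthernet0
 ip access-group 101 in
```

The ACL matches the router's public address rather than the server's private one because IOS checks an inbound interface ACL before it translates the destination. Without the final `permit ip any any`, the implicit deny at the end of the list would also drop return traffic for sessions started from the LAN; `show access-lists 101` shows per-line hit counters and `show ip nat translations` shows the static entry.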
