I have a Cisco 800 series.
I need to allow access to our local server from a specific range of external IP addresses.
I was wondering what is the best way to go about this?
I can open the port for all external IPs using this command:
ip nat inside source static tcp <localserverip> <port> interface <interface> <port>
But this is not secure as is.
Do I then restrict and permit access using access-list? Or is there another way altogether?
I've tried searching for this but could not find a clear answer.
Can anyone point me in the right direction?
NAT here is primarily for routing, I guess, to make your server visible from the internet.
I would say an Extended ACL on the WAN interface would be enough to allow access to the server on a particular port from a remote subnet or particular IP addresses.
Hi Nikolay, thanks for your reply.
My understanding is that I should follow these steps:
Open the port using NAT:
ip nat inside source static tcp
Then apply Extended Access Lists:
access-list 101 permit tcp
access-group 101 in
Does this sound okay?
There's a debate among networkers whether NAT is insecure or not. But if you feel the need to add an ACL and know which subnet to permit or deny, then probably do both.
Based on my personal experience, I just do port forwarding and I haven't encountered any security issue so far (at least not that I know of).
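The approach discussed in this thread (a static NAT port forward plus an extended ACL applied inbound on the WAN interface), written out as an added example that is not part of any post above. The addresses, TCP port 443 and the interface name FastEthernet4 are constructed assumptions, and the return-traffic permit lines are an assumption about what else this router must pass, since an ACL ends with an implicit deny.

```cisco
! Constructed values (assumptions, not from the thread):
!   inside server          192.168.1.10, TCP 443
!   WAN interface          FastEthernet4
!   permitted remote range 203.0.113.0/24
!
! Port forward: <WAN interface address>:443 -> 192.168.1.10:443
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
!
! On IOS the inbound ACL on the outside interface is evaluated BEFORE NAT
! rewrites the destination, so the ACL has to match the public-side
! destination, not 192.168.1.10. "any" is used here because the WAN
! address may be dynamic; use "host <wan-ip>" if it is static.
access-list 101 remark Permitted remote range to the forwarded port only
access-list 101 permit tcp 203.0.113.0 0.0.0.255 any eq 443
!
! Without the lines below, the implicit deny would also drop replies to
! connections that inside hosts open through this interface.
access-list 101 remark Return traffic for TCP sessions opened from inside
access-list 101 permit tcp any any established
access-list 101 remark ICMP replies and error messages
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
!
! Explicit final deny so that dropped attempts are logged and counted.
access-list 101 deny ip any any log
!
interface FastEthernet4
 ip nat outside
 ! Interface-level command on IOS is "ip access-group".
 ip access-group 101 in
```

A stateless ACL like this does not pass UDP replies (for example DNS answers to inside clients); those need their own permit lines or a stateful firewall feature on the router. `show access-lists 101` displays per-line match counters, which confirms whether the permit and the logged deny are being hit as expected.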