02-06-2012 11:01 PM - edited 03-04-2019 03:10 PM
Hi,
I have a Cisco 800 series.
I need to allow access to our local server from a specific range of external ip addresses.
I was wondering what is the best way to go about this?
I can open the port for all external IPs using this command:
ip nat inside source static tcp <localserverip> <port> interface <interface> <port>
But this is not secure as is..
Do I then restrict and permit access using access-list? Or is there another way altogether?
I've tried searching for this but could not find a clear answer.
Can anyone point me in the right direction?
Many Thanks
02-06-2012 11:07 PM
Hi,
NAT here is primarily for routing, I guess, to make your server visible from the internet.
I would say an Extended ACL on the WAN interface would be enough to allow access to the server on a particular port from a remote subnet or particular IP addresses.
Nik
02-09-2012 05:14 PM
Hi Nikolay, thanks for your reply.
My understanding is that I should follow these steps:
Open the port using NAT:
ip nat inside source static tcp
Then apply Extended Access Lists:
access-list 101 permit tcp
int
access-group 101 in
Does this sound okay?
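The static NAT plus inbound extended ACL combination discussed in this thread, written out as an added example (not part of any poster's message). All addresses, the port and the interface name are constructed assumptions: inside server 192.168.1.10 on TCP 443, WAN interface FastEthernet4 holding 198.51.100.10, and 203.0.113.0/24 as the permitted external range.

```cisco
! Constructed example values throughout; substitute your own.
!
! 1. Port-forward TCP 443 on the WAN interface address to the inside server.
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
!
! 2. Extended ACL 101. An inbound ACL on the outside interface is checked
!    BEFORE the NAT translation, so the destination must be the public
!    (WAN) address and port, not the inside server address.
access-list 101 remark allow the partner range to reach the forwarded port
access-list 101 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 443
!
!    The ACL filters everything arriving on the WAN, including replies to
!    sessions that LAN hosts open outbound. Permit TCP return traffic:
access-list 101 remark return traffic for TCP sessions opened from inside
access-list 101 permit tcp any any established
!
!    UDP replies (for example DNS) have no "established" state and are
!    dropped unless permitted explicitly or handled by a stateful feature.
!
!    Make the implicit deny explicit so that blocked attempts are logged.
access-list 101 deny ip any any log
!
! 3. Apply the ACL inbound on the WAN interface. The interface-level
!    command is "ip access-group", not "access-group".
interface FastEthernet4
 ip access-group 101 in
!
! 4. Verify from exec mode:
!      show access-lists 101        (hit counters per entry)
!      show ip nat translations     (static entry for 192.168.1.10:443)
```

If the WAN address is assigned dynamically, the `host 198.51.100.10` destination in the permit line has to be replaced with `any`, since the ACL cannot track the interface address.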
02-07-2012 01:57 AM
Hi Myron,
There's a debate among networkers whether NAT is insecure or not. But if you feel the need to add an ACL and know which subnet to permit or deny, then probably do both.
Based on my personal experience, I just do port forwarding and I haven't encountered any security issue so far (at least not that I know of).
Sent from Cisco Technical Support iPhone App