How to whitelist external access to an internal webserver via Cisco ACLs?

Question

This is our company’s internet gateway router. This is what I want to accomplish on our Cisco 2691 router:

  • All employees need to be able to have unrestricted access to the internet (I’ve blocked facebook with an ACL, but other than that, full access)
  • There is an internal webserver that should be accessible from any internal IP address, but only a select few external IP addresses. Basically, I want to whitelist access from outside the network.
  • I don’t have a hardware firewall appliance.

Until now, the webserver has not needed to be accessible externally… or in any case, the occasional VPN has sufficed when needed. As such, the following config has been sufficient:

access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside

fa0/0 is the interface with the public IP

However, when I add…

ip nat inside source static tcp 192.168.0.52 80 x.x.x.x 80 extendable

…in order to forward web traffic to the webserver, that just opens it up entirely. That much makes sense to me. This is where I get stumped though. If I add a line to the ACL to explicitly permit (whitelist) an IP range… something like this:

access-list 106 permit tcp x.x.x.x 0.0.255.255 192.168.0.52 0.0.0.0 eq 80

… how do I then block other external access to the webserver while still maintaining unrestricted internet access for internal employees?

I tried removing the access-list 106 permit ip any any. That ended up being a very short-lived config :)

Would something like access-list 106 permit ip 192.168.0.0 0.0.0.255 any on an “outside-inbound” work?

Asked by Josh

Answer

I would think your outside access list should reference the global inside address (x.x.x.x) for 192.168.0.52 based on the NAT order of operations guide (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml)

So the below configuration blocks facebook, allows TCP from allowed subnet y.y.y.y to hit x.x.x.x, denies everything else destined for port 80 of x.x.x.x, then allows everything else.

access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
!Where y.y.y.y equals an 'allowed' subnet to hit the webserver, and x.x.x.x equals your outside IP address
access-list 106 permit tcp y.y.y.y 0.0.255.255 host x.x.x.x eq 80
access-list 106 deny   tcp any host x.x.x.x eq 80
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside

Answered by Jason Seemann
