How to whitelist external access to an internal webserver via Cisco ACLs?
- by Josh
This is our company's internet gateway router. This is what I want to accomplish on our Cisco 2691 router:
All employees need to be able to have unrestricted access to the internet (I've blocked facebook with an ACL, but other than that, full access)
There is an internal webserver that should be accessible from any internal IP address, but only a select few external IP addresses. Basically, I want to whitelist access from outside the network.
I don't have a hardware firewall appliance.
Until now, the webserver has not needed to be accessible externally... or in any case, the occasional VPN has sufficed when needed. As such, the following config has been sufficient:
access-list 106 deny ip 66.220.144.0 0.0.7.255 any
access-list 106 deny ip ... (so on for the Facebook blocking)
access-list 106 permit ip any any
!
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.248
ip access-group 106 in
ip nat outside
fa0/0 is the interface with the public IP
However, when I add...
ip nat inside source static tcp 192.168.0.52 80 x.x.x.x 80 extendable
...in order to forward web traffic to the webserver, that just opens it up entirely. That much makes sense to me. This is where I get stumped though. If I add a line to the ACL to explicitly permit (whitelist) an IP range... something like this:
access-list 106 permit tcp x.x.x.x 0.0.255.255 192.168.0.52 0.0.0.0 eq 80
... how do I then block other external access to the webserver while still maintaining unrestricted internet access for internal employees?
I tried removing the access-list 106 permit ip any any. That ended up being a very short-lived config :)
Would something like access-list 106 permit ip 192.168.0.0 0.0.0.255 any on an "outside-inbound" work?
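As an added illustration (not part of Josh's question and not an answer posted on the page), here is a small Python model of how IOS evaluates a numbered extended ACL: entries are tried in order, the first match decides, and anything that matches nothing is dropped by the implicit deny at the end. The public address 203.0.113.10, the whitelisted range 198.51.100.0/24 and the sample packets are constructed placeholders for x.x.x.x and the "select few" external addresses in the question. The model is built around one caveat of the setup described above: for packets arriving on the "ip nat outside" interface, IOS checks the inbound access list before the static NAT rewrites the destination, so an entry on that interface must name the public address of the webserver; an entry whose destination is 192.168.0.52 never matches there.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str                # source address as seen on the wire
    dst: str                # destination address as seen on the wire (pre-NAT on fa0/0)
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # destination port from "eq N", if present


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 is a /24, 0.0.0.0 is one host.
    Non-contiguous wildcards (legal in IOS) are not representable here and raise."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address specifier (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str, number: str) -> List[Rule]:
    """Build the ordered entry list from 'access-list <number> ...' lines of an IOS config.
    Only the subset of extended-ACL syntax used on the page is understood."""
    rules = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", number]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def first_match(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching entry decides; no match means the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed config. 203.0.113.10 stands in for the router's public address (x.x.x.x on the
# page) and 198.51.100.0/24 for the whitelisted external range. Applied with
# "ip access-group 106 in" on the "ip nat outside" interface, the list is evaluated BEFORE
# the static NAT rewrites 203.0.113.10:80 to 192.168.0.52:80, hence the public address.
SAMPLE_CONFIG = """
access-list 106 deny ip 66.220.144.0 0.0.7.255 any
access-list 106 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 106 deny tcp any host 203.0.113.10 eq 80
access-list 106 permit ip any any
"""
ACL_106 = parse_acl(SAMPLE_CONFIG, "106")

# The entry from the question, naming the server's private address as destination.
# Packets arriving on the outside interface still carry the public address, so on that
# interface this entry cannot match anything.
PRIVATE_DST_ACL = parse_acl(
    "access-list 106 permit tcp 198.51.100.0 0.0.0.255 192.168.0.52 0.0.0.0 eq 80", "106")

# Constructed packets as they arrive inbound on fa0/0.
WHITELISTED_WEB = Packet("tcp", "198.51.100.7", "203.0.113.10", 80)
OTHER_WEB = Packet("tcp", "192.0.2.5", "203.0.113.10", 80)
EMPLOYEE_RETURN = Packet("tcp", "192.0.2.200", "203.0.113.10", 51000)  # reply to an outbound session
FACEBOOK_RETURN = Packet("tcp", "66.220.149.1", "203.0.113.10", 52000)

if __name__ == "__main__":
    for name, pkt in [("whitelisted web", WHITELISTED_WEB), ("other web", OTHER_WEB),
                      ("employee return", EMPLOYEE_RETURN), ("facebook return", FACEBOOK_RETURN)]:
        action, idx = first_match(ACL_106, pkt)
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{name:16} {pkt.src:>15} -> {pkt.dst}:{pkt.dport}  {action} ({where})")
    print("private-destination entry vs whitelisted packet:", first_match(PRIVATE_DST_ACL, WHITELISTED_WEB))
```

The order of the three entries after the Facebook block is what matters: the whitelist permit has to precede the deny for port 80 on the public address, and the final permit ip any any stays at the bottom so reply traffic for employee-initiated sessions (which a stateless ACL has no other way to recognise) is still let in.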