How to whitelist external access to an internal webserver via Cisco ACLs?

cisco router access-control-list ios whitelist

6,976

I would think your outside access list should reference the global inside address (x.x.x.x) for 192.168.0.52 based on the NAT order of operations guide (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml)

So the below configuration blocks facebook, allows TCP from allowed subnet y.y.y.y to hit x.x.x.x, denies everything else destined for port 80 of x.x.x.x, then allows everything else.

access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
!Where y.y.y.y equals an 'allowed' subnet to hit the webserver, and x.x.x.x equals your outside IP address
access-list 106 permit tcp y.y.y.y 0.0.255.255 host x.x.x.x eq 80
access-list 106 deny tcp any x.x.x.x eq 80
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside

6,976

JoshP

Updated on September 18, 2022

Comments

JoshP over 1 year
This is our company's internet gateway router. This is what I want to accomplish on our Cisco 2691 router:
- All employees need to be able to have unrestricted access to the internet (I've blocked facebook with an ACL, but other than that, full access)
- There is an internal webserver that should be accessible from any internal IP address, but only a select few external IP addresses. Basically, I want to whitelist access from outside the network.
- I don't have a hardware firewall appliance.
Until now, the webserver has not needed to be accessible externally... or in any case, the occasional VPN has sufficed when needed. As such, the following config has been sufficient:
```
access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside
```
_{fa0/0 is the interface with the public IP}

However, when I add...
```
ip nat inside source static tcp 192.168.0.52 80 x.x.x.x 80 extendable
```
...in order to forward web traffic to the webserver, that just opens it up entirely. That much makes sense to me. This is where I get stumped though. If I add a line to the ACL to explicitly permit (whitelist) an IP range... something like this:
```
access-list 106 permit tcp x.x.x.x 0.0.255.255 192.168.0.52 0.0.0.0 eq 80
```
... how do I then block other external access to the webserver while still maintaining unrestricted internet access for internal employees?

I tried removing the access-list 106 permit ip any any. That ended up being a very short-lived config :)

Would something like access-list 106 permit ip 192.168.0.0 0.0.0.255 any on an "outside-inbound" work?
- HopelessN00b over 11 years
  
  All employees need to be able to have unrestricted access to the internet (I've blocked facebook with an ACL, but other than that, full access) Does this seem like a good idea to you? The employees can't spend their day figuratively jerking-off on Facebook, but they can literally spend their day jerking off on... well, yeah. That's just begging for a hostile workplace lawsuit too.
- JoshP over 11 years
  
  @HopelessN00b, fwiw, I've not heard a single complaint about facebook. It's just cultural at this point I guess, and as for the other time sinks, until there is reason to implement something more draconian, I'll keep with the honor system.
- JoshP over 11 years
  
  @Zoredache, I think you may have misunderstood. I want only a few people in the world to access the box, plus all internal employees.
- Zoredache over 11 years
  
  @Josh, you are right. Somehow I read your requirements backwards.
- Zoredache over 11 years
  
  What version of IOS are you running, and what features are present? You might want to take a serious look at the zone based firewall features. cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018‌/… cisco.com/en/US/products/sw/secursw/ps1018/…
- JoshP over 11 years
  
  @Zoredache, the router is running 12.2. The ZFW features look very useful. Unfortunately, out of my reach. Is what I'm looking to do actually possible with ACLs? or am I looking to do something not possible to accomplish with ACLs?
JoshP over 11 years

Thank you so much Jason. That was the fix! Keeping track of what happens where with NAT kind of turns my brain to mush.