Quick inbound NAT access question.

Status
Not open for further replies.

samward

Technical User
Aug 17, 2003
2
GB
I'm running Trend Micro's OfficeScan AV software, which is wonderful by the way, but the server communicates with the clients via HTTP on IIS (not so wonderful).

Everything's sitting behind a single static IP Cisco 801 ISDN router, and my ports are mapped in the 'ip nat inside source...' way.

I need to allow http access to a few static-ip'eed external clients, but I'm truly petrified of opening port 80 to the world at large and mapping it to my server.

Is there a quick and simple way to achieve this?

Thanks in advance.

Sam

P.S. can anybody recommend a good Cisco routing configuration book?
 
Hi Samward,

Just confirming: you need to allow *incoming* connections on port 80?

If so you could create a NAT pinhole entry to your http server machine:

ip nat inside source static tcp <internal-IP-Address> 80 interface <external-interface> 80

You could then just throw an access list (incoming) on your internet interface.
e.g.
access-list <acl-number> permit tcp host <external-host-ip> host <router-external-ip> eq 80
access-list <acl-number> permit tcp any host <router-external-ip> established

(note: This does open you up to ack-tunneling though, but not a worry if you are running stateful inspection)

Good luck.
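The ack-tunneling note in the reply above comes from how the established keyword matches: it is a stateless test for the ACK or RST bit. The following is an added example, not part of the original posts, that models the two access-list lines in Python and evaluates constructed segments against them; the addresses are documentation-range stand-ins for the placeholders, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ROUTER_EXT = "203.0.113.1"   # constructed stand-in for <router-external-ip>
CLIENT = "198.51.100.10"     # constructed stand-in for <external-host-ip>

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    flags: frozenset         # TCP flags set on the segment, e.g. {"SYN"}

@dataclass(frozen=True)
class Rule:
    src: Optional[str]            # None models "any"
    dst: str
    dport: Optional[int] = None   # None models "no port test"
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.src is not None and seg.src != self.src:
            return False
        if seg.dst != self.dst:
            return False
        if self.dport is not None and seg.dport != self.dport:
            return False
        # "established" keeps no connection state: it only tests ACK or RST.
        if self.established and not (seg.flags & {"ACK", "RST"}):
            return False
        return True

ACL = [
    Rule(src=CLIENT, dst=ROUTER_EXT, dport=80),        # permit ... eq 80
    Rule(src=None, dst=ROUTER_EXT, established=True),  # permit ... established
]

def evaluate(seg: Segment, acl=ACL) -> str:
    """First match wins; an unmatched segment hits the implicit deny."""
    for index, rule in enumerate(acl, start=1):
        if rule.matches(seg):
            return f"permit (rule {index})"
    return "deny (implicit)"

def to_router(src: str, dport: int, *flags: str) -> Segment:
    return Segment(src, ROUTER_EXT, dport, frozenset(flags))

if __name__ == "__main__":
    other = "192.0.2.50"  # constructed host that is not on the permit list
    for s in (to_router(CLIENT, 80, "SYN"), to_router(other, 80, "SYN"),
              to_router(other, 80, "ACK"), to_router(other, 80, "SYN", "ACK")):
        print(s.src, sorted(s.flags), "->", evaluate(s))
```

The last two results are the gap the note refers to: rule 2 looks only at the flag bits, not at whether an outbound connection was seen first, which is the check stateful inspection adds.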


 