I want to allow access to a service on an internal server by users on the internet.
I have a cisco 1700 with version 12.3.
I believe I need to add a NAT statement to my config and at least 1 hole in my access-list rules to allow access to the service.
For the sake of this post I'm using POP3 as the service.
My (part) config follows with the lines I think I need to add with **** at the begining:
interface FastEthernet0 description Connection to Internet ip address "WAN IP" 255.255.255.248 ip access-group 199 in ip nat outside duplex auto speed auto crypto map cm-cryptomap ! interface FastEthernet1 no ip address ! interface Vlan1 ip address "host ip" 255.255.255.0 ip access-group 101 in ip nat inside ip inspect fwinspect in ! ip nat inside source route-map nonat interface FastEthernet0 overload
***ip nat inside source static "mail server" 110 "WAN IP" 110 extendable ! access-list 101 permit ip any "local net" 0.0.0.255 access-list 101 permit tcp host "mailserver" any eq smtp access-list 101 permit tcp any any eq www access-list 101 permit tcp any any eq 8080 access-list 101 permit tcp any any eq ftp access-list 101 permit tcp any any eq ftp-data access-list 101 permit tcp any any eq nntp access-list 101 permit udp any any eq domain access-list 101 permit tcp any any eq pop3 access-list 101 permit tcp any any eq 443 access-list 101 permit tcp any any eq 1863 access-list 101 permit tcp any any eq telnet access-list 101 permit tcp any any eq 123 access-list 101 permit tcp any any eq 8443 access-list 101 permit tcp any any eq 8005 ***** access-list 101 permit tcp "mail server" any eq 110 access-list 101 deny ip any any access-list 199 remark SDM_ACL Category=17 access-list 199 permit vpn stuff ****access-list 199 permit any "WAN IP" eq 110Thanks for any help you can offer.
Mike