I figured this would be an easy one, but I've had a good amount of trouble finding this answer myself. I have a Cisco router that I'm setting up to have my Internet connection on one interface (external) that obtains an IP via DHCP, and my LAN on another interface (internal) that has an internal static IP. I also have port 80 forwarded to an internal address (using "ip nat inside source static ... interface fa0/0 ...").
Everything works properly, but I have a question about the ACL I am applying inbound to the external interface. I currently have this: "permit tcp any any eq www". This works, but I am wondering if this is secure. Typically I would specify the external IP to match more specifically, but I don't necessarily have the IP since it's learned via DHCP. Is there a way to accurately specify this, or is this permit line appropriate?
There should not be any security problem with this. You are running NAT anyway, with only the one port forwarded... so the only traffic that should pass is port 80 traffic, and it will always go to the IP you mapped.
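The setup described in the question, written out in Cisco IOS syntax as an added illustration of the answer's point (not configuration from the original post). Interface names, addresses, the ACL name, the outbound PAT rule and the two extra ACL lines (established return traffic and DHCP replies) are assumptions; the question shows only the `permit tcp any any eq www` line.

```cisco
! External interface: address learned via DHCP, NAT outside, ACL applied inbound
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Internal LAN interface with a static address, NAT inside (addresses assumed)
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Port 80 on the DHCP-learned outside address is forwarded to one internal host.
! Only traffic matching this mapping is translated inward; nothing else reaches the LAN.
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80
!
! Outbound PAT for the rest of the LAN (assumed, not mentioned in the question)
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN interface FastEthernet0/0 overload
!
! Inbound filter on the outside interface. "any" is used as the destination
! because the outside address is not known in advance; the static NAT entry,
! not the ACL, decides which internal host port 80 traffic is delivered to.
ip access-list extended OUTSIDE-IN
 remark return traffic for TCP sessions started from the LAN (assumed)
 permit tcp any any established
 remark DHCP replies so the outside address can be obtained and renewed (assumed)
 permit udp any eq bootps any eq bootpc
 remark the forwarded web service (the line from the question)
 permit tcp any any eq www
 remark everything else is dropped by the implicit deny at the end of the list
```

With this in place, `show ip nat translations` and `show access-lists OUTSIDE-IN` will confirm that inbound port 80 hits only increment the www line and only ever translate to the single mapped host.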