How to whitelist external access to an internal webserver via Cisco ACLs?

Posted by Josh on Server Fault
Published on 2012-12-05T21:59:05Z Indexed on 2012/12/06 5:07 UTC

This is our company's internet gateway router. This is what I want to accomplish on our Cisco 2691 router:

  • All employees need to be able to have unrestricted access to the internet (I've blocked facebook with an ACL, but other than that, full access)
  • There is an internal webserver that should be accessible from any internal IP address, but only a select few external IP addresses. Basically, I want to whitelist access from outside the network.
  • I don't have a hardware firewall appliance.

Until now, the webserver has not needed to be accessible externally... or in any case, the occasional VPN has sufficed when needed. As such, the following config has been sufficient:

access-list 106 deny   ip 66.220.144.0 0.0.7.255 any
access-list 106 deny   ip ... (so on for the Facebook blocking)
access-list 106 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 106 in
 ip nat outside

fa0/0 is the interface with the public IP.

However, when I add...

ip nat inside source static tcp 192.168.0.52 80 x.x.x.x 80 extendable

...in order to forward web traffic to the webserver, that just opens it up entirely. That much makes sense to me. This is where I get stumped though. If I add a line to the ACL to explicitly permit (whitelist) an IP range... something like this:

access-list 106 permit tcp x.x.x.x 0.0.255.255 192.168.0.52 0.0.0.0 eq 80

... how do I then block other external access to the webserver while still maintaining unrestricted internet access for internal employees?

I tried removing the access-list 106 permit ip any any. That ended up being a very short-lived config :)

Would something like access-list 106 permit ip 192.168.0.0 0.0.0.255 any on an "outside-inbound" work?
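The page carries no answer, so the following configuration is an added example (not the poster's or Cisco's own) showing the usual way to do this on a router without stateful inspection: keep `permit ip any any` so employees' return traffic still gets in, but place the whitelist and a catch-all deny for the web server ahead of it, written against the public address, because the inbound ACL on fa0/0 is evaluated before the static NAT rewrites x.x.x.x to 192.168.0.52 (so the proposed line matching destination 192.168.0.52 would never hit, and a `permit ip 192.168.0.0 ...` line on the outside-inbound ACL would never match either, since internal traffic does not enter through fa0/0). It assumes IOS 12.3 or later (named extended ACLs with sequence numbers); 203.0.113.0/24 and 198.51.100.7 are constructed placeholders for the whitelisted external addresses, and x.x.x.x stays the page's own placeholder.

```cisco
! Build a new named ACL and swap it onto the interface, rather than deleting
! ACL 106 in place: while a referenced numbered ACL is absent, IOS permits
! everything on that interface.
ip access-list extended OUTSIDE-IN
 remark --- existing Facebook blocking, carried over unchanged ---
 10 deny   ip 66.220.144.0 0.0.7.255 any
 remark --- whitelist: the only external sources allowed to reach the web
 remark --- server. Destination is the PUBLIC address x.x.x.x because this
 remark --- ACL runs before outside-to-inside NAT translation.
 remark --- (203.0.113.0/24 and 198.51.100.7 are constructed placeholders)
 100 permit tcp 203.0.113.0 0.0.0.255 host x.x.x.x eq 80
 110 permit tcp host 198.51.100.7 host x.x.x.x eq 80
 remark --- everyone else is refused on the forwarded port; log the attempts
 200 deny   tcp any host x.x.x.x eq 80 log
 remark --- unchanged catch-all: employees' outbound sessions return through
 remark --- fa0/0 and there is no stateful inspection to admit them otherwise
 300 permit ip any any
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Unchanged: the static port forward that exposes the internal server.
ip nat inside source static tcp 192.168.0.52 80 x.x.x.x 80 extendable
```

`show access-lists OUTSIDE-IN` shows per-line match counters, so a rising count on line 200 (and the corresponding `%SEC-6-IPACCESSLOGP` syslog entries) confirms non-whitelisted sources are being dropped while lines 100/110 account for the allowed ones.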

© Server Fault or respective owner