Cisco PIX: Allow traffic to an internal host

Contributed by abanks

January 29, 2004

Tagged: Cisco firewall

Permit selected traffic to an internal host.

First, a static mapping must be made for the host. There is another recipe for this configuration.

static (inside,outside) 1.1.1.1 192.168.0.100 netmask 255.255.255.255

then:

To allow traffic, a conduit must be constructed. For example, to allow ICMP (ping) traffic to all hosts from anywhere (bad idea):
conduit permit icmp any any

To allow SSH to a specific host from anywhere:
conduit permit tcp host 1.1.1.1 eq 22 any

With ACLs:

access-list 100 permit tcp any host 1.1.1.1 22 access-group 100 in interface outside

Previous recipe | Next recipe |

Viewing 3 Comments

Anonymous 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

FYI: ACL's were added in IOS 5.3. All major releases after 6.3 have dropped support for conduits and you must use ACLs.

reply edit reblog flag

Anonymous 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Sorry I should have posted this above. Cisco has a tool on their website to help in converting conduits to ACLs. It works pretty well but YMMV. <span style="text-decoration:underline">Always</span> check the configuration file afterward.

Online tool:
https://cco-dev.cisco.com/cgi-bin/Support/Outpu...

Downloadable tool if you have a CCO login:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix

-Tom

reply edit reblog flag

Flibble 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

or rather ICMP doesn't JUST equal PING. Opening up all of the ICMP protocol allows source quenches, router redirection and a whole host of stuff that can cause problems. If all that is required is PING then restrict the traffic to echo request <->echo reply.

reply edit reblog flag

CATEGORIES