Cisco PIX: Allow traffic to an internal host

Contributed by abanks, January 29, 2004
Tagged: Cisco firewall

Permit selected traffic to an internal host.


First, a static mapping must exist for the host (there is a separate recipe for that configuration):

static (inside,outside) 1.1.1.1 192.168.0.100 netmask 255.255.255.255

Then permit the traffic itself, either with a conduit or with an access list.

To allow traffic with a conduit, construct one. For example, to allow ICMP (ping) traffic to all hosts from anywhere (bad idea: this opens every ICMP type, not just echo):
conduit permit icmp any any

To allow SSH to a specific host from anywhere:
conduit permit tcp host 1.1.1.1 eq 22 any

Or, equivalently, with an access list bound to the outside interface (note the order: source first, then destination, the reverse of a conduit):

access-list 100 permit tcp any host 1.1.1.1 eq 22
access-group 100 in interface outside

  • Anonymous
    FYI: ACLs were added in IOS 5.3. All major releases after 6.3 have dropped support for conduits and you must use ACLs.
  • Anonymous
    Sorry, I should have posted this above. Cisco has a tool on their website to help in converting conduits to ACLs. It works pretty well but YMMV. Always check the configuration file afterward.

    Online tool:
    https://cco-dev.cisco.com/cgi-bin/Support/Outpu...

    Downloadable tool if you have a CCO login:
    http://www.cisco.com/cgi-bin/tablebuild.pl/pix

    -Tom
  • Flibble
    Or rather, ICMP doesn't JUST equal PING. Opening up all of the ICMP protocol allows source quenches, router redirection and a whole host of stuff that can cause problems. If all that is required is PING then restrict the traffic to echo request <-> echo reply.
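Tom's comment points at Cisco's conduit-to-ACL converter and Flibble's warns against opening all of ICMP. The script below is an added example, not the recipe's code or Cisco's tool: it converts the conduit forms used on this page into access-list lines (swapping the conduit's global/foreign order into the ACL's source/destination order), appends the access-group binding, and carries a trailing ICMP type through so the ICMP rule can be narrowed to a single type such as `echo`. The function names and the defaults of ACL id 100 and interface outside are assumptions taken from the recipe's own lines.

```python
"""Convert PIX 'conduit' lines into 'access-list' entries (added example)."""
import re

# Address forms used on this page: any | host X | X mask
_ADDR = r"(?:any|host\s+\S+|\S+\s+\d+\.\d+\.\d+\.\d+)"
_CONDUIT = re.compile(
    r"^conduit\s+(permit|deny)\s+(\S+)\s+(" + _ADDR + r")"  # action proto global
    r"(?:\s+eq\s+(\S+))?\s+(" + _ADDR + r")"                # [eq port] foreign
    r"(?:\s+eq\s+(\S+))?(?:\s+(\S+))?\s*$"                  # [eq port] [icmp-type]
)


def conduit_to_acl(conduit: str, acl_id: str = "100") -> str:
    """Return the access-list line equivalent to one conduit line.
    A conduit names the global (destination) address first and the foreign
    (source) address second; an access-list names the source first. Swapping
    them is the whole point of the conversion and the easiest thing to get wrong.
    """
    m = _CONDUIT.match(conduit.strip())
    if not m:
        raise ValueError(f"unsupported conduit syntax: {conduit!r}")
    action, proto, glob, glob_port, foreign, foreign_port, icmp_type = m.groups()
    if icmp_type and proto.lower() != "icmp":
        raise ValueError(f"trailing token {icmp_type!r} is only valid for icmp")
    parts = [f"access-list {acl_id} {action} {proto}", foreign]  # source first
    if foreign_port:
        parts.append(f"eq {foreign_port}")
    parts.append(glob)                                           # destination second
    if glob_port:
        parts.append(f"eq {glob_port}")
    if icmp_type:
        parts.append(icmp_type)
    return " ".join(parts)


def convert_conduits(lines, acl_id="100", interface="outside"):
    """Convert every conduit in *lines* (other lines pass through) and append the
    access-group binding. Unlike a conduit, an ACL only applies on the interface
    it is bound to, so repeat the binding for each lower-security interface."""
    out, converted = [], False
    for line in lines:
        if line.strip().startswith("conduit "):
            out.append(conduit_to_acl(line, acl_id))
            converted = True
        else:
            out.append(line)
    if converted:
        out.append(f"access-group {acl_id} in interface {interface}")
    return out
```

Diff the output against the converter's result before applying it; the script handles only the address and port forms shown on this page and raises on anything else.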