Cisco PIX: Allow Traffic to an Internal Host

The following tech-recipe describes how to permit selected traffic to an internal host.


First, a static mapping must be made for the host. There is another tech-recipe for this configuration.

static (inside,outside) 1.1.1.1 192.168.0.100 netmask 255.255.255.255

To allow traffic, a conduit must be constructed. For example, to allow ICMP (ping) traffic to all hosts from anywhere (a bad idea, since it exposes every mapped host to ICMP from any source), use the following:
conduit permit icmp any any

To allow SSH to a specific host from anywhere, use the following:
conduit permit tcp host 1.1.1.1 eq 22 any

With ACLs, the same SSH rule is written as an access list, which is then applied to inbound traffic on the outside interface:

access-list 100 permit tcp any host 1.1.1.1 eq 22
access-group 100 in interface outside
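
The conduit and access-list forms above list their addresses in opposite order: a conduit names the mapped (destination) address first and the foreign (source) address second, while an access list names the source first. The following Python sketch is an added example, not part of the original recipe or any Cisco tooling. It rewrites conduit lines as access-list entries and flags entries open to any source. The function names, the subset of conduit grammar handled, and the 203.0.113.0 source network are assumptions made for illustration.

```python
# Added example: rewrite PIX conduit statements as access-list entries.
OPERATORS = {"eq", "lt", "gt", "neq", "range"}

def _take_addr(tokens):
    """Consume one address: 'any', 'host <ip>' or '<ip> <mask>'."""
    if tokens and tokens[0] == "any":
        return ["any"], tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address")
    return tokens[:2], tokens[2:]

def _take_port(tokens):
    """Consume an optional port qualifier such as 'eq 22' or 'range 20 21'."""
    if not tokens or tokens[0] not in OPERATORS:
        return [], tokens
    n = 3 if tokens[0] == "range" else 2
    if len(tokens) < n:
        raise ValueError("incomplete port qualifier")
    return tokens[:n], tokens[n:]

def conduit_to_acl(line, acl_id="100"):
    """Return (access-list line, True if the source is 'any')."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    dst, rest = _take_addr(rest)       # conduit: global (destination) address first
    dst_port, rest = _take_port(rest)
    src, rest = _take_addr(rest)       # ...then the foreign (source) address
    src_port, rest = _take_port(rest)
    if rest and proto != "icmp":       # only ICMP may carry a trailing icmp_type
        raise ValueError(f"unexpected tokens: {rest}")
    # access-list: source first, destination second
    acl = ["access-list", acl_id, action, proto, *src, *src_port, *dst, *dst_port, *rest]
    return " ".join(acl), src == ["any"]

# The page's two conduits plus one constructed line with a documentation-range source.
SAMPLE = [
    "conduit permit icmp any any",
    "conduit permit tcp host 1.1.1.1 eq 22 any",
    "conduit permit tcp host 1.1.1.1 eq 22 203.0.113.0 255.255.255.0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        acl, open_source = conduit_to_acl(line)
        print(acl + ("   ! review: open to any source" if open_source else ""))
    print("access-group 100 in interface outside")
```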
