How to drop unsolicited packets with ZBF?

tresdodi (Level 1)

My goal is to make the WAN interface of my router "stealth" to unsolicited incoming TCP packets. That is, it should simply drop packets without a match in the NAT table instead of replying with ICMP host unreachable. The router is behind my ISP modem and it's NATting between the LAN and WAN. I configured Zone-Based Firewall (ZBF), but a scan of the WAN still sees the ports as closed instead of stealth. I'd greatly appreciate any insights. This is my configuration:

class-map type inspect match-all LAN_TO_WAN_CLASS_MAP
 match access-group 1
!
policy-map type inspect LAN_TO_WAN_POLICY
 class type inspect LAN_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN_POLICY
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.255.255

Accepted Solution

tresdodi (Level 1)

The solution was to create a zone pair between the self zone and the WAN.

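The reply above gives the fix but not the reason, so here is the mechanism and one way to configure it. This is an added example, not the original poster's configuration: the zone-pair, class-map, policy-map and ACL names (WAN_TO_SELF_*, SELF_TO_WAN_*) are my own choices, and the second, self-to-WAN pair assumes an IOS release that supports the inspect action in self-zone policies for TCP, UDP and ICMP. The reason the original configuration still shows "closed" ports is that an unsolicited packet arriving on the WAN interface with no NAT translation is addressed to the router's own WAN IP, which makes it self-zone traffic. ZBF permits traffic between the self zone and any other zone by default, so the IOS TCP stack answers with a RST (or ICMP unreachable for UDP), and the scanner sees "closed" rather than "filtered". A zone-pair from WAN to self with a drop policy makes the router stay silent; the only thing it must still accept is the DHCP server's replies, since the WAN address comes from DHCP.

```cisco
! WAN -> self: pass only DHCP replies to this router's DHCP client, drop the rest
! silently (drop sends no RST and no ICMP unreachable, which is the "stealth" goal).
ip access-list extended WAN_TO_SELF_ACL
 remark DHCP offer/ack from the ISP server (port 67) to our client (port 68)
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all WAN_TO_SELF_CLASS
 match access-group name WAN_TO_SELF_ACL
!
policy-map type inspect WAN_TO_SELF_POLICY
 class type inspect WAN_TO_SELF_CLASS
  pass
 class class-default
  drop log
!
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF_POLICY
!
! self -> WAN (assumed supported on your IOS version): inspect sessions the router
! itself opens (DNS, NTP, DHCP renewals), so their replies get back in through the
! WAN_TO_SELF drop policy. Without this pair, router-originated traffic still
! leaves, but its return packets would be dropped.
class-map type inspect match-any SELF_TO_WAN_CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF_TO_WAN_POLICY
 class type inspect SELF_TO_WAN_CLASS
  inspect
 class class-default
  drop log
!
zone-pair security SELF_TO_WAN source self destination WAN
 service-policy type inspect SELF_TO_WAN_POLICY
```

Two things to check after applying it. First, `show policy-map type inspect zone-pair WAN_TO_SELF` shows the per-class packet and drop counters, so a port scan of the public address from outside should make the class-default drop counter climb while the scan reports "filtered"; `show ip dhcp lease` (or simply watching the WAN address survive a lease renewal) confirms the DHCP pass class is doing its job. Second, anything you use to manage the router from the WAN side (SSH, for example) is now dropped too, so if that is ever needed, add it to the pass or inspect class before applying the policy rather than after.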
