10-22-2019 04:09 PM - edited 10-22-2019 04:12 PM
My goal is to make the WAN interface of my router "stealth" to unsolicited incoming TCP packets, that is, to have it simply drop packets without a match in the NAT table instead of replying with ICMP host unreachable. The router is behind my ISP modem and is NATting between the LAN and WAN. I configured Zone Based Firewall (ZBF), but a scan of the WAN still sees the ports as closed instead of stealth. I'd greatly appreciate any insights. This is my configuration:
class-map type inspect match-all LAN_TO_WAN_CLASS_MAP
 match access-group 1
!
policy-map type inspect LAN_TO_WAN_POLICY
 class type inspect LAN_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN_POLICY
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.255.255
10-26-2019 05:50 PM
The solution was to create a zone pair between the self zone and the WAN.
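The reason the original configuration leaves the ports "closed" rather than "stealth" is that a zone-pair only governs traffic between two zones that are both members of a pair. The WAN interface is in zone WAN, but packets addressed to the router itself terminate in the implicit self zone, and the self zone is exempt from the default deny: with no WAN-to-self zone pair, unsolicited SYNs reach the router's own IP stack and get a normal TCP RST back, which a scanner reports as closed. Adding zone pairs between self and WAN puts that traffic under policy. The following is an added example of what those pairs can look like, not the poster's configuration or the accepted answer's exact commands; the object names (SELF_TO_WAN_*, WAN_TO_SELF_*, WAN_TO_SELF_DHCP_ACL) are assumed, and it assumes an IOS release that supports inspection (rather than only pass/drop) on self-zone pairs.

```cisco
! Added example, not part of the original thread. Object names are assumed.
!
! 1) Traffic the router itself originates out of the WAN interface
!    (DHCP renewals, DNS, NTP, ...). Inspecting it creates session state
!    so the replies are let back in without a matching WAN->self rule.
class-map type inspect match-any SELF_TO_WAN_CLASS_MAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF_TO_WAN_POLICY
 class type inspect SELF_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
! 2) DHCP offers/acks from the ISP can arrive as broadcasts that do not
!    match the inspected session, so allow them explicitly and statelessly.
!    Without this the DHCP lease on Gi0/0 can fail to renew.
ip access-list extended WAN_TO_SELF_DHCP_ACL
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all WAN_TO_SELF_DHCP_CLASS_MAP
 match access-group name WAN_TO_SELF_DHCP_ACL
!
! 3) Everything else arriving on the WAN and addressed to the router is
!    silently dropped: no TCP RST, no ICMP unreachable, so a scanner sees
!    the ports as filtered/stealth. Add "log" to the drop only if you want
!    a syslog line per scan packet.
policy-map type inspect WAN_TO_SELF_POLICY
 class type inspect WAN_TO_SELF_DHCP_CLASS_MAP
  pass
 class class-default
  drop
!
! 4) Bind both directions. "self" is the built-in zone for the router's
!    own traffic and does not need a "zone security" statement.
zone-pair security SELF_TO_WAN source self destination WAN
 service-policy type inspect SELF_TO_WAN_POLICY
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF_POLICY
```

Two things to check after applying it. First, `show policy-map type inspect zone-pair WAN_TO_SELF` should show the drop counter for class-default climbing while an external scan (for example `nmap -sS -Pn <wan-ip>`) reports the ports as filtered instead of closed; if a port still shows closed, the packet is not hitting the WAN-to-self pair. Second, management from the LAN keeps working without a LAN-to-self pair, because self-zone traffic to or from a zone it has no pair with is still permitted by default; that is convenient here, but it also means LAN hosts can reach every service on the router until you add a LAN-to-self policy. The existing LAN_TO_WAN inspection continues to handle return traffic for the NATted LAN hosts and is unaffected by these pairs.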