10-22-2019 04:09 PM - edited 10-22-2019 04:12 PM
My goal is to make the WAN interface of my router "stealth" to unsolicited incoming TCP packets. That is so that it simply drops packets without a match in the NAT table instead of replying with ICMP host unreachable. The router is behind my ISP modem and it's NATting between the LAN and WAN. I configured Zone Based Firewall (ZBF), but a scan of the WAN still sees the ports closed instead of stealth. I'd greatly appreciate any insights. This is my configuration:
! Only one zone-pair is defined (LAN -> WAN). No pair involves the self zone,
! so traffic addressed to the router's own WAN address is permitted by default.
class-map type inspect match-all LAN_TO_WAN_CLASS_MAP
 match access-group 1
!
policy-map type inspect LAN_TO_WAN_POLICY
 class type inspect LAN_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN_POLICY
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 duplex auto
 speed auto
!
ip forward-protocol nd
!
! PAT of ACL 1 sources behind the WAN interface address
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.255.255
10-26-2019 05:50 PM
The solution was to create a zone pair between the self zone and the WAN.
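One way to implement that answer, as an added example that is not the thread's own configuration: a WAN -> self pair whose default class silently drops, plus a self -> WAN pair that inspects router-originated sessions so their replies are still admitted. The names (WAN_TO_SELF_*, SELF_TO_WAN_*, WAN_TO_SELF_ALLOW) are assumptions, and the DHCP pass entry assumes the WAN interface keeps its address via DHCP as in the original config. Whether `match protocol icmp` can be inspected on a self-zone pair depends on the IOS release; if it is not supported, replace it with a pass class for ICMP.

```cisco
! Added example, not the thread's configuration. Names below are assumptions.
!
! DHCP replies for the dhcp-addressed WAN interface arrive as UDP bootps -> bootpc
! and are not tied to an inspected session, so they must be passed explicitly.
ip access-list extended WAN_TO_SELF_ALLOW
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all WAN_TO_SELF_CLASS
 match access-group name WAN_TO_SELF_ALLOW
!
! Everything else from the WAN to the router itself is dropped without a reply.
! Plain "drop" rather than "drop log": an Internet-facing interface is scanned
! constantly and logging every unsolicited packet floods the log.
policy-map type inspect WAN_TO_SELF_POLICY
 class type inspect WAN_TO_SELF_CLASS
  pass
 class class-default
  drop
!
! Sessions the router opens itself (DNS, NTP, ping from the router): inspect them
! so their replies are admitted by session state, not by an open inbound policy.
class-map type inspect match-any SELF_TO_WAN_CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF_TO_WAN_POLICY
 class type inspect SELF_TO_WAN_CLASS
  inspect
 class class-default
  drop
!
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF_POLICY
zone-pair security SELF_TO_WAN source self destination WAN
 service-policy type inspect SELF_TO_WAN_POLICY
```

After applying it, `show zone-pair security` should list both new pairs, and `show policy-map type inspect zone-pair WAN_TO_SELF` shows the drop counter on class-default climbing as unsolicited WAN traffic is discarded. Because no pair is configured between self and LAN, management of the router from the LAN side keeps its default-allow behaviour.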