How to drop unsolicited packets with ZBF?

tresdodi (Level 1)

My goal is to make the WAN interface of my router "stealth" to unsolicited TCP incoming packets. That is so that it simply drops packets without a match in the NAT table instead of replying ICMP host unreachable. The router is behind my ISP modem and it's NATting between the LAN and WAN. I configured Zone Based Firewall (ZBF) but a scan of the WAN still sees the ports closed instead of stealth. I'd greatly appreciate any insights. This is my configuration:

class-map type inspect match-all LAN_TO_WAN_CLASS_MAP
 match access-group 1
!
policy-map type inspect LAN_TO_WAN_POLICY
 class type inspect LAN_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN_POLICY
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.255.255

Accepted Solution

tresdodi (Level 1)

The solution was to create a zone pair between the self zone and the WAN.

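What the accepted solution looks like in IOS ZBF terms, written here as an added example rather than the poster's own configuration: traffic between a zone and the router's self zone is permitted by default, so unsolicited TCP to the WAN address reaches the router's own stack and gets a reply; a WAN-to-self zone pair whose default class is drop discards it silently. The names WAN_TO_SELF_*, SELF_TO_WAN_* and the ACL WAN_TO_SELF_ALLOWED are assumed; the DHCP exception is there because Gi0/0 above gets its address via DHCP and would lose its lease if server replies were dropped.

```cisco
! --- Constructed example: allow only what the WAN is expected to send the router itself ---
ip access-list extended WAN_TO_SELF_ALLOWED
 remark DHCP server -> DHCP client replies for the lease on GigabitEthernet0/0
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all WAN_TO_SELF_CLASS_MAP
 match access-group name WAN_TO_SELF_ALLOWED
!
policy-map type inspect WAN_TO_SELF_POLICY
 class type inspect WAN_TO_SELF_CLASS_MAP
  pass
 class class-default
  drop log
!
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF_POLICY
!
! --- Router-originated sessions (DNS, NTP, pings from the router) still need their replies ---
! Inspecting self-to-WAN creates the session entries that let those replies back in.
class-map type inspect match-any SELF_TO_WAN_CLASS_MAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF_TO_WAN_POLICY
 class type inspect SELF_TO_WAN_CLASS_MAP
  inspect
 class class-default
  drop log
!
zone-pair security SELF_TO_WAN source self destination WAN
 service-policy type inspect SELF_TO_WAN_POLICY
```

After applying it, `show policy-map type inspect zone-pair WAN_TO_SELF` shows the class-default drop counters climbing while an external port scan is running, and a rescan should report the WAN ports as filtered rather than closed. ICMP echo is deliberately not passed in WAN_TO_SELF_ALLOWED; add it only if the address is meant to answer pings.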
