Dropping unsolicited connections


I have a Cisco 1760 router which has port forwarding for ports 25, 80 and 443 for my web services. So if, let's say, I want to open a connection on port 21 of the router, it should not be allowed. The router sends a "connection refused" packet.

What I want to do is reproduce the DROP behavior of iptables. If I open a connection on port 21, the router should not respond at all and drop the packet.

How can I achieve that?

interface FastEthernet0/0
ip address x.x.x.89
no ip unreachables
ip nat outside
ip virtual-reassembly
speed auto
1 Solution
Nayyar HH (CCIE RS), Network Architect, Commented:
That is part of the TCP/IP mode of operation. If the requested service is unavailable, a TCP RESET will be sent to the source in response to the SYN.

Try using local-policy routing to send this type of traffic to null0: (drop packet)
alex3948 (Author) Commented:
I did the command:

# ip local policy route-map null0

Still same result
Ernie Beek (Expert) Commented:
I see you have no access list on your outside interface?

Try adding this:
access-list 100 permit tcp any host x.x.x.89 eq 25
access-list 100 permit tcp any host x.x.x.89 eq 80
access-list 100 permit tcp any host x.x.x.89 eq 443
access-list 100 deny ip any any

interface FastEthernet0/0
ip access-group 100 in

I also took the liberty of hiding your public IP.
alex3948 (Author) Commented:
Works like a charm, thanks!
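
A way to check the result of the ACL above from a host outside the router, added here as an example and not part of the original thread: it classifies each port as open (SYN/ACK), refused (RST, the behaviour the question starts with) or dropped (no reply before the timeout). The names `probe`, `audit` and `EXPECTED` and the loopback demo are assumptions made for illustration.

```python
import errno
import socket


def probe(host, port, timeout=3.0):
    """Classify how host:port answers a TCP connection attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # SYN/ACK received: permitted and a service answers
    except ConnectionRefusedError:
        return "refused"      # RST received: the "connection refused" case
    except socket.timeout:
        return "dropped"      # no reply at all (packet loss looks the same)
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # ICMP unreachable came back, or no local route
        raise
    finally:
        s.close()


def audit(host, expected, timeout=3.0):
    """Return {port: (observed, expected)} for every port that deviates."""
    mismatches = {}
    for port, want in expected.items():
        got = probe(host, port, timeout)
        if got != want:
            mismatches[port] = (got, want)
    return mismatches


# Policy implied by access-list 100 in the thread: 25, 80 and 443 are
# forwarded, everything else (port 21 in the question) gets no answer.
EXPECTED = {25: "open", 80: "open", 443: "open", 21: "dropped"}

if __name__ == "__main__":
    # Constructed offline demo on loopback: one listener, one closed port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    # The closed port answers with RST, so it is reported as a mismatch.
    print(audit("127.0.0.1", {srv.getsockname()[1]: "open", closed: "dropped"}, 1.0))
    srv.close()
```

Run from a host on the outside of FastEthernet0/0, `audit("<router outside address>", EXPECTED)` returns an empty dict once the ACL behaves as intended.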
