Dropping unsollicited connections

alex3948 used Ask the Experts™

I have a cisco 1760 router which has port forwarding for ports 25, 80 and 443 for my web services. So if, let's say, I want to open a connection on port 21 of the router, it should not be allowed. The router sends a "connection refused" packet.

What I want to do, is reproduce the DROP behavior of iptables. If I open a connection on port 21, the router should not respond at all and drop the packet.

How can I achieve that?

interface FastEthernet0/0
ip address x.x.x.89
no ip unreachables
ip nat outside
ip virtual-reassembly
speed auto
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

That is part of the TCP/IP mode of operation - If the requested service in unavailable a TCP RESET will be sent to the source in response to the SYN

Try using local-policy routing to send this type of traffic to null0: (drop packet)


I did the command:

# ip local policy route-map null0

Still same result
Senior infrastructure engineer
Top Expert 2012
I see you have no access list on your outside interface?

Try adding this:
access-list 100 permit tcp any host x.x.x.89 eq 25
access-list 100 permit tcp any host x.x.x.89 eq 80
access-list 100 permit tcp any host x.x.x.89 eq 443
access-list 100 deny ip any any

interface FastEthernet0/0
ip access-group 100 in

I also took the liberty of hiding your public ip.


Works like a charm, thanks !

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial