Dropping unsolicited connections

Posted on 2012-04-04
Last Modified: 2012-04-05
Hi!

I have a Cisco 1760 router which has port forwarding for ports 25, 80 and 443 for my web services. So if, let's say, I want to open a connection on port 21 of the router, it should not be allowed. The router sends a "connection refused" packet.

What I want to do, is reproduce the DROP behavior of iptables. If I open a connection on port 21, the router should not respond at all and drop the packet.

How can I achieve that?

interface FastEthernet0/0
ip address x.x.x.89 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
Question by:alex3948
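The difference the question turns on is what the probing host sees: a SYN answered with RST (the "connection refused" the 1760 was sending, the same thing iptables REJECT with tcp-reset produces) versus no answer at all (iptables DROP). The Python script below is an added example, not code from the thread. It classifies a TCP port as open, closed (RST received) or filtered (no reply before the timeout), so it can be pointed at the router's public address before and after a configuration change to confirm that port 21 has moved from "closed" to "filtered". Because a dropping target is not available offline, `demo_local` exercises the classifier against a constructed loopback listener and a constructed port nobody listens on; the target host, port list and timeout are assumptions.

```python
import errno
import socket
import sys

# Outcome of a single TCP probe, seen from the probing host:
#   "open"     SYN answered with SYN/ACK: a listener or a port forward accepted it
#   "closed"   SYN answered with RST: "connection refused" (iptables REJECT, or the
#              1760 before an ACL was applied)
#   "filtered" nothing came back before the timeout (iptables DROP, or an ACL deny
#              on a router configured with 'no ip unreachables')
def classify_port(host, port, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        # Errors the local stack raises for reasons other than an RST, e.g.
        # EHOSTUNREACH/ENETUNREACH when an ICMP unreachable arrives or no route exists.
        return "error:%s" % errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def probe(host, ports, timeout=2.0):
    """Classify each port on host; returns {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}

def _unused_loopback_port():
    # Bind to port 0 so the kernel picks a free port, then release it so that a
    # connect() to it is refused with RST. Constructed stand-in for a 'closed' target.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo_local():
    """Run the classifier against constructed loopback targets (no router needed):
    one listening socket ('open') and one port nobody listens on ('closed').
    A 'filtered' result cannot be produced on loopback; point probe() at a real
    host behind a dropping ACL to see it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        open_port = srv.getsockname()[1]
        return {
            "listening": classify_port("127.0.0.1", open_port),
            "not_listening": classify_port("127.0.0.1", _unused_loopback_port()),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    # Assumed usage: python probe.py <router public address>. Port 21 should read
    # "closed" while the router answers with RST and "filtered" once it drops silently.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in probe(target, [21, 25, 80, 443]).items():
        print("%s:%d %s" % (target, port, state))
    print(demo_local())
```

Run it from outside the router's LAN; from inside, the NAT and the outside ACL are not in the path and the results say nothing about what the Internet sees.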
Expert Comment

by:Nayyar HH (CCIE RS)
ID: 37808614
That is part of the TCP/IP mode of operation - if the requested service is unavailable, a TCP RESET will be sent to the source in response to the SYN.

Try using local-policy routing to send this type of traffic to null0: (drop packet)

Author Comment

by:alex3948
ID: 37809021
I did the command:

# ip local policy route-map null0

Still the same result.
Accepted Solution

by: Ernie Beek (earned 2000 total points)
ID: 37810166
I see you have no access list on your outside interface?

Try adding this:
access-list 100 permit tcp any host x.x.x.89 eq 25
access-list 100 permit tcp any host x.x.x.89 eq 80
access-list 100 permit tcp any host x.x.x.89 eq 443
access-list 100 deny ip any any

interface FastEthernet0/0
ip access-group 100 in


I also took the liberty of hiding your public IP.
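Why the ACL produces DROP behaviour where the earlier setup produced REJECT: a packet denied by an inbound ACL is discarded by IOS before it reaches the TCP stack that would have answered with RST, and because the interface already carries `no ip unreachables` the router also does not send the ICMP administratively-prohibited message it would otherwise generate for an ACL deny, so the client sees nothing. The evaluator below is an added example, not IOS code and not anything posted in the thread. It applies the accepted-solution ACL (first match wins, implicit deny at the end) to constructed sample packets; 203.0.113.89 stands in for the hidden x.x.x.89 and the 198.51.100.x addresses are constructed remote peers. It also goes one step beyond the thread: an inbound `deny ip any any` on the outside interface denies replies to connections opened outbound from the LAN through the NAT (the `reply_to_lan_browser` sample), and `ACL_WITH_ESTABLISHED` shows the stateless IOS `established` keyword letting those replies through while a fresh SYN to port 21 is still denied.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the accepted-solution ACL. The evaluator understands only
# the subset of Cisco IOS extended ACL syntax used on this page plus 'established':
#   access-list N <permit|deny> <proto> <src> [eq P] <dst> [eq P] [established]
# where <src>/<dst> is 'any' or 'host A.B.C.D'. 203.0.113.89 is a documentation
# address standing in for the router's hidden x.x.x.89.
ACL_POSTED = [
    "access-list 100 permit tcp any host 203.0.113.89 eq 25",
    "access-list 100 permit tcp any host 203.0.113.89 eq 80",
    "access-list 100 permit tcp any host 203.0.113.89 eq 443",
    "access-list 100 deny ip any any",
]

# Variant (assumption, not from the page): also admit replies to connections the
# LAN opened outbound. 'established' matches segments with ACK or RST set.
ACL_WITH_ESTABLISHED = ACL_POSTED[:3] + [
    "access-list 100 permit tcp any host 203.0.113.89 established",
] + ACL_POSTED[3:]

Packet = namedtuple("Packet", "proto src sport dst dport flags")

def _parse_addr(tokens):
    """Consume 'any' or 'host X'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = ipaddress.ip_address(tokens[1])
        return (lambda ip, want=want: ipaddress.ip_address(ip) == want), tokens[2:]
    raise ValueError("unsupported address spec: %r" % tokens[0])

def _parse_port(tokens):
    """Consume an optional 'eq N'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an ACL line: %r" % line)
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    established = bool(rest) and rest[0] == "established"
    return {"text": line, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "established": established}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:   # 'ip' covers every protocol
        return False
    if not ace["src"](pkt.src) or not ace["dst"](pkt.dst):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["established"] and not (pkt.flags & {"ACK", "RST"}):  # a bare SYN never matches
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny (no ACE matched)"

ROUTER = "203.0.113.89"
# Constructed inbound packets as seen on FastEthernet0/0 (ACL is checked before NAT).
SAMPLES = {
    "web_syn": Packet("tcp", "198.51.100.7", 40001, ROUTER, 443, frozenset({"SYN"})),
    "ftp_syn": Packet("tcp", "198.51.100.7", 40002, ROUTER, 21, frozenset({"SYN"})),
    # Reply from a remote HTTPS server to a browser on the LAN, after NAT gave it port 51000.
    "reply_to_lan_browser": Packet("tcp", "198.51.100.20", 443, ROUTER, 51000, frozenset({"SYN", "ACK"})),
    "ping": Packet("icmp", "198.51.100.7", None, ROUTER, None, frozenset()),
}

def decisions(acl_lines):
    return {name: evaluate(acl_lines, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("posted ACL", ACL_POSTED), ("with established", ACL_WITH_ESTABLISHED)):
        print(label, decisions(acl))
```

With the ACL as posted, the FTP SYN is denied (and silently discarded, which is the behaviour asked for), but so is the HTTPS reply to a LAN browser and every inbound ICMP packet. `established` is a stateless match on the ACK/RST bits, so anything with ACK set passes; where real session tracking is wanted, IOS offers reflexive ACLs or CBAC (`ip inspect`), but the order of evaluation shown here is the same.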

Author Comment

by:alex3948
ID: 37814311
Works like a charm, thanks!