Totally Stealthy Router

In response to the post detailing router response to port scans, one of my readers asked an interesting question:
“I was wondering if there was a way to prevent the router from sending those TCP RST packets and administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets, period, without replying back in any way, shape, form, or fashion.”
Here's how you do it:
  • No TCP RST packets should be sent in response to port scans. An inbound access list dropping all IP packets achieves that.
  • Outbound traffic, both from the protected LAN and from the router itself (ping, telnet, DNS, NTP ...), should still be allowed. Configure ip inspect with the router-traffic option; the inspection creates temporary openings in the inbound access list for the return traffic of those sessions.
  • Disable generation of ICMP unreachables with the no ip unreachables interface configuration command.
The relevant parts of router configuration are included below:
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
interface FastEthernet0/0
 ip address a.b.c.d x.y.z.w
 ip access-group Internet in
 no ip unreachables
 ip inspect Internet out
!
ip access-list extended Internet
 deny ip any any
  • The sample router configuration is taken from a SOHO router doing PAT on the public interface. You might have to adjust the Internet access-list to your needs.
  • This article is part of the You've asked for it series.
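If you want to verify that a saved configuration actually has all three properties listed above (inbound deny-all access list, no ip unreachables, outbound inspection with router-traffic), here is an added Python example; it is not part of the original post and not a Cisco tool. It parses IOS configuration text into interface blocks, named access lists and inspect rules, and reports what is missing on a given interface. The two sample configurations are constructed (addresses are documentation placeholders). Accepting the ip protocol keyword as covering tcp, udp and icmp follows the reader's tip in the comments and is an assumption about your IOS release.

```python
"""Audit a Cisco IOS configuration for the 'stealthy router' properties.

Added example, not code from the original post. Checks one interface for:
  1. an inbound access-group whose ACL drops everything (no permit entries),
  2. 'no ip unreachables',
  3. an outbound 'ip inspect' whose rules carry 'router-traffic' for
     tcp/udp/icmp (or the generic 'ip' protocol; an assumption, see lead-in).
"""
import re
from collections import defaultdict

# Constructed sample: the configuration from the post, with placeholder addresses.
STEALTHY_CONFIG = """\
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 ip access-group Internet in
 no ip unreachables
 ip inspect Internet out
!
ip access-list extended Internet
 deny ip any any
"""

# Constructed sample: a typical 'almost' configuration that still answers scans.
LEAKY_CONFIG = """\
ip inspect name Internet tcp
!
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 ip access-group Internet in
 ip inspect Internet out
!
ip access-list extended Internet
 permit tcp any any eq 22
 deny ip any any
"""


def parse_config(text):
    """Split IOS config text into interfaces, named ACLs and inspect rules."""
    interfaces = {}                 # interface name -> list of subcommands
    acls = defaultdict(list)        # ACL name -> list of entries (seq numbers stripped)
    inspect = defaultdict(list)     # inspect rule name -> list of (protocol, flags)
    section = None                  # ("intf", name) or ("acl", name) while in a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None          # '!' separates top-level sections in IOS
            continue
        if not line.startswith(" "):
            section = None
            m = re.match(r"interface (\S+)", line)
            if m:
                section = ("intf", m.group(1))
                interfaces[m.group(1)] = []
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
            if m:
                section = ("acl", m.group(1))
                acls[m.group(1)]    # make sure an empty ACL still shows up
                continue
            m = re.match(r"ip inspect name (\S+) (\S+)(.*)", line)
            if m:
                inspect[m.group(1)].append((m.group(2), m.group(3).split()))
            continue
        # indented line: belongs to the current interface or ACL block
        entry = line.strip()
        if section and section[0] == "intf":
            interfaces[section[1]].append(entry)
        elif section and section[0] == "acl":
            acls[section[1]].append(re.sub(r"^\d+\s+", "", entry))
    return interfaces, acls, inspect


def audit_interface(cfg_text, intf_name):
    """Return a list of findings for one interface; an empty list means stealthy."""
    interfaces, acls, inspect = parse_config(cfg_text)
    lines = interfaces.get(intf_name)
    if lines is None:
        return [f"{intf_name}: interface not found"]
    findings = []

    # 1. Inbound ACL: must exist and must not let anything in.
    acl_in = next((l.split()[2] for l in lines
                   if l.startswith("ip access-group ") and l.endswith(" in")), None)
    if acl_in is None:
        findings.append(f"{intf_name}: no inbound access-group")
    else:
        entries = acls.get(acl_in, [])
        if any(e.startswith("permit") for e in entries):
            findings.append(f"{intf_name}: ACL {acl_in} permits inbound traffic")
        if not any(e.startswith("deny ip any any") for e in entries):
            findings.append(f"{intf_name}: ACL {acl_in} lacks 'deny ip any any'")

    # 2. ICMP unreachables must be switched off on the interface.
    if "no ip unreachables" not in lines:
        findings.append(f"{intf_name}: ICMP unreachables still generated")

    # 3. Outbound inspection with router-traffic, so replies to the router's
    #    own sessions (and the LAN's) get through the deny-all inbound ACL.
    insp = next((l.split()[2] for l in lines
                 if l.startswith("ip inspect ") and l.endswith(" out")), None)
    if insp is None:
        findings.append(f"{intf_name}: no outbound 'ip inspect'")
    else:
        covered = {proto for proto, flags in inspect.get(insp, [])
                   if "router-traffic" in flags}
        if "ip" not in covered:     # assumption: 'ip' covers tcp/udp/icmp
            for proto in ("tcp", "udp", "icmp"):
                if proto not in covered:
                    findings.append(
                        f"{intf_name}: inspect rule {insp} lacks '{proto} router-traffic'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("stealthy", STEALTHY_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(name, audit_interface(cfg, "FastEthernet0/0") or "OK")
```

Feed it the output of show running-config (for example via audit_interface(open("router.cfg").read(), "FastEthernet0/0")) after every change to the public interface; the leaky sample shows how a single permit entry, a forgotten no ip unreachables, or inspect rules without router-traffic each surface as a separate finding.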

  1. First off, I'd like to say your blog rocks!!! I love it, thank you so much.


    I'd like to point out that I've been messing with the inspect rules -- and instead of using tcp, udp and icmp statements, the 'ip' does all three. Just thought you could use that tidbit here. I also played with allowing specific ports before the inspect, it keeps those from being generated on the other side. (I have explicit allows in for a port both udp and tcp that I thought would be redundant in the inspect especially since there's tons of connections on those ports.)

    The way you implemented it gives me a great idea on keeping things simple too. I had three lists set up where you have one and I think it'll trim down my fw. Thanks again!!!