thorpez
asked on
How to open ports on Cisco 2811 for Xbox Live online gaming
I have created a second VLAN, using a T1 internet connection for patrons to use. I have successfully configured the second VLAN to dynamically assign IP addresses to connected devices. When connecting a computer, everything works correctly and the patron is able to browse the internet successfully. When connecting an Xbox 360, the device fails the Xbox Live (online gaming) connection test, making it impossible for patrons to play online.
When the Xboxes are connected to the original VLAN they are able to play online fine. I have tried to configure the two connections as similarly as possible. One thing I have been reading about and want to try is to successfully port forward the following:
UDP/TCP 3074
UDP 88
Any other ideas of what may be going on here?
Beeman#sh run
Building configuration...
Current configuration : 3652 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Beeman
!
boot-start-marker
boot system flash:c2800nm-entbasek9-mz.124-23.bin
boot-end-marker
!
enable secret
!
no aaa new-model
!
ip nbar pdlm flash:bittorrent.pdlm
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Beeman
network 12.4.0.0 255.255.255.0
default-router 12.4.0.2
dns-server 66.xx.xx.xx 4.2.2.2
!
ip dhcp pool Server3
host 12.4.0.1 255.255.255.0
client-identifier 0100.1837.01c6.61
default-router 12.4.0.2
dns-server 66.xx.xxx.xx 4.2.2.2
!
ip dhcp pool gaming
network 172.25.1.0 255.255.255.0
default-router 172.25.1.2
dns-server 172.25.1.2
!
!
ip name-server 66.xx.xx.xx
ip name-server 205.xx.xx.xx
ip name-server 72.xx.xx.xx
ip name-server 72.xx.xx.xx
!
!
!
!
!
!
class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol bittorrent
match protocol edonkey
match protocol winmx
class-map match-all ipclass2
match access-group 102
class-map match-all ipclass1
match access-group 101
!
!
policy-map outbound
class ipclass2
police cir 768000 bc 31250
conform-action transmit
exceed-action drop
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
policy-map inbound
class ipclass1
police cir 7500000 bc 62500
conform-action transmit
exceed-action drop
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
policy-map block-p2p
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
!
!
!
interface FastEthernet0/0
ip address 66.xx.xx.xx 255.255.255.248
ip nat outside
duplex auto
speed auto
fair-queue
service-policy input inbound
service-policy output outbound
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 172.25.1.2 255.255.255.0
ip nat inside
ip policy route-map NEXTHOP2
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 12.4.0.2 255.255.255.0
ip nat inside
ip policy route-map NEXTHOP1
service-policy input inbound
!
interface Serial0/0/0
ip address 72.xx.xx.xx 255.255.255.248
ip nat outside
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list 103 interface FastEthernet0/0 overload
ip nat inside source list 104 interface Serial0/0/0 overload
!
access-list 101 permit ip any host 66.xx.xx.xx
access-list 102 permit ip host 66.xx.xx.xx any
access-list 103 permit ip 12.4.0.0 0.0.0.255 any
access-list 104 permit ip 172.25.1.0 0.0.0.255 any
access-list 105 permit ip 12.4.0.0 0.0.0.255 any
access-list 106 permit ip 172.25.1.0 0.0.0.255 any
route-map NEXTHOP1 permit 10
match ip address 105
set ip next-hop 66.xx.xx.xx
!
route-map NEXTHOP2 permit 10
match ip address 106
set default interface Serial0/0/0
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
Beeman#
ASKER
Gotcha. I'll give it a try tomorrow. I'll be @ work in ~12 hours.
Any word?
ASKER
I've made an update. Though this is at a different facility, the access-list structure will be the same for all. The issue I've seen thus far is an MTU error when trying to test Xbox Live.
Best part thus far is this seems to effectively disable Limewire from connecting. Just need to make sure all other services are functional.
Thanks.
LIProuter#sh run
Building configuration...
Current configuration : 4656 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LIProuter
!
boot-start-marker
boot system flash c2800nm-entbasek9-mz.124-23.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret
!
no aaa new-model
!
ip nbar pdlm bittorrent.pdlm
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool LIP
network 12.2.0.0 255.255.255.0
default-router 12.2.0.2
dns-server 66.xx.xx.xx 205.xx.xx.xx
!
ip dhcp pool SERVER1
host 12.2.0.1 255.255.255.0
client-identifier 0100.3048.8f7a.bf
default-router 12.2.0.2
dns-server 66.xx.xx.xx 205.xx.xx.xx
!
!
ip domain name yourdomain.com
ip name-server 66.xx.xx.xx
ip name-server 205.xx.xx.xx
!
!
!
username enable privilege 15 secret
!
!
!
class-map match-any p2p
match protocol fasttrack
match protocol edonkey
match protocol kazaa2
match protocol winmx
match protocol bittorrent
match protocol gnutella
match protocol http url "*/.hash*"
match protocol http url "*/.message*"
match protocol http url "*kmdstart*"
class-map match-all ipclass2
match access-group 102
class-map match-all ipclass1
match access-group 101
!
!
policy-map outbound
class ipclass2
police cir 768000 bc 38400
conform-action transmit
exceed-action drop
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
class class-default
policy-map inbound
class ipclass1
police cir 7680000 bc 125000
conform-action transmit
exceed-action drop
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
policy-map block-p2p
class p2p
police cir 8000 bc 1000
conform-action transmit
exceed-action drop
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 66.xx.xx.xx 255.255.255.240
ip access-group 104 in
ip nat outside
duplex auto
speed auto
fair-queue
service-policy input inbound
service-policy output outbound
!
interface FastEthernet0/1
ip address 12.2.0.2 255.255.255.0
ip nat inside
duplex auto
speed auto
fair-queue
service-policy input inbound
service-policy output outbound
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx <<ISP Default Gateway>>
ip dns server
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/0 overload
!
access-list 101 permit ip any host xx.xx <<ISP Default Gateway>>
access-list 102 permit ip host xx.xx <<ISP Default Gateway>> any
access-list 103 permit ip 12.2.0.0 0.0.0.255 any
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any eq 443 any
access-list 104 permit tcp any eq 6112 any
access-list 104 permit tcp any eq 3074 any
access-list 104 permit tcp any eq 3724 any
access-list 104 permit udp any eq 3724 any
access-list 104 permit udp any eq 3074 any
access-list 104 permit udp any eq 88 any
access-list 104 permit udp any eq 6112 any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq 443
access-list 104 permit tcp any any eq 6112
access-list 104 permit tcp any any eq 3074
access-list 104 permit tcp any any eq 3724
access-list 104 permit udp any any eq 3724
access-list 104 permit udp any any eq 3074
access-list 104 permit udp any any eq 88
access-list 104 permit udp any any eq 6112
access-list 104 permit icmp any any
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
LIProuter#
LIProuter#sh ip access-list 104
Extended IP access list 104
10 permit tcp any eq www any (84786 matches)
20 permit tcp any eq 443 any (1958 matches)
30 permit tcp any eq 6112 any
40 permit tcp any eq 3074 any
50 permit tcp any eq 3724 any
60 permit udp any eq 3724 any
70 permit udp any eq 3074 any (9706 matches)
80 permit udp any eq 88 any
90 permit udp any eq 6112 any (3 matches)
100 permit udp any eq domain any (2719 matches)
110 permit tcp any any eq www (6 matches)
120 permit tcp any any eq 443 (3 matches)
130 permit tcp any any eq 6112
140 permit tcp any any eq 3074
150 permit tcp any any eq 3724
160 permit udp any any eq 3724
170 permit udp any any eq 3074
180 permit udp any any eq 88
190 permit udp any any eq 6112
200 permit icmp any any (19 matches)
Try adding this to inspect outgoing tcp traffic to allow it back in.
ip inspect name mysite tcp
!
interface FastEthernet0/1
ip inspect mysite in
Here is a link for configuring the IOS CBAC firewall
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Oh, and don't forget UDP:
ip inspect name mysite udp
ASKER
IP inspect is not a recognized command for this router. Any ideas? Things seem to be functioning OK at the moment. What's the purpose of this additional command?
It sets up more detailed inspection of traffic flows as they go out, to allow them back in. It allows for better security and an easier setup of a stateful firewall. But the reason it does not take it is that your IOS feature set doesn't support the command.
If it works let it be.
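As an added illustration (not part of this thread and not Cisco's code): a small Python model of why the stateless ACL 104 posted above and the suggested `ip inspect` treat inbound traffic on the outside interface differently. The hosts, the sample Xbox Live flow and the unsolicited packet are constructed, and NAT is ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# ACL 104 from the posted config, reduced to (proto, src_port, dst_port);
# None means "any". Only the port rules matter for this comparison.
ACL_104 = [
    ("tcp", 80, None), ("tcp", 443, None), ("tcp", 6112, None), ("tcp", 3074, None),
    ("udp", 3074, None), ("udp", 88, None), ("udp", 6112, None), ("udp", 53, None),
    ("tcp", None, 80), ("tcp", None, 443), ("tcp", None, 3074), ("udp", None, 3074),
    ("udp", None, 88),
]
def acl_permits(pkt, acl=ACL_104):
    """Stateless first-match ACL with the implicit deny at the end."""
    for proto, sport, dport in acl:
        if pkt.proto == proto and sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return True
    return False

class Inspector:
    """CBAC-style model: remember outbound flows, admit only their replies."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def permits_inbound(self, pkt):
        # A reply is the outbound tuple with source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

# Constructed traffic (documentation-range outside addresses, NAT ignored).
XBOX_OUT = Pkt("udp", "12.2.0.50", 3074, "198.51.100.10", 3074)   # Xbox -> Xbox Live
XBOX_REPLY = Pkt("udp", "198.51.100.10", 3074, "12.2.0.50", 3074) # the answer
UNSOLICITED = Pkt("tcp", "203.0.113.7", 80, "12.2.0.1", 5000)     # nobody asked for this

def compare():
    insp = Inspector()
    insp.outbound(XBOX_OUT)
    return {
        "acl_reply": acl_permits(XBOX_REPLY),            # True: reply gets in
        "acl_unsolicited": acl_permits(UNSOLICITED),     # True: source port 80 is enough
        "inspect_reply": insp.permits_inbound(XBOX_REPLY),        # True
        "inspect_unsolicited": insp.permits_inbound(UNSOLICITED), # False
    }
```

The ACL lets the game reply through, but it also admits any inbound packet that merely carries a permitted source port; the inspect model only admits what an inside host actually initiated.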
ASKER
Thanks for the help!
ASKER
Is there any way to open these ports to a DHCP pool?