
How to open ports on Cisco 2811 for Xbox Live online gaming

Posted on 2008-11-17
Last Modified: 2013-11-10
I have created a second VLAN, using a T1 internet connection for patrons to use. I have successfully configured the second VLAN to dynamically assign IP addresses to connected devices. When connecting a computer, everything works correctly and the patron is able to browse the internet successfully. When connecting an Xbox 360, the device fails the Xbox Live (online gaming) connection test, making it impossible for patrons to play online.

When the Xboxes are connected to the original VLAN they are able to play online fine. I have tried to configure the two connections as similarly as possible. One thing I have been reading about and want to try is to successfully port forward the following:
UDP/TCP 3074
UDP 88

Any other ideas of what may be going on here?
Beeman#sh run
Building configuration...
 
Current configuration : 3652 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Beeman
!
boot-start-marker
boot system flash:c2800nm-entbasek9-mz.124-23.bin
boot-end-marker
!
enable secret 
!
no aaa new-model
!
ip nbar pdlm flash:bittorrent.pdlm
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Beeman
   network 12.4.0.0 255.255.255.0
   default-router 12.4.0.2
   dns-server 66.xx.xx.xx 4.2.2.2
!
ip dhcp pool Server3
   host 12.4.0.1 255.255.255.0
   client-identifier 0100.1837.01c6.61
   default-router 12.4.0.2
   dns-server 66.xx.xxx.xx 4.2.2.2
!
ip dhcp pool gaming
   network 172.25.1.0 255.255.255.0
   default-router 172.25.1.2
   dns-server 172.25.1.2
!
!
ip name-server 66.xx.xx.xx
ip name-server 205xx.xx.xx
ip name-server 72.xx.xx.xx
ip name-server 72.xx.xx.xx
!
!
!
!
!
!
class-map match-any p2p
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol bittorrent
 match protocol edonkey
 match protocol winmx
class-map match-all ipclass2
 match access-group 102
class-map match-all ipclass1
 match access-group 101
!
!
policy-map outbound
 class ipclass2
   police cir 768000 bc 31250
     conform-action transmit
     exceed-action drop
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
policy-map inbound
 class ipclass1
   police cir 7500000 bc 62500
     conform-action transmit
     exceed-action drop
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
policy-map block-p2p
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
!
!
!
interface FastEthernet0/0
 ip address 66.xx.xx.xx 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 fair-queue
 service-policy input inbound
 service-policy output outbound
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.25.1.2 255.255.255.0
 ip nat inside
 ip policy route-map NEXTHOP2
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 12.4.0.2 255.255.255.0
 ip nat inside
 ip policy route-map NEXTHOP1
 service-policy input inbound
!
interface Serial0/0/0
 ip address 72.xx.xx.xx 255.255.255.248
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list 103 interface FastEthernet0/0 overload
ip nat inside source list 104 interface Serial0/0/0 overload
 
!
access-list 101 permit ip any host 66.xx.xx.xx
access-list 102 permit ip host 66.xx.xx.xx any
access-list 103 permit ip 12.4.0.0 0.0.0.255 any
access-list 104 permit ip 172.25.1.0 0.0.0.255 any
access-list 105 permit ip 12.4.0.0 0.0.0.255 any
access-list 106 permit ip 172.25.1.0 0.0.0.255 any
 
route-map NEXTHOP1 permit 10
 match ip address 105
 set ip next-hop 66.xx.xx.xx
!
route-map NEXTHOP2 permit 10
 match ip address 106
 set default interface Serial0/0/0
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end
 
Beeman#


Question by:thorpez
11 Comments
 
Accepted Solution
by: bkepford (earned 1500 total points)
ID: 22990155
Your problem is that you have no security on the router and your NAT is set up correctly, so the ports for Xbox Live (UDP 88, UDP 3074, TCP 3074) are not being blocked. If it worked on the other Internet connection with your configuration, it should work on the T1.
You may have a problem with your DHCP setup. I noticed you don't have any excludes and you started your IP range at 172.25.1.2. You may have a duplicate IP causing a problem if you have any static IP addresses. Usually people will exclude the first 50 IPs if they can for administrative purposes:
ip dhcp excluded-address 172.25.1.0 172.25.1.49
Validate your settings on your XBox. Secondly check with your provider to make sure they do not block anything.
And since you asked here is the setup for port forwarding
ip nat inside source static tcp <ip address of Xbox> 3074 <external IP or interface> 3074 extendable
ip nat inside source static udp <ip address of Xbox> 3074 <external IP or interface> 3074 extendable
ip nat inside source static udp <ip address of Xbox> 88 <external IP or interface> 88 extendable

 

Author Comment

by:thorpez
ID: 22991391
What I was hoping to avoid was obtaining the MAC for each device (Xbox) connected to this VLAN.

Is there any way to open these ports to a DHCP pool?
 
Assisted Solution
by: bkepford (earned 1500 total points)
ID: 22991416
What I am saying is that all your ports are open. You aren't blocking anything. Port forwarding is a one-to-one thing, so you can't forward the ports.
Did you do the exclude command and then reload the Xbox and see if that fixes it?
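The distinction bkepford draws between the overload (PAT) translation already in the configuration and a static port forward can be made concrete with a small model. The following Python is an added illustration for this page, not configuration or code from either poster. Addresses are constructed sample values (RFC 5737 documentation ranges for the outside, the thread's 172.25.1.0/24 gaming pool for the inside), and `NatRouter`, its allocator and its method names are simplifications (real IOS PAT tries to keep the original source port). It shows why unsolicited inbound UDP 3074 is dropped under `ip nat inside source list ... interface ... overload`, why a `static udp ... 3074 ... 3074 extendable` entry fixes that for exactly one console, and why a second console cannot be given the same external port.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Simplified model of IOS NAT: PAT (overload) plus optional static port forwards."""
    outside_ip: str
    statics: dict = field(default_factory=dict)   # (proto, ext_port) -> (inside_ip, inside_port)
    dynamic: dict = field(default_factory=dict)   # (proto, inside_ip, inside_port) -> ext_port
    reverse: dict = field(default_factory=dict)   # (proto, ext_port) -> (inside_ip, inside_port)
    next_port: int = 1024                          # toy allocator; real PAT prefers the original port

    def add_static(self, proto: str, inside_ip: str, inside_port: int, ext_port: int) -> None:
        """ip nat inside source static <proto> <inside_ip> <inside_port> <outside_ip> <ext_port> extendable"""
        key = (proto, ext_port)
        if key in self.statics:
            raise ValueError(f"{proto}/{ext_port} is already forwarded to {self.statics[key][0]}")
        self.statics[key] = (inside_ip, inside_port)

    def _allocate(self, proto: str) -> int:
        # Skip external ports already owned by a static or dynamic entry.
        while (proto, self.next_port) in self.statics or (proto, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: a host with a static entry keeps its port; others get a PAT entry."""
        for (proto, ext_port), target in self.statics.items():
            if (proto, *target) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(pkt.proto, self.outside_ip, ext_port, pkt.dst, pkt.dport)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.dynamic:
            ext_port = self._allocate(pkt.proto)
            self.dynamic[key] = ext_port
            self.reverse[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, self.dynamic[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translate if a static or dynamic entry exists, else None (dropped).
        To a console, the None case is what the Xbox Live test reports as a strict/blocked NAT."""
        if pkt.dst != self.outside_ip:
            return None
        key = (pkt.proto, pkt.dport)
        target = self.statics.get(key) or self.reverse.get(key)
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)


def demo() -> dict:
    # Constructed sample addresses: two patrons in the 'gaming' pool, a peer, the T1 outside address.
    xbox_a, xbox_b = "172.25.1.10", "172.25.1.11"
    peer, other_peer = "203.0.113.5", "203.0.113.9"
    r = NatRouter(outside_ip="198.51.100.1")
    results = {}

    # 1. Nobody has talked out yet: inbound UDP 3074 has no translation and is dropped.
    results["unsolicited_dropped"] = r.inbound(Packet("udp", peer, 3074, r.outside_ip, 3074)) is None

    # 2. Xbox A sends first; PAT creates an entry and the peer's reply is translated back.
    out = r.outbound(Packet("udp", xbox_a, 3074, peer, 3074))
    back = r.inbound(Packet("udp", peer, 3074, r.outside_ip, out.sport))
    results["return_traffic_ok"] = back is not None and (back.dst, back.dport) == (xbox_a, 3074)

    # 3. A different peer aiming at the well-known port still finds no entry.
    results["other_peer_dropped"] = r.inbound(Packet("udp", other_peer, 3074, r.outside_ip, 3074)) is None

    # 4. Static forward for Xbox A: now UDP 3074 from anyone reaches it.
    r.add_static("udp", xbox_a, 3074, 3074)
    fwd = r.inbound(Packet("udp", other_peer, 3074, r.outside_ip, 3074))
    results["static_forward_ok"] = fwd is not None and (fwd.dst, fwd.dport) == (xbox_a, 3074)

    # 5. One-to-one: external UDP 3074 cannot also be forwarded to Xbox B.
    try:
        r.add_static("udp", xbox_b, 3074, 3074)
        results["second_static_rejected"] = False
    except ValueError:
        results["second_static_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every value printed by `demo()` should be True. Step 5 is the reason a forward cannot be attached to a DHCP pool: the external port is the only thing the router has to decide where an unsolicited packet goes, and it can name one inside host.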

 

Author Comment

by:thorpez
ID: 22991981
Gotcha. I'll give it a try tomorrow. I'll be @ work in ~12 hours.
 
Expert Comment

by:bkepford
ID: 23007449
Any word?
 

Author Comment

by:thorpez
ID: 23009101
I've made an update. Though this is at a different facility, the access-list structure will be the same for all. The issue I've seen thus far is an MTU error when trying to test Xbox Live.

Best part thus far is this seems to effectively disable Limewire from connecting. Just need to make sure all other services are functional.

Thanks.


LIProuter#sh run
Building configuration...
 
Current configuration : 4656 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LIProuter
!
boot-start-marker
boot system flash c2800nm-entbasek9-mz.124-23.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 
!
no aaa new-model
!
ip nbar pdlm bittorrent.pdlm
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool LIP
   network 12.2.0.0 255.255.255.0
   default-router 12.2.0.2
   dns-server 66.xx.xx.xx 205.xx.xx.xx
!
ip dhcp pool SERVER1
   host 12.2.0.1 255.255.255.0
   client-identifier 0100.3048.8f7a.bf
   default-router 12.2.0.2
   dns-server 66.xx.xx.xx 205.xx.xx.xx
!
!
ip domain name yourdomain.com
ip name-server 66.xx.xx.xx
ip name-server 205.xx.xx.xx
!
!
!
username enable privilege 15 secret 
!
!
!
class-map match-any p2p
 match protocol fasttrack
 match protocol edonkey
 match protocol kazaa2
 match protocol winmx
 match protocol bittorrent
 match protocol gnutella
 match protocol http url "*/.hash*"
 match protocol http url "*/.message*"
 match protocol http url "*kmdstart*"
class-map match-all ipclass2
 match access-group 102
class-map match-all ipclass1
 match access-group 101
!
!
policy-map outbound
 class ipclass2
   police cir 768000 bc 38400
     conform-action transmit
     exceed-action drop
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
 class class-default
policy-map inbound
 class ipclass1
   police cir 7680000 bc 125000
     conform-action transmit
     exceed-action drop
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
policy-map block-p2p
 class p2p
   police cir 8000 bc 1000
     conform-action transmit
     exceed-action drop
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 66.xx.xx.xx 255.255.255.240
 ip access-group 104 in
 ip nat outside
 duplex auto
 speed auto
 fair-queue
 service-policy input inbound
 service-policy output outbound
!
interface FastEthernet0/1
 ip address 12.2.0.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 fair-queue
 service-policy input inbound
 service-policy output outbound
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx <<ISP Default Gateway>>
ip dns server
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/0 overload
!
access-list 101 permit ip any host xx.xx <<ISP Default Gateway>>
access-list 102 permit ip host xx.xx <<ISP Default Gateway>> any
access-list 103 permit ip 12.2.0.0 0.0.0.255 any
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any eq 443 any
access-list 104 permit tcp any eq 6112 any
access-list 104 permit tcp any eq 3074 any
access-list 104 permit tcp any eq 3724 any
access-list 104 permit udp any eq 3724 any
access-list 104 permit udp any eq 3074 any
access-list 104 permit udp any eq 88 any
access-list 104 permit udp any eq 6112 any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq 443
access-list 104 permit tcp any any eq 6112
access-list 104 permit tcp any any eq 3074
access-list 104 permit tcp any any eq 3724
access-list 104 permit udp any any eq 3724
access-list 104 permit udp any any eq 3074
access-list 104 permit udp any any eq 88
access-list 104 permit udp any any eq 6112
access-list 104 permit icmp any any
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use
.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
 
LIProuter#
LIProuter#sh ip access-list 104
Extended IP access list 104
    10 permit tcp any eq www any (84786 matches)
    20 permit tcp any eq 443 any (1958 matches)
    30 permit tcp any eq 6112 any
    40 permit tcp any eq 3074 any
    50 permit tcp any eq 3724 any
    60 permit udp any eq 3724 any
    70 permit udp any eq 3074 any (9706 matches)
    80 permit udp any eq 88 any
    90 permit udp any eq 6112 any (3 matches)
    100 permit udp any eq domain any (2719 matches)
    110 permit tcp any any eq www (6 matches)
    120 permit tcp any any eq 443 (3 matches)
    130 permit tcp any any eq 6112
    140 permit tcp any any eq 3074
    150 permit tcp any any eq 3724
    160 permit udp any any eq 3724
    170 permit udp any any eq 3074
    180 permit udp any any eq 88
    190 permit udp any any eq 6112
    200 permit icmp any any (19 matches)


 
Expert Comment

by:bkepford
ID: 23038344
Try adding this to inspect outgoing tcp traffic to allow it back in.
ip inspect name mysite tcp
!
interface FastEthernet0/1
  ip inspect mysite in

Here is a link for configuring the IOS CBAC firewall
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml 
 
 
Expert Comment

by:bkepford
ID: 23038353
Oh, and don't forget UDP:
ip inspect name mysite udp
 
 
 

Author Comment

by:thorpez
ID: 23070882
IP inspect is not a recognized command for this router. Any ideas? Things seem to be functioning OK at the moment. What's the purpose of this additional command?
 
Expert Comment

by:bkepford
ID: 23070973
It sets up more detailed inspection of traffic flows as they go out, to allow them back in. It allows for better security and an easier setup of a stateful firewall. But the reason it does not take it is that your IOS feature set doesn't support the command.
If it works let it be.
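The CBAC suggestion addresses a property of access-list 104 that is visible in the posted `show ip access-list` output: the entries carrying almost all of the hits (`permit tcp any eq www any`, `permit udp any eq domain any`, and so on) permit traffic by source port alone, and a stateless ACL cannot distinguish a genuine reply from a packet an outside host simply sent from port 80 or 53. The following Python is an added illustration for this page, not code from either poster or from Cisco. It parses a subset of ACL 104 copied from the configuration above, evaluates it the way IOS does (first match wins, implicit deny at the end), and contrasts that with a minimal model of what `ip inspect name ... tcp` / `udp` adds (admit inbound traffic only when it belongs to a session opened from the inside). The `Packet`, `Ace` and `StatefulInspector` names are this example's own, the addresses are constructed (RFC 5737 ranges), and NAT is left out for clarity.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of access-list 104 from the LIProuter configuration above (applied "in" on Fa0/0).
# The first four entries match on the source port only; the next two on the destination port.
ACL_104_SUBSET = """\
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any eq 443 any
access-list 104 permit udp any eq 3074 any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 permit udp any any eq 3074
access-list 104 permit icmp any any
"""

NAMED_PORTS = {"www": 80, "domain": 53}
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(tcp|udp|icmp)\s+any"
    r"(?:\s+eq\s+(\S+))?\s+any(?:\s+eq\s+(\S+))?$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    sport: Optional[int]   # None means "any"
    dport: Optional[int]


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_acl(text: str) -> list:
    """Parse the 'any [eq P] any [eq P]' ACE shapes used in this config; other forms are rejected."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, sp, dp = m.groups()
        aces.append(Ace(action, proto, _port(sp), _port(dp)))
    return aces


def stateless_permit(aces: list, pkt: Packet) -> bool:
    """Evaluate like an IOS ACL: first matching entry wins, implicit deny at the end."""
    for a in aces:
        if a.proto != pkt.proto:
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action == "permit"
    return False


class StatefulInspector:
    """Rough model of CBAC ('ip inspect name X tcp' / 'udp' applied inbound on the LAN side):
    remember sessions opened from inside and admit only inbound packets that belong to one."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def permit_inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict:
    # Constructed sample addresses (RFC 5737 ranges); the inside address is used on both sides.
    patron, router, web, outsider = "12.2.0.50", "198.51.100.2", "203.0.113.80", "203.0.113.66"
    aces = parse_acl(ACL_104_SUBSET)
    insp = StatefulInspector()
    results = {}

    # A patron browses the web; the reply comes back from source port 80. Both models allow it.
    insp.outbound(Packet("tcp", patron, 50000, web, 80))
    reply = Packet("tcp", web, 80, patron, 50000)
    results["reply_stateless"] = stateless_permit(aces, reply)
    results["reply_stateful"] = insp.permit_inbound(reply)

    # An unsolicited TCP packet to the router's telnet port, sent from source port 80:
    # 'permit tcp any eq www any' matches on the source port alone and lets it through,
    # while the stateful model rejects it because no inside host opened that session.
    probe = Packet("tcp", outsider, 80, router, 23)
    results["probe_stateless"] = stateless_permit(aces, probe)
    results["probe_stateful"] = insp.permit_inbound(probe)

    # The same probe from an ordinary ephemeral source port hits the implicit deny.
    results["probe_ephemeral_stateless"] = stateless_permit(aces, Packet("tcp", outsider, 51515, router, 23))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result to look at is `probe_stateless`: the source-port entries let any outside host reach any port on the router or on a forwarded inside host simply by sending from port 80, 443, 53, 88 or 3074, which is what makes the ACL a poor substitute for the inspection rules suggested above on a feature set that has them.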
 

Author Comment

by:thorpez
ID: 23072738
Thanks for the help!
