andrewprouse
asked on
Cisco 877w Xbox Live
I'm having an issue trying to get my Xbox 360 to work on Xbox Live with my Cisco 877w router. I have a Virgin Cable Modem plugged into FA0 (Vlan2) and Access List 100 applied inbound on Vlan 2. When Access List 100 is in effect the Xbox won't connect to Xbox Live, but when I remove it the Xbox will connect.
Although the Xbox connects when I remove the inbound ACL, I am getting messages on the Xbox saying that I need an 'open NAT configuration' for the best online experience and it mentions enabling UPnP. Any ideas?
From what I've read you've just got to allow ports 1307 TCP, 1307 UDP and 88 UDP to and from the Xbox.
Any ideas how I can get the Xbox working properly through my 877?
(my xbox is on dhcp)
cheers, Andy
Current configuration : 2942 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname APR-ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$gog2$lnvp0nLZSye1ep6JBcvQT/
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid PANDY & BERRY
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 12345665432112345665432112
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.40 192.168.1.254
!
ip dhcp pool POOL_V1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 208.67.222.222
lease 0 12
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid PANDY & BERRY
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan2
ip address dhcp
ip access-group 100 in
ip nat outside
ip virtual-reassembly
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Vlan2 overload
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
!
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password !xper1a!
logging synchronous
login
terminal-type mon
!
scheduler max-task-time 5000
end
and after write and reload the router....
ASKER
Do I have to assign a static IP to the Xbox? Then would the ip 192.168.1.x be the Xbox IP?
Cheers, Andy
ASKER
I assigned 192.168.1.2 to the Xbox and pasted those 3 lines in that you recommended (obviously replacing .x with .2) into the router, then reloaded the router. Thing is, the Xbox now won't connect to XB Live (with ACL 100 in place).
Any ideas?
please show us the following:
sh ip nat trans
sh access-list
ASKER
sorry for the delay...
APR-ROUTER#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 94.171.196.47:88 192.168.1.2:88 --- ---
tcp 94.171.196.47:3074 192.168.1.2:3074 --- ---
udp 94.171.196.47:3074 192.168.1.2:3074 --- ---
tcp 94.171.196.47:5780 192.168.1.2:5780 88.221.84.19:80 88.221.84.19:80
tcp 94.171.196.47:10714 192.168.1.2:10714 88.221.161.216:443 88.221.161.216:443
tcp 94.171.196.47:11000 192.168.1.2:11000 88.221.84.19:80 88.221.84.19:80
tcp 94.171.196.47:15154 192.168.1.2:15154 88.221.84.19:80 88.221.84.19:80
tcp 94.171.196.47:16495 192.168.1.2:16495 195.24.232.134:80 195.24.232.134:80
tcp 94.171.196.47:18163 192.168.1.2:18163 195.24.232.207:443 195.24.232.207:443
tcp 94.171.196.47:24051 192.168.1.2:24051 87.248.211.232:80 87.248.211.232:80
tcp 94.171.196.47:24497 192.168.1.2:24497 88.221.84.11:80 88.221.84.11:80
tcp 94.171.196.47:26928 192.168.1.2:26928 87.248.211.225:80 87.248.211.225:80
tcp 94.171.196.47:27038 192.168.1.2:27038 88.221.84.40:80 88.221.84.40:80
tcp 94.171.196.47:37581 192.168.1.2:37581 195.24.233.53:443 195.24.233.53:443
tcp 94.171.196.47:40062 192.168.1.2:40062 82.96.58.9:80 82.96.58.9:80
tcp 94.171.196.47:44625 192.168.1.2:44625 88.221.84.40:80 88.221.84.40:80
tcp 94.171.196.47:48801 192.168.1.2:48801 88.221.84.11:80 88.221.84.11:80
tcp 94.171.196.47:54620 192.168.1.2:54620 195.24.232.203:443 195.24.232.203:443
tcp 94.171.196.47:58664 192.168.1.2:58664 88.221.161.216:443 88.221.161.216:443
tcp 94.171.196.47:1735 192.168.1.11:1735 216.239.59.165:80 216.239.59.165:80
gre 94.171.196.47:2812 192.168.1.16:2812 217.36.231.143:2812 217.36.231.143:2812
tcp 94.171.196.47:51401 192.168.1.16:51401 217.36.231.143:1723 217.36.231.143:1723
tcp 94.171.196.47:51677 192.168.1.16:51677 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51678 192.168.1.16:51678 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51679 192.168.1.16:51679 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51680 192.168.1.16:51680 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51681 192.168.1.16:51681 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51682 192.168.1.16:51682 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51683 192.168.1.16:51683 64.156.132.215:80 64.156.132.215:80
tcp 94.171.196.47:51684 192.168.1.16:51684 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51685 192.168.1.16:51685 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51686 192.168.1.16:51686 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51687 192.168.1.16:51687 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51688 192.168.1.16:51688 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51689 192.168.1.16:51689 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51690 192.168.1.16:51690 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51691 192.168.1.16:51691 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51692 192.168.1.16:51692 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51693 192.168.1.16:51693 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51694 192.168.1.16:51694 64.156.132.140:80 64.156.132.140:80
tcp 94.171.196.47:51695 192.168.1.16:51695 66.235.133.33:80 66.235.133.33:80
gre 94.171.196.47:52329 192.168.1.16:52329 217.36.231.143:52329 217.36.231.143:52329
APR-ROUTER#
APR-ROUTER#
APR-ROUTER#
APR-ROUTER#sh access-list
Extended IP access list 100
10 permit tcp any any established (3634 matches)
20 permit gre any any
30 permit esp any any
40 permit icmp any any
50 permit tcp any eq ftp-data any
60 permit tcp any eq ftp any
70 permit tcp any any eq telnet
80 permit udp any eq domain any (206 matches)
90 permit tcp any eq domain any
100 permit udp any any eq 88
110 permit udp any any eq 3074
120 permit tcp any any eq 3074
130 permit tcp any any eq domain
140 permit udp any any eq domain
150 permit tcp any any eq www
160 permit udp any any eq bootpc (4 matches)
Extended IP access list NAT
10 permit ip 192.168.1.0 0.0.0.255 any (1438 matches)
20 permit tcp any any eq 3074
30 permit udp any any eq 3074
40 permit udp any any eq 88
APR-ROUTER#
Hi,
The config and ACL seem good, but try the following:
ip access-list extended 100
no 100 permit udp any any eq 88
no 110 permit udp any any eq 3074
no 120 permit tcp any any eq 3074
1 permit udp any any eq 88
2 permit udp any any eq 3074
3 permit tcp any any eq 3074
ASKER
I did that but no joy... the Xbox won't connect to XB Live.
I've pasted the revised ACLs below:
APR-ROUTER#sh access-lists
Extended IP access list 100
1 permit udp any any eq 88
2 permit udp any any eq 3074
3 permit tcp any any eq 3074
10 permit tcp any any established (3786 matches)
20 permit gre any any (7 matches)
30 permit esp any any
40 permit icmp any any
50 permit tcp any eq ftp-data any
60 permit tcp any eq ftp any
70 permit tcp any any eq telnet
80 permit udp any eq domain any (212 matches)
90 permit tcp any eq domain any
130 permit tcp any any eq domain
140 permit udp any any eq domain
150 permit tcp any any eq www
160 permit udp any any eq bootpc (4 matches)
Extended IP access list NAT
10 permit ip 192.168.1.0 0.0.0.255 any (3244 matches)
20 permit tcp any any eq 3074
30 permit udp any any eq 3074
40 permit udp any any eq 88
APR-ROUTER#
ACL is not matching...
the xbox is 192.168.1.2?
ASKER
Yes the Xbox is 192.168.1.2
This line is needed for the Xbox:
ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
If it isn't working, please add DNS:
ip nat inside source static udp 192.168.1.2 53 interface Vlan2 53
ip nat inside source static tcp 192.168.1.2 53 interface Vlan2 53
ASKER
I added that line but no luck. The bottom of my running-config now looks like this:
interface Vlan2
ip address dhcp
ip access-group 100 in
ip nat outside
ip virtual-reassembly
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Vlan2 overload
ip nat inside source static tcp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 88 interface Vlan2 88
ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
!
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
!
ASKER
still no luck. How about the NAT ACL??
you need to add this for acl 100:
access-list 100 permit udp any any eq 3330
ASKER
I added the 3330 line to ACL 100 and ACL NAT but still no luck.
Output from sh run:
ip nat inside source list NAT interface Vlan2 overload
ip nat inside source static tcp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 88 interface Vlan2 88
ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
ip nat inside source static udp 192.168.1.2 53 interface Vlan2 53
ip nat inside source static tcp 192.168.1.2 53 interface Vlan2 53
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
permit udp any eq domain any
permit tcp any eq domain any
permit tcp any any eq www
permit udp any any eq 3330
!
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq 3330
OK, please disable ACL 100:
int vlan 2
no ip access-group 100 in
Any luck?
ASKER
Yes XB live logs straight in without ACL 100.
One thing I have just noticed is that the router can't ping the Xbox (with or without ACL 100). The router can however ping my laptop (a wireless client). Xbox has a Def GW as the router's IP.
Strange
it is working?
ASKER
Yes the Xbox logs into XB live without ACL 100. But I could really do with having an ACL in place so that I'm not open to the world.
I still can't get the router to ping the Xbox though (possibly related?)
You're not open, but I'd advise configuring inspect.
ASKER
Sorry? Configure inspect?
I'm not sure why but something within ACL100 is blocking XB live.
Also, I can't ping the XB; is that something to do with the console itself?
I can ping all other wireless and wired clients.
XB has Default Gateway set as the router's bvi IP (192.168.1.254).
I'm a bit stumped, but I would like some kind of 'firewall' on my home network.
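The "inspect" suggested earlier in the thread is CBAC (Context-Based Access Control, the `ip inspect` feature), and it addresses the structural problem with ACL 100 rather than any single missing port. An inbound ACL is stateless: `permit tcp any any established` only admits TCP segments carrying ACK or RST, and UDP has no equivalent, so a UDP reply gets in only if its destination port is listed explicitly. The same list also lets the whole Internet reach the router's own telnet VTY lines (protected only by the clear-text password in the config, with `exec-timeout 0 0`) and accepts any TCP packet with source port 20, 21 or 53 and any UDP packet with source port 53, regardless of where it is going. The following is an added example, not from any post in this thread. It assumes an IOS 12.4 image with a feature set that includes the IOS Firewall (Advanced Security or Advanced IP Services; `ip inspect` is not in IP Base), keeps the interface names, addresses and the Xbox static NAT forwards from the config above, and the names FW, WAN-IN and access-list 10 are chosen here.

```cisco
! Added example: stateful filtering on the WAN side with CBAC.
! Assumes an IOS Firewall feature set; FW, WAN-IN and access-list 10 are
! names chosen for this example, not from the original config.
!
! 1. Inspection rule: track outbound TCP, UDP and ICMP sessions (plus the
!    FTP data channel) and open the matching return traffic through the
!    inbound ACL automatically, per session, for as long as it is active.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
! 2. Inbound WAN ACL: only what must be reachable unsolicited.
ip access-list extended WAN-IN
 remark DHCP replies for "ip address dhcp" on Vlan2
 permit udp any eq bootps any eq bootpc
 remark Xbox Live forwards (static NAT to 192.168.1.2 already in the config)
 permit udp any any eq 88
 permit tcp any any eq 3074
 permit udp any any eq 3074
 remark PPTP client at 192.168.1.16 (see the NAT table): CBAC tracks TCP 1723 but not GRE
 permit gre any any
 remark ICMP errors that PMTUD and traceroute rely on, permitted explicitly
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else, including telnet to the router itself, is dropped and logged
 deny ip any any log
!
! 3. Apply: inspect outbound on the outside interface, ACL inbound.
!    The new access-group replaces "ip access-group 100 in" directly.
interface Vlan2
 ip access-group WAN-IN in
 ip inspect FW out
!
! 4. Management plane: reach the VTY lines from the LAN only, and stop
!    idle sessions living forever.
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
!
! 5. The port-53 forwards added during the thread do nothing useful: the
!    Xbox's DNS lookups are outbound, and the overload NAT already handles
!    their replies. Remove them so TCP/UDP 53 is not exposed at all.
no ip nat inside source static udp 192.168.1.2 53 interface Vlan2 53
no ip nat inside source static tcp 192.168.1.2 53 interface Vlan2 53
```

After applying this, `show ip inspect sessions` lists the outbound sessions CBAC is tracking and therefore the return traffic it has opened, and `show access-lists WAN-IN` shows per-line counters, including how much the final deny is dropping. The CBAC default UDP idle timeout is 30 seconds (`ip inspect udp idle-time`); a console holding long-lived UDP sessions may need it raised if sessions drop mid-game. ESP is not in the list because no IPsec traffic appears in the NAT table on this page; add `permit esp any any` back if an IPsec client is in use.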
ACL 100 is blocking something; you will be able to find what causes the problem if you add logging for denied packets:
access-list 100 deny ip any any log
Please refer to this guide on how to build a firewall.
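The denied-packet logging suggested just above is the right diagnostic, but a router with no syslog server needs somewhere to keep the messages, and how to read them is not answered on this page. The following is an added example, not from any post in the thread; it leaves ACL 100 exactly as posted and appends only the explicit deny. The sample log line is constructed (203.0.113.5 is a documentation address); the message format is IOS's own.

```cisco
! Added example: log what ACL 100 drops and read it back on the router.
!
! Explicit final deny, appended after the existing permits so nothing that
! is allowed today changes; only the implicit drop becomes visible.
ip access-list extended 100
 deny ip any any log
!
! Keep messages in RAM (no syslog server assumed). The config already has
! "service timestamps log datetime msec", so each entry is timestamped.
logging buffered 16384 informational
!
! Then attempt the Xbox Live sign-in and read the buffer:
!   show logging            (the buffered messages, newest last)
!   show access-lists 100   (match counters per line, including the deny)
!   clear logging           (empty the buffer between attempts)
!
! A dropped packet shows up as (constructed sample, documentation address):
!   %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.5(3074) -> 94.171.196.47(56789), 1 packet
! IPACCESSLOGP is used for TCP/UDP (with ports), IPACCESSLOGDP for ICMP and
! IPACCESSLOGNP for other protocols. Only the first packet of a flow is
! logged at once; IOS then summarises further matches every 5 minutes, so
! the "N packets" count lags behind the ACL counters.
! The destination port on the right is what ACL 100 still lacks a permit
! for (here a UDP reply to an ephemeral port, which no stateless permit
! can cover without opening the port to everyone).
```

`show access-lists 100` now also shows a hit counter on the deny line, so even without reading the buffer you can tell whether the sign-in attempt is being dropped at all. ACL logging is handled in the process path; on a busy WAN link use `logging rate-limit` or remove the `log` keyword again once the offending port is known.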
ASKER
okay, I'll do that when I get home tonight. How do I then view the log file?
Cheers, Andy
ASKER CERTIFIED SOLUTION
You need the following:
ip nat inside source static tcp 192.168.1.x 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.x 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.x 88 interface Vlan2 88