Cisco 877w Xbox Live

andrewprouse
I'm having an issue trying to get my Xbox 360 to work on Xbox Live with my Cisco 877w router. I have a Virgin Cable Modem plugged into FA0 (Vlan2) and Access List 100 applied inbound on Vlan 2. When Access List 100 is in effect the Xbox won't connect to Xbox Live, but when I remove it the Xbox will connect.

Although the Xbox connects when I remove the inbound ACL, I am getting messages on the Xbox saying that I need an 'open NAT configuration' for the best online experience and it mentions enabling UPnP.  Any ideas???

From what I've read you've just got to allow ports 1307TCP, 1307UDP and 88UDP to and from the xbox.

Any ideas how I can get the Xbox working properly through my 877??

(my Xbox is on DHCP)

cheers, Andy

Current configuration : 2942 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname APR-ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$gog2$lnvp0nLZSye1ep6JBcvQT/
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid PANDY & BERRY
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 12345665432112345665432112
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.40 192.168.1.254
!
ip dhcp pool POOL_V1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 208.67.222.222
   lease 0 12
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid PANDY & BERRY
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan2
 ip address dhcp
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Vlan2 overload
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit tcp any any eq 3074
 permit udp any any eq 3074
 permit udp any any eq 88
!
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password !xper1a!
 logging synchronous
 login
 terminal-type mon
!
scheduler max-task-time 5000
end
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

You need the following:


ip nat inside source static tcp 192.168.1.x 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.x 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.x 88 interface Vlan2 88
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
and after that, write and reload the router....

Author

Commented:
Do I have to assign a static IP to the Xbox? Then would the IP 192.168.1.x be the Xbox IP?

Cheers, Andy

Author

Commented:
I assigned 192.168.1.2 to the Xbox and pasted those 3 lines that you recommended (obviously replacing .x with .2) into the router, then reloaded the router. Thing is, the Xbox now won't connect to XB Live (with ACL 100 in place).

Any ideas?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
please show us the following:

sh ip nat trans
sh access-list

Author

Commented:
sorry for the delay...

APR-ROUTER#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
udp 94.171.196.47:88      192.168.1.2:88        ---                   ---
tcp 94.171.196.47:3074    192.168.1.2:3074      ---                   ---
udp 94.171.196.47:3074    192.168.1.2:3074      ---                   ---
tcp 94.171.196.47:5780    192.168.1.2:5780      88.221.84.19:80       88.221.84.19:80
tcp 94.171.196.47:10714   192.168.1.2:10714     88.221.161.216:443    88.221.161.216:443
tcp 94.171.196.47:11000   192.168.1.2:11000     88.221.84.19:80       88.221.84.19:80
tcp 94.171.196.47:15154   192.168.1.2:15154     88.221.84.19:80       88.221.84.19:80
tcp 94.171.196.47:16495   192.168.1.2:16495     195.24.232.134:80     195.24.232.134:80
tcp 94.171.196.47:18163   192.168.1.2:18163     195.24.232.207:443    195.24.232.207:443
tcp 94.171.196.47:24051   192.168.1.2:24051     87.248.211.232:80     87.248.211.232:80
tcp 94.171.196.47:24497   192.168.1.2:24497     88.221.84.11:80       88.221.84.11:80
tcp 94.171.196.47:26928   192.168.1.2:26928     87.248.211.225:80     87.248.211.225:80
tcp 94.171.196.47:27038   192.168.1.2:27038     88.221.84.40:80       88.221.84.40:80
tcp 94.171.196.47:37581   192.168.1.2:37581     195.24.233.53:443     195.24.233.53:443
tcp 94.171.196.47:40062   192.168.1.2:40062     82.96.58.9:80         82.96.58.9:80
tcp 94.171.196.47:44625   192.168.1.2:44625     88.221.84.40:80       88.221.84.40:80
tcp 94.171.196.47:48801   192.168.1.2:48801     88.221.84.11:80       88.221.84.11:80
tcp 94.171.196.47:54620   192.168.1.2:54620     195.24.232.203:443    195.24.232.203:443
tcp 94.171.196.47:58664   192.168.1.2:58664     88.221.161.216:443    88.221.161.216:443
tcp 94.171.196.47:1735    192.168.1.11:1735     216.239.59.165:80     216.239.59.165:80
gre 94.171.196.47:2812    192.168.1.16:2812     217.36.231.143:2812   217.36.231.143:2812
tcp 94.171.196.47:51401   192.168.1.16:51401    217.36.231.143:1723   217.36.231.143:1723
tcp 94.171.196.47:51677   192.168.1.16:51677    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51678   192.168.1.16:51678    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51679   192.168.1.16:51679    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51680   192.168.1.16:51680    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51681   192.168.1.16:51681    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51682   192.168.1.16:51682    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51683   192.168.1.16:51683    64.156.132.215:80     64.156.132.215:80
tcp 94.171.196.47:51684   192.168.1.16:51684    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51685   192.168.1.16:51685    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51686   192.168.1.16:51686    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51687   192.168.1.16:51687    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51688   192.168.1.16:51688    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51689   192.168.1.16:51689    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51690   192.168.1.16:51690    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51691   192.168.1.16:51691    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51692   192.168.1.16:51692    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51693   192.168.1.16:51693    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51694   192.168.1.16:51694    64.156.132.140:80     64.156.132.140:80
tcp 94.171.196.47:51695   192.168.1.16:51695    66.235.133.33:80      66.235.133.33:80
gre 94.171.196.47:52329   192.168.1.16:52329    217.36.231.143:52329  217.36.231.143:52329
APR-ROUTER#
APR-ROUTER#
APR-ROUTER#
APR-ROUTER#sh access-list
Extended IP access list 100
    10 permit tcp any any established (3634 matches)
    20 permit gre any any
    30 permit esp any any
    40 permit icmp any any
    50 permit tcp any eq ftp-data any
    60 permit tcp any eq ftp any
    70 permit tcp any any eq telnet
    80 permit udp any eq domain any (206 matches)
    90 permit tcp any eq domain any
    100 permit udp any any eq 88
    110 permit udp any any eq 3074
    120 permit tcp any any eq 3074
    130 permit tcp any any eq domain
    140 permit udp any any eq domain
    150 permit tcp any any eq www
    160 permit udp any any eq bootpc (4 matches)
Extended IP access list NAT
    10 permit ip 192.168.1.0 0.0.0.255 any (1438 matches)
    20 permit tcp any any eq 3074
    30 permit udp any any eq 3074
    40 permit udp any any eq 88
APR-ROUTER#
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,


the config and ACL seem good, but try the following:

ip access-list extended 100

no 100 permit udp any any eq 88
no 110 permit udp any any eq 3074
no 120 permit tcp any any eq 3074
1 permit udp any any eq 88
2 permit udp any any eq 3074
3 permit tcp any any eq 3074

Author

Commented:
I did that but no joy... the Xbox won't connect to XB Live.

I've pasted the revised ACLs below:

APR-ROUTER#sh access-lists
Extended IP access list 100
    1 permit udp any any eq 88
    2 permit udp any any eq 3074
    3 permit tcp any any eq 3074
    10 permit tcp any any established (3786 matches)
    20 permit gre any any (7 matches)
    30 permit esp any any
    40 permit icmp any any
    50 permit tcp any eq ftp-data any
    60 permit tcp any eq ftp any
    70 permit tcp any any eq telnet
    80 permit udp any eq domain any (212 matches)
    90 permit tcp any eq domain any
    130 permit tcp any any eq domain
    140 permit udp any any eq domain
    150 permit tcp any any eq www
    160 permit udp any any eq bootpc (4 matches)
Extended IP access list NAT
    10 permit ip 192.168.1.0 0.0.0.255 any (3244 matches)
    20 permit tcp any any eq 3074
    30 permit udp any any eq 3074
    40 permit udp any any eq 88
APR-ROUTER#
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
ACL is not matching...

the Xbox is 192.168.1.2?

Author

Commented:
Yes the Xbox is 192.168.1.2
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
this line is needed for the Xbox:

ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
if it isn't working, please put in DNS:

ip nat inside source static udp 192.168.1.2 53 interface Vlan2 53
ip nat inside source static tcp 192.168.1.2 53 interface Vlan2 53

Author

Commented:
I added that line but no luck. The bottom of my running-config now looks like this:

interface Vlan2
 ip address dhcp
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Vlan2 overload
ip nat inside source static tcp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 88 interface Vlan2 88
ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit tcp any any eq 3074
 permit udp any any eq 3074
 permit udp any any eq 88
!
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
!

Author

Commented:
still no luck. How about the NAT ACL??
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
you need to add this to ACL 100:

access-list 100 permit udp any any eq 3330

Author

Commented:
I added the 3330 line to ACL 100 and ACL NAT but still no luck.

Output from sh run:

ip nat inside source list NAT interface Vlan2 overload
ip nat inside source static tcp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 3074 interface Vlan2 3074
ip nat inside source static udp 192.168.1.2 88 interface Vlan2 88
ip nat inside source static udp 192.168.1.2 3330 interface Vlan2 3330
ip nat inside source static udp 192.168.1.2 53 interface Vlan2 53
ip nat inside source static tcp 192.168.1.2 53 interface Vlan2 53
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit tcp any any eq 3074
 permit udp any any eq 3074
 permit udp any any eq 88
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp any any eq www
 permit udp any any eq 3330
!
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq 3330
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
ok, please disable ACL 100:

int vlan 2
 no ip access-group 100 in

luck?

Author

Commented:
Yes, XB Live logs straight in without ACL 100.

One thing I have just noticed is that the router can't ping the Xbox (with or without ACL 100). The router can however ping my laptop (a wireless client). The Xbox has its Def GW set to the router's IP.

Strange
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
is it working?

Author

Commented:
Yes, the Xbox logs into XB Live without ACL 100. But I could really do with having an ACL in place so that I'm not open to the world.

I still can't get the router to ping the Xbox though (possibly related?)
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
you are not open, but I advise you to configure inspect

Author

Commented:
Sorry? Configure inspect?

I'm not sure why, but something within ACL 100 is blocking XB Live.

Also, I can't ping the XB; is that something to do with the console itself?

I can ping all other wireless and wired clients.

The XB has its Default Gateway set to the router's BVI IP (192.168.1.254).

I'm a bit stumped, but I would like some kind of 'firewall' on my home network.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
ACL 100 is blocking something; you will be able to find what causes the problem if you put logging on denied packets:

access-list 100 deny ip any any log


Please refer to this guide on how to build a firewall

Author

Commented:
okay, I'll do that when I get home tonight. How do I then view the log file?

Cheers, Andy
Head of IT Security Division
Top Expert 2010
Commented:
sh log

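As an added example (not code from the thread or from Cisco), a short Python model of how IOS walks ACL 100 top down with an implicit deny at the end. It is fed constructed inbound packets rather than anything captured from Andy's router, and it shows the gap behind the "configure inspect" suggestion: "established" exists only for TCP, so a UDP reply to whatever ephemeral port the console chose matches no line and is silently dropped; those are the flows a trailing "deny ip any any log" would surface in "sh log".

```python
import re
from collections import namedtuple
# ACL 100 as it stands in the poster's last running-config (applied inbound on Vlan2).
ACL_100 = """
access-list 100 permit udp any any eq 88
access-list 100 permit udp any any eq 3074
access-list 100 permit tcp any any eq 3074
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq 3330
"""
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80, "bootpc": 68}
Packet = namedtuple("Packet", "proto sport dport ack", defaults=(0, 0, False))  # ack: TCP ACK/RST bit set

def parse_acl(text):  # only the 'any'-address ACE shapes used on this page are supported
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list \d+ (permit|deny) (\S+) any(?: eq (\S+))? any(?: eq (\S+))?( established)?$", line.strip())
        if not m: raise ValueError("unsupported ACE: " + line)
        action, proto, sp, dp, est = m.groups()
        ports = [None if t is None else NAMED_PORTS.get(t) or int(t) for t in (sp, dp)]
        rules.append((action, proto, ports[0], ports[1], est is not None))  # (action, proto, sport, dport, established)
    return rules

def evaluate(rules, pkt):  # first matching ACE wins; anything unmatched hits the implicit deny, as in IOS
    for action, proto, sp, dp, est in rules:
        if proto in ("ip", pkt.proto) and sp in (None, pkt.sport) and dp in (None, pkt.dport) \
                and (pkt.ack or not est):  # 'established' exists only for TCP and needs ACK/RST set
            return action
    return "deny"
RULES = parse_acl(ACL_100)
# Constructed inbound packets (Internet -> Vlan2); none of them were captured from the poster's router.
SAMPLE = [
    Packet("tcp", 80, 5780, ack=True),  # reply to the console's HTTP session: matches 'established'
    Packet("udp", 3074, 3074),          # Xbox Live traffic to the console's port 3074: matches line 2
    Packet("udp", 3074, 49152),         # UDP reply to an ephemeral port the console chose: no ACE matches
    Packet("tcp", 443, 49153),          # unsolicited SYN with no ACK bit: correctly dropped
]
DENIED = [p for p in SAMPLE if evaluate(RULES, p) == "deny"]  # what 'deny ip any any log' + 'sh log' would show
```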