Configuring Cisco 1841 router for Xbox Live
I'm aware this question has been asked before but my setup is a bit different. I do have two Xbox consoles, one is 360 and the other is One. They won't be played at the same time though.
So what I am looking for is guidance on how to configure the router firewall and/or NAT to ensure the Xbox Live ports are open.
In my setup, I have both consoles in the same VLAN which is labeled VLAN20 and will be connected to the 4port switch module so they will be plugged in ports fa0/1/0 and fa0/1/1. This routes back to the main VLAN and out to the Internet. I have just the default firewall rules applied that only has the customization of allowing DHCP and NTP traffic through since the router is Internet facing.
I have CLI and CCP access to the router and I have been told using CCP is the preferred method for configuring firewall. My goal is to get open NAT for the Xbox consoles. What is the best way to accomplish this?
So what I am looking for is guidance on how to configure the router firewall and/or NAT to ensure the Xbox Live ports are open.
In my setup, I have both consoles in the same VLAN which is labeled VLAN20 and will be connected to the 4port switch module so they will be plugged in ports fa0/1/0 and fa0/1/1. This routes back to the main VLAN and out to the Internet. I have just the default firewall rules applied that only has the customization of allowing DHCP and NTP traffic through since the router is Internet facing.
I have CLI and CCP access to the router and I have been told using CCP is the preferred method for configuring firewall. My goal is to get open NAT for the Xbox consoles. What is the best way to accomplish this?
AlexBlinov
Which port you want to open for the xbox?
Do you have both on fixed IPs?
Would you be OK with a DMZ for consoles only?
Would you be OK with a DMZ for consoles only?
ASKER
Thanks for the replies. The ports to be open I believe are 53 both, 80 tcp, 88 both, 3074 both
ASKER
Sorry on mobile and hit submit prematurely. The ports I need are at this link
http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
The consoles are on dhcp but I can configure static or dhcp reservation. They are on a 10.0.2.0/29 subnet so I can given the 360 and One 10.0.2.2 for fa0/1/0 and 10.0.2.3 for fa0/1/1 respectively. That vlan routed through 10.0.0.0/29 and to Internet. The router ip is 10.0.0.1 on fa0/1 and it gets dhcp from Isp on fa0/0.
http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
The consoles are on dhcp but I can configure static or dhcp reservation. They are on a 10.0.2.0/29 subnet so I can given the 360 and One 10.0.2.2 for fa0/1/0 and 10.0.2.3 for fa0/1/1 respectively. That vlan routed through 10.0.0.0/29 and to Internet. The router ip is 10.0.0.1 on fa0/1 and it gets dhcp from Isp on fa0/0.
ASKER
Sorry for the last part, yes dmz is ok for the consoles.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok thanks. I will try these tonight. Just to confirm, the interface does need to be set as fa0/1 instead of fa0/1/0 and fa0/1/1?
Fast Ethernet fa0/1 (the ADSL-WAN) interface
ASKER
Well you were correct, even with the ip nat entries Xbox One still showed up as Strict Nat. I tried adding it to DMZ and it also still shows up as Strict and the connection does not work. So I'm still misconfiguring it somewhere.
I'm going to skip the 360 and just focus on getting One to work. I'm having trouble finding help online on how to properly configure it for DMZ. Do I need to have the NAT entries above in addition to having the Xbox One in the DMZ?
I'm going to skip the 360 and just focus on getting One to work. I'm having trouble finding help online on how to properly configure it for DMZ. Do I need to have the NAT entries above in addition to having the Xbox One in the DMZ?
ASKER
Well a quick update. I restarted the 1841 and discarded my changes from this. After reboot, I reentered the commands above. Now the Xbox One shows Moderate instead of Strict which is good. I have no idea how though. I just realized, I am double nat'ed in my network due the way the Internet is provided. This is beyond my control so Moderate is the best I can do until I get a new ISP.
I can't seem to have both IPs for 360 and One routed to the same ports for WAN interface. When I do a show ip nat translation after entering them they are overwriting each other.
I can't seem to have both IPs for 360 and One routed to the same ports for WAN interface. When I do a show ip nat translation after entering them they are overwriting each other.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok I will try merging the rules and making them same ip. As far as I know there isn't any Mac filtering active since I used to have another router hooked up initially before replacing with the Cisco and it still connected.
I didn't realize that fa0/1 was supposed to be the wan interface. That means I may have to redo a lot of my setup since right now it is the opposite. So if I change fa0/1 to be wan facing, does that change the vlan switch ports as well such as instead of fa0/1/0 it would become fa0/0/0?
I wrote the rules above to point the ports from Xbox ip to fa0/0.
Another thought occurs, is it possible to write the rule like this and keep both xboxes with theirs individual ips?
ip nat in source static tcp int vlan20 53 int fa0/0 53
I didn't realize that fa0/1 was supposed to be the wan interface. That means I may have to redo a lot of my setup since right now it is the opposite. So if I change fa0/1 to be wan facing, does that change the vlan switch ports as well such as instead of fa0/1/0 it would become fa0/0/0?
I wrote the rules above to point the ports from Xbox ip to fa0/0.
Another thought occurs, is it possible to write the rule like this and keep both xboxes with theirs individual ips?
ip nat in source static tcp int vlan20 53 int fa0/0 53
Interface fa0/1 does not need to be WAN, I was just pointing that port that is WAN should be set instead of Fa0/1.
If your WAN interface is Fa0/0 that command would be
ip nat inside source static udp 10.0.2.3 4500 interface fastethernet 0/0 4500
that's all I tried to say.
And rule is for individual IPs.
If your WAN interface is Fa0/0 that command would be
ip nat inside source static udp 10.0.2.3 4500 interface fastethernet 0/0 4500
that's all I tried to say.
And rule is for individual IPs.
ASKER
Gotcha. Yeah that was what I did when entering the rules I specified fa0/0. I do have moderate nat now instead of strict.
I will review this one more time this evening and wrap up. So the thought above with specifying vlan20 won't work?
I will review this one more time this evening and wrap up. So the thought above with specifying vlan20 won't work?
Port forward - forwards traffic from port to specific destination. It is not multicast traffic, so destination host must be configured (can't just tune into frequency). :)
ASKER
Ah ok thanks for letting me know. I will wrap this up tonight then. Thanks!
ASKER
After further reading it appears to be common behavior for the Xbox One to fluctuate with Moderate and Strict NAT. Like MASQ said, double nat'ing is scourge so this is indeed as good as it gets with the port forwarding. I'm not gonna bother with DMZ since it will get same result. If anything, I learned more about Cisco IOS.