XBOX LIVE PORT FORWARDING PIX 501

Answered Question
Oct 13th, 2007

Hi, I have a 'moderate' setting on my Xbox Live for online play.

My network settings are:

DHCP IP from ISP cable modem

Xbox is on a wireless bridge; the AP has no routing functionality, it is just an AP by Linksys.

Static IP on the Xbox wireless bridge of 10.0.0.100

UDP ports 88 and 3074 and TCP port 3074. The following snippet is from my PIX config, but I still get 'moderate' versus 'open'.

Also, my PIX is being used as DHCP.

So what have I done wrong from the snippet below?

names

object-group service XBOXLIVE_TCP_PORT tcp

port-object eq 3074

object-group service XBOXLIVE_UDP_PORT udp

port-object eq 88

port-object eq 3074

access-list ACL_OUT permit tcp any host 10.0.0.100 object-group XBOXLIVE_TCP_PORT

access-list ACL_OUT permit udp any host 10.0.0.100 object-group XBOXLIVE_UDP_PORT

access-list allow_ping permit icmp any any echo-reply

access-list allow_ping permit icmp any any source-quench

access-list allow_ping permit icmp any any unreachable

access-list outside permit tcp any interface outside eq 3074

access-list outside permit udp any interface outside eq 3074

access-list outside permit udp any interface outside eq 88

pager lines 24

Collin Clark Sun, 10/14/2007 - 03:43

You're missing the NAT translation from your outside IP to your XBox.

static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255

You will also need to apply the 'outside' ACL to the outside interface.

HTH and please rate.

planzone Sun, 10/14/2007 - 09:15

OK, so what you are saying in regards to the outside interface is that your commands above should also have the following and it "should" work?

access-list outside permit tcp any interface outside eq 3074

access-list outside permit udp any interface outside eq 3074

access-list outside permit udp any interface outside eq 88

pager lines 24

planzone Sun, 10/14/2007 - 09:59

access-list outside permit tcp any interface outside eq 3074

access-list outside permit udp any interface outside eq 3074

access-list outside permit udp any interface outside eq 88

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255 0 0

I basically have this in my config now.

I also ran cl xlate

and it still shows the Xbox as 'moderate'.

Collin Clark Mon, 10/15/2007 - 05:09

Have you applied the 'outside' ACL to the outside interface?

access-group outside in interface outside

HTH and please rate

planzone Mon, 10/15/2007 - 06:26

I haven't tried this yet. But I decided to rewrite this to clean it up a bit and avoid some confusion, as some of the direction given was a bit unclear to me, as I am "green" at configuring PIX. I have one in my house to play with a bit and to learn.

Anyhow, after looking at this and discussing it a bit with a friend of mine who has a bit more experience with this than I do, this is what I am going to try this evening, and I will report back the results, as I hope this will help other folks as well:

static (inside,outside) tcp outside 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp outside 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp outside 88 10.0.0.100 88 netmask 255.255.255.255 0 0

access-list xbox_live permit tcp any outside eq 3074

access-list xbox_live permit udp any outside eq 3074

access-list xbox_live permit udp any outside eq 88

access-group xbox_live in interface outside

Notice this time the outside interface is applied. Anyone else have any comments on this? As mentioned, I will advise on my results after I apply this to my config.

Correct Answer
Collin Clark Mon, 10/15/2007 - 06:30

Your statics must look like this-

static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255

The keyword interface denotes the outside interface.

planzone Mon, 10/15/2007 - 07:34

Ahh, OK, pardon the ignorance.

So it should look like this then?

static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255 0 0

access-list xbox_live permit tcp any outside eq 3074

access-list xbox_live permit udp any outside eq 3074

access-list xbox_live permit udp any outside eq 88

access-group xbox_live in interface outside

planzone Mon, 10/15/2007 - 15:02

OK, this worked! My Xbox Live test settings now say 'open'.

There is one keyword I forgot, though, so I will rewrite it here below. I forgot to have the word interface before outside (see my correction below in all caps).

So it should read like so:

static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255 0 0

access-list xbox_live permit tcp any INTERFACE outside eq 3074

access-list xbox_live permit udp any INTERFACE outside eq 3074

access-list xbox_live permit udp any INTERFACE outside eq 88

access-group xbox_live in interface outside
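The thread turns on three things having to line up: a static translation per port, a permit to `interface outside` for the same port, and an access-group binding that ACL to the outside interface. The following is an added example, not code from any poster: a small Python check (the `audit` function and its patterns are assumptions that cover only the command forms shown in this thread) that reports forwards left unreachable and permits that expose a port with no translation behind it.

```python
import re

# Constructed sample: the configuration the thread ends with (last post).
WORKING = """\
static (inside,outside) tcp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 10.0.0.100 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 10.0.0.100 88 netmask 255.255.255.255 0 0
access-list xbox_live permit tcp any interface outside eq 3074
access-list xbox_live permit udp any interface outside eq 3074
access-list xbox_live permit udp any interface outside eq 88
access-group xbox_live in interface outside
"""

# Patterns cover only the command forms that appear in this thread.
STATIC = re.compile(r"static \(\w+,(\w+)\) (tcp|udp) interface (\d+) \S+ \d+")
PERMIT = re.compile(r"access-list (\S+) permit (tcp|udp) any interface (\w+) eq (\d+)")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")

def audit(config):
    """Return a list of problems; an empty list means every forward is reachable."""
    statics, permits, bound = set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics.add((m[1], m[2], int(m[3])))       # (interface, proto, port)
        elif m := PERMIT.match(line):
            permits.setdefault(m[1], set()).add((m[3], m[2], int(m[4])))
        elif m := GROUP.match(line):
            bound[m[2]] = m[1]                         # interface -> ACL name
    problems = ["ACL %s is never applied with access-group" % name
                for name in sorted(permits) if name not in bound.values()]
    allowed = set()
    for ifc, acl in bound.items():
        allowed |= {p for p in permits.get(acl, set()) if p[0] == ifc}
    for ifc, proto, port in sorted(statics - allowed):
        problems.append("static %s/%d on %s is not permitted by a bound ACL" % (proto, port, ifc))
    for ifc, proto, port in sorted(allowed - statics):
        problems.append("permit %s/%d on %s has no static translation" % (proto, port, ifc))
    return problems

if __name__ == "__main__":
    print(audit(WORKING) or "all forwards reachable")
```

Run against the earlier attempts in the thread, the same function flags the unapplied ACL and the permits written without the `interface` keyword.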
