ASA5505 "outside_access_in" blocking UDP

Answered Question
Jan 18th, 2008

Greetings all! This is sort of elementary for everyone (and may be silly, once you hear what I'm doing...) but I'm stumped.


Here's what I've got:


- ASA5505

- Xbox LIVE service: 88 UDP & 3074 TCP-UDP


I've searched around these forums and found help, but it was geared more towards the PIX 501. Anyway, here's what I've done:


- set up my Xbox with a static IP (192.168.1.200)

- entered a service group with the above-mentioned ports for both UDP and TCP

- created 3 NAT rules for those ports to go straight to the Xbox

- added the Xbox to an ACL so that those ports come into the Xbox


What I get, when testing, is this:


4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 by access-group "outside_access_in" [0x0, 0x0]


In the "outside_access_in" group, I have:


1 True any Xbox360 Xbox_LIVE Permit Default


I'm not sure why, but the packets, when coming back inside, are being denied. I'm using ASDM to set this up and I know a lot of you like the command line. If any of you can offer any help, I can run a command using command line and give you any outputs.


Thanks for any help my friends.


CH

acomiskey Fri, 01/18/2008 - 18:22

post a...


show run nat

show run access-list outside_access_in



interknox Fri, 01/18/2008 - 18:40

show run nat:


"nat (inside) 1 0.0.0.0 0.0.0.0"


show run access-list outside_access_in:


"access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360"


Thanks!

acomiskey Sat, 01/19/2008 - 05:55

Sorry, I meant show run static. Why don't you just post a sanitized/cleaned config.


show run

interknox Sat, 01/19/2008 - 06:21

show run static:


static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns


show run:


: Saved

:

ASA Version 8.0(3)

!

hostname greylock

domain-name ch.local

enable password RONX1BXdqaFcKwP9 encrypted

names

name 192.168.1.200 Xbox360

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.169 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DSL

ip address pppoe setroute

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/newstuff/asa803.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

domain-name interknox.net

object-group service Xbox_LIVE

service-object udp source eq 88 eq 88

service-object tcp-udp source eq 3074 eq 3074

access-list inside_access_in extended permit ip host Xbox360 any

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

pager lines 24

logging enable

logging asdm warnings

logging from-address [email protected]

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/newstuff/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 68.152.211.86 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

vpdn group DSL request dialout pppoe

vpdn group DSL localname my dsl email

vpdn group DSL ppp authentication pap

vpdn username my email password *********

dhcpd auto_config outside

!

dhcpd address 192.168.1.125-192.168.1.150 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

dhcpd enable inside

!


threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

ntp server 131.107.13.100 source outside

ntp server 129.6.15.29 source outside

ntp server 129.6.15.28 source outside prefer

username chris password TYGBt4.L24KH1.mU encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1d79690fe1b4b7246c3a87153b23040b

: end


NOTE: I cut out some of the "interfaces" because of message length restrictions on the forums. Other interfaces aren't in use, FYI.


Thanks again.

acomiskey Sat, 01/19/2008 - 06:42

Your access list is not correct.


access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360


should be...


access-list outside_access_in extended permit object-group Xbox_LIVE any interface outside


or


access-list outside_access_in extended permit object-group Xbox_LIVE any host

interknox Sat, 01/19/2008 - 06:57

Okay, using ASDM, it went from this:


access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360


to...


access-list outside_access_in extended permit object-group Xbox_LIVE any any


and it still blocks UDP ports (from log):


4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 by access-group "outside_access_in" [0x0, 0x0]

Correct Answer
acomiskey Sat, 01/19/2008 - 07:07

Do you have the source ip's of xbox live?


Sorry, the Xbox_LIVE object group needs to be the destination port.


access-list outside_access_in extended permit udp any interface outside eq 88

access-list outside_access_in extended permit udp any interface outside eq 3074

access-list outside_access_in extended permit tcp any interface outside eq 3074

interknox Sat, 01/19/2008 - 07:52

Okay, it's working now and I found that there were 2 problems. One problem ended up being that the Xbox_Live group's ports had the source/destination as the same thing, instead of "default" for the source. For instance, I had:


destination: udp 3074

source: udp 3074


When in fact, Xbox LIVE service doesn't use those ports at the source, so the ACL was blocking it. I changed it to:


destination: udp 3074

source: default


Second, like you said, my outside_access_in group listed my destination as my Xbox360, when in fact that won't work, as that device is using a private IP, behind the firewall.


I changed both these things and it now works like a champ!!!


Thanks again for all your help. I'll be sure to rate/vote whatever for you anytime.


CH
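The two root causes the thread settles on (a source-port restriction baked into the service object-group, and an outside ACL that named the private address instead of the outside interface) can be checked against the logged packet without a firewall. The Python below is an added example, not code from the original post or from Cisco. It parses the %ASA-4-106023 line from the first post, expands the page's object-group and access-list lines into explicit entries, and evaluates them the way the ASA does on 8.0(3), where an inbound ACL is matched before the static PAT is undone, so the destination it sees is the outside interface address. A `real_ip_acls` switch models ASA 8.3 and later, which match inbound ACLs against the real (untranslated) inside address instead. It assumes the outside interface address is the one in the log line (72.12.119.218; the interface is PPPoE-assigned, so that address is not stable), and the rule sets and statics are transcribed from the config on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Addresses taken from the thread. The outside address is PPPoE-assigned, so it is
# only assumed to be the interface address at the time of the logged packet.
XBOX360 = "192.168.1.200"
OUTSIDE_IF = "72.12.119.218"

# The %ASA-4-106023 line from the original post.
LOG_LINE = ('4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp '
            'src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 '
            'by access-group "outside_access_in" [0x0, 0x0]')

LOG_RE = re.compile(
    r'106023 .*?Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_106023(line: str) -> Packet:
    """Pull the 5-tuple out of a 106023 'Deny ... by access-group' message."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 106023 deny message")
    return Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


@dataclass(frozen=True)
class Ace:
    """One expanded access-list entry (source address is 'any' throughout)."""
    proto: str                   # 'tcp' or 'udp'; tcp-udp is written as two entries
    dst: str                     # 'any', a real IP, or 'interface' (outside address)
    dport: int
    sport: Optional[int] = None  # None is ASDM's 'default': any source port


# The original object-group ('service-object udp source eq 88 eq 88', ...) pins the
# source port as well as the destination port, and the ACE points at the real IP.
ORIGINAL_ACL = [Ace("udp", XBOX360, 88, sport=88),
                Ace("tcp", XBOX360, 3074, sport=3074),
                Ace("udp", XBOX360, 3074, sport=3074)]

# The 'any any' attempt from the thread: destination opened up, source port still pinned.
ANY_ANY_ACL = [Ace("udp", "any", 88, sport=88),
               Ace("tcp", "any", 3074, sport=3074),
               Ace("udp", "any", 3074, sport=3074)]

# Accepted answer: destination port only, destination 'interface outside'.
CORRECTED_ACL = [Ace("udp", "interface", 88),
                 Ace("udp", "interface", 3074),
                 Ace("tcp", "interface", 3074)]

# Destination-port-only ACL that still names the real inside host.
REAL_IP_ACL = [Ace("udp", XBOX360, 88),
               Ace("udp", XBOX360, 3074),
               Ace("tcp", XBOX360, 3074)]

# static (inside,outside) <proto> interface <mapped> Xbox360 <real> netmask ...
STATICS = [("tcp", 3074, XBOX360, 3074),
           ("udp", 3074, XBOX360, 3074),
           ("udp", 88, XBOX360, 88)]


def untranslate(pkt: Packet, outside_if: str = OUTSIDE_IF) -> Packet:
    """Undo the static PAT: map the outside interface address/port to the real host."""
    for proto, mapped_port, real_ip, real_port in STATICS:
        if pkt.proto == proto and pkt.dst == outside_if and pkt.dport == mapped_port:
            return Packet(pkt.proto, pkt.src, pkt.sport, real_ip, real_port)
    return pkt


def matches(ace: Ace, pkt: Packet, outside_if: str = OUTSIDE_IF) -> bool:
    if ace.proto != pkt.proto or ace.dport != pkt.dport:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    dst = outside_if if ace.dst == "interface" else ace.dst
    return dst == "any" or dst == pkt.dst


def acl_permits(acl: List[Ace], line: str, real_ip_acls: bool = False) -> bool:
    """Evaluate an inbound ACL against a logged packet.

    real_ip_acls=False models 8.0(3): the ACL on the outside interface sees the
    packet before the static is undone, so the destination is the interface
    address. real_ip_acls=True models ASA 8.3 and later, where the ACL is
    matched against the real (untranslated) inside address.
    """
    pkt = parse_106023(line)
    seen = untranslate(pkt) if real_ip_acls else pkt
    return any(matches(ace, seen) for ace in acl)


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("any any", ANY_ANY_ACL),
                      ("corrected", CORRECTED_ACL), ("real IP, dst port only", REAL_IP_ACL)]:
        print(f"{name:24s} 8.0(3): {acl_permits(acl, LOG_LINE)!s:5s} "
              f"8.3+: {acl_permits(acl, LOG_LINE, real_ip_acls=True)}")
```

Running it shows the original and the "any any" ACLs denying the packet on either model, because the Xbox LIVE server's source port (55619 here) never equals 3074; only the corrected ACL permits it on 8.0(3). The fourth rule set is the caveat for anyone reading this thread on newer code: from ASA 8.3 the ACL must name the real inside address (`host Xbox360`), and the `interface outside` form that fixes this 8.0(3) box stops matching.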
