ASA5505 "outside_access_in" blocking UDP

interknox
Level 1

Greetings all! This is sort of elementary for everyone (and may be silly, once you hear what I'm doing...) but I'm stumped.

Here's what I've got:

- ASA5505

- Xbox LIVE service: 88 UDP & 3074 TCP-UDP

I've searched around these forums and found help, but they were geared more towards the PIX 501. Anyways, here's what I've done:

- setup my xbox to a static IP (192.168.1.200)

- entered a service group with the above mentioned ports for both UDP and TCP

- created 3 NAT rules for those ports to go straight to the Xbox.

- added the xbox to a ACL so that those ports come into the Xbox

What I get, when testing, is this:

4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 by access-group "outside_access_in" [0x0, 0x0]

In the "outside_access_in" group, I have:

1 True any Xbox360 Xbox_LIVE Permit Default

I'm not sure why, but the packets, when coming back inside, are being denied. I'm using ASDM to set this up and I know a lot of you like the command line. If any of you can offer any help, I can run a command using command line and give you any outputs.

Thanks for any help my friends.

CH


9 Replies

acomiskey
Level 10

post a...

show run nat

show run access-list outside_access_in

show run nat:

"nat (inside) 1 0.0.0.0 0.0.0.0"

show run access-list outside_access_in:

"access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360"

Thanks!

Sorry I meant show run static. Why don't you just post a sanitized/cleaned config.

show run

show run static:

static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns

show run:

: Saved
:
ASA Version 8.0(3)
!
hostname greylock
domain-name ch.local
enable password RONX1BXdqaFcKwP9 encrypted
names
name 192.168.1.200 Xbox360
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.169 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DSL
 ip address pppoe setroute
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newstuff/asa803.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name interknox.net
object-group service Xbox_LIVE
 service-object udp source eq 88 eq 88
 service-object tcp-udp source eq 3074 eq 3074
access-list inside_access_in extended permit ip host Xbox360 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360
pager lines 24
logging enable
logging asdm warnings
logging from-address email@interknox.net
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/newstuff/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.211.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname my dsl email
vpdn group DSL ppp authentication pap
vpdn username my email password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.125-192.168.1.150 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
ntp server 131.107.13.100 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside prefer
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d79690fe1b4b7246c3a87153b23040b
: end

NOTE: I cut out some of the "interfaces" because of message length restrictions on the forums. Other interfaces aren't in use, FYI.

Thanks again.

Your access list is not correct.

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

should be...

access-list outside_access_in extended permit object-group Xbox_LIVE any interface outside

or

access-list outside_access_in extended permit object-group Xbox_LIVE any host

Okay, using ASDM, it went from this:

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

to...

access-list outside_access_in extended permit object-group Xbox_LIVE any any

and it still blocks UDP ports (from log):

4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 by access-group "outside_access_in" [0x0, 0x0]

Do you have the source ip's of xbox live?

Sorry, the Xbox_LIVE object group needs to be the destination port.

access-list outside_access_in extended permit udp any interface outside eq 88

access-list outside_access_in extended permit udp any interface outside eq 3074

access-list outside_access_in extended permit tcp any interface outside eq 3074

Okay, it's working now and I found that there were 2 problems. One problem ended up being that the Xbox_Live group's ports had the source/destination as the same thing, instead of "default" for the source. For instance, I had:

destination: udp 3074

source: udp 3074

When in fact, Xbox LIVE service doesn't use those ports at the source, so the ACL was blocking it. I changed it to:

destination: udp 3074

source: default

Second, like you said, my outside_access_in group listed my destination as my Xbox360, when in fact that won't work, as that device is using a private IP, behind the firewall.

I changed both these things and it now works like a champ!!!

Thanks again for all your help. I'll be sure to rate/vote whatever for you anytime.

CH
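The two failures CH describes above (a source-port qualifier in the object-group, and a private destination address in the outside ACL) can be checked against the logged packet with a small model of ASA extended-ACE matching. This is an added example, not code from the thread or from Cisco; the names `Packet`, `Ace`, `evaluate`, `parse_106023` and `verdicts` are hypothetical, and two behaviours of the 8.0(3) image in the thread are taken as assumptions: a service-object written `source eq 3074 eq 3074` requires the packet's source port to be 3074 as well as its destination port, and a pre-8.3 ASA evaluates the inbound ACL on the outside interface against the translated (public) address, so `host Xbox360` (192.168.1.200) cannot match a packet still addressed to the interface IP. The packet is parsed from the first 106023 log line posted in the thread.

```python
"""Model of how the thread's outside_access_in variants match the denied packet.

Added example, not code from the thread. It re-implements just enough of ASA
extended-ACE matching to show the two failures CH found. Assumptions modelled
(taken to hold for the 8.0(3) image in the thread):
  * "source eq 3074 eq 3074" requires the packet's SOURCE port to be 3074 too;
  * pre-8.3 ASA checks the outside ACL against the translated (public) address,
    so "host Xbox360" (192.168.1.200) never matches an inbound packet.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

INTERFACE_OUTSIDE = "72.12.119.218"   # public address in the first 106023 log line
XBOX360 = "192.168.1.200"             # real (inside) address: "name 192.168.1.200 Xbox360"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One permit entry (hypothetical model): protocol, destination host
    (None = any), destination port (None = no qualifier) and an optional
    source-port qualifier (None = ASDM's "default", i.e. any source port)."""
    proto: str                      # "tcp", "udp" or "tcp-udp"
    dst_ip: Optional[str]
    dst_port: Optional[int]
    src_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        protos = ("tcp", "udp") if self.proto == "tcp-udp" else (self.proto,)
        if pkt.proto not in protos:
            return False
        if self.dst_ip is not None and pkt.dst_ip != self.dst_ip:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        return True


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching ACE wins; falling off the end is the implicit deny
    the ASA reports as message 106023."""
    for ace in acl:
        if ace.matches(pkt):
            return "permit"
    return "deny"


_DENY_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")


def parse_106023(line: str) -> Packet:
    """Pull proto/src/dst out of an ASA 106023 'Deny ... by access-group' line."""
    m = _DENY_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny line")
    return Packet(m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))


# The first log line CH posted (copied from the thread).
LOG_LINE = ('4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp '
            'src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 '
            'by access-group "outside_access_in" [0x0, 0x0]')

# 1. As first posted: source AND destination ports qualified, destination host Xbox360.
ORIGINAL_ACL = [Ace("udp", XBOX360, 88, src_port=88),
                Ace("tcp-udp", XBOX360, 3074, src_port=3074)]

# 2. After ASDM rewrote it to "any any": destination no longer the issue, source ports still qualified.
ANY_ANY_ACL = [Ace("udp", None, 88, src_port=88),
               Ace("tcp-udp", None, 3074, src_port=3074)]

# 3. Source ports set to "default" but destination still the private address.
SRC_DEFAULT_PRIVATE_DST_ACL = [Ace("udp", XBOX360, 88),
                               Ace("tcp-udp", XBOX360, 3074)]

# 4. The accepted solution: destination port only, destination "interface outside".
ACCEPTED_ACL = [Ace("udp", INTERFACE_OUTSIDE, 88),
                Ace("udp", INTERFACE_OUTSIDE, 3074),
                Ace("tcp", INTERFACE_OUTSIDE, 3074)]


def verdicts(line: str = LOG_LINE) -> dict[str, str]:
    """Evaluate the logged packet against each variant of the ACL."""
    pkt = parse_106023(line)
    return {
        "original": evaluate(ORIGINAL_ACL, pkt),
        "any_any": evaluate(ANY_ANY_ACL, pkt),
        "src_default_private_dst": evaluate(SRC_DEFAULT_PRIVATE_DST_ACL, pkt),
        "accepted": evaluate(ACCEPTED_ACL, pkt),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:24s} {verdict}")
```

Only the fourth variant permits the packet: the logged source port 55619 is an ephemeral port, so any rule that also constrains the source port fails, and a rule whose destination is the private 192.168.1.200 fails because the outside ACL on this release sees the public address. The model hard-codes 72.12.119.218 for simplicity; on the real box the `interface outside` keyword resolves to whatever address PPPoE has currently assigned, which is why the accepted rules keep working after the address changes (the second log line in the thread shows 72.12.119.28) where a hard-coded IP would not.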

Happy gaming!~
