01-18-2008 05:15 PM - edited 03-11-2019 04:50 AM
Greetings all! This is sort of elementary for everyone (and may be silly, once you hear what I'm doing...) but I'm stumped.
Here's what I've got:
- ASA5505
- Xbox LIVE service: 88 UDP & 3074 TCP-UDP
I've searched around these forums and found help, but they were geared more towards the PIX 501. Anyways, here's what I've done:
- set up my Xbox with a static IP (192.168.1.200)
- entered a service group with the above-mentioned ports for both UDP and TCP
- created 3 NAT rules for those ports to go straight to the Xbox.
- added the Xbox to an ACL so that those ports come into the Xbox
What I get, when testing, is this:
4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 by access-group "outside_access_in" [0x0, 0x0]
In the "outside_access_in" group, I have:
1 True any Xbox360 Xbox_LIVE Permit Default
I'm not sure why, but the packets, when coming back inside, are being denied. I'm using ASDM to set this up and I know a lot of you like the command line. If any of you can offer any help, I can run a command using command line and give you any outputs.
Thanks for any help my friends.
CH
01-18-2008 06:22 PM
post a...
show run nat
show run access-list outside_access_in
01-18-2008 06:40 PM
show run nat:
"nat (inside) 1 0.0.0.0 0.0.0.0"
show run access-list outside_access_in:
"access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360"
Thanks!
01-19-2008 05:55 AM
Sorry I meant show run static. Why don't you just post a sanitized/cleaned config.
show run
01-19-2008 06:21 AM
show run static:
static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns
show run:
: Saved
:
ASA Version 8.0(3)
!
hostname greylock
domain-name ch.local
enable password RONX1BXdqaFcKwP9 encrypted
names
name 192.168.1.200 Xbox360
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.169 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address pppoe setroute
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newstuff/asa803.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name interknox.net
object-group service Xbox_LIVE
service-object udp source eq 88 eq 88
service-object tcp-udp source eq 3074 eq 3074
access-list inside_access_in extended permit ip host Xbox360 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360
pager lines 24
logging enable
logging asdm warnings
logging from-address email@interknox.net
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/newstuff/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.211.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname my dsl email
vpdn group DSL ppp authentication pap
vpdn username my email password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.125-192.168.1.150 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
ntp server 131.107.13.100 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside prefer
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d79690fe1b4b7246c3a87153b23040b
: end
NOTE: I cut out some of the "interfaces" because of message length restrictions on the forums. Other interfaces aren't in use, FYI.
Thanks again.
01-19-2008 06:42 AM
Your access list is not correct.
access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360
should be...
access-list outside_access_in extended permit object-group Xbox_LIVE any interface outside
or
access-list outside_access_in extended permit object-group Xbox_LIVE any host
01-19-2008 06:57 AM
Okay, using ASDM, it went from this:
access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360
to...
access-list outside_access_in extended permit object-group Xbox_LIVE any any
and it still blocks UDP ports (from log):
4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 by access-group "outside_access_in" [0x0, 0x0]
01-19-2008 07:07 AM
Do you have the source IPs of Xbox LIVE?
Sorry, the Xbox_LIVE object group needs to be the destination port.
access-list outside_access_in extended permit udp any interface outside eq 88
access-list outside_access_in extended permit udp any interface outside eq 3074
access-list outside_access_in extended permit tcp any interface outside eq 3074
01-19-2008 07:52 AM
Okay, it's working now and I found that there were 2 problems. One problem ended up being that the Xbox_Live group's ports had the source/destination as the same thing, instead of "default" for the source. For instance, I had:
destination: udp 3074
source: udp 3074
When in fact, Xbox LIVE service doesn't use those ports at the source, so the ACL was blocking it. I changed it to:
destination: udp 3074
source: default
Second, like you said, my outside_access_in group listed my destination as my Xbox360, when in fact that won't work, as that device is using a private IP, behind the firewall.
I changed both these things and it now works like a champ!!!
Thanks again for all your help. I'll be sure to rate/vote whatever for you anytime.
CH
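Added example, not part of the thread and not Cisco's code: a small Python model of how a pre-8.3 ASA evaluates an inbound ACL on the outside interface, replayed against the two 106023 deny lines quoted above. It shows why both of the original ACLs fail (the object-group pins the source port to 88/3074 while the real client uses an ephemeral port such as 55619, and `host Xbox360` names a private address that never appears as the destination on the outside interface) and why the accepted fix permits the traffic without opening anything else. The `Flow`/`Ace` names are hypothetical; the log lines are constructed copies of the ones in the thread, and the model assumes that the global destination address in each log line is the address the PPPoE outside interface held at that moment (which is what `interface outside` resolves to).

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed copies of the two %ASA-4-106023 deny lines quoted in the thread.
LOG_LINES = [
    '4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp '
    'src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    '4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp '
    'src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 '
    'by access-group "outside_access_in" [0x0, 0x0]',
]

DENY_RE = re.compile(
    r'106023 .*?Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_106023(line: str) -> Optional[Flow]:
    """Pull the 5-tuple out of a 106023 'Deny ... by access-group' message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return Flow(m['proto'], m['src'], int(m['sport']), m['dst'], int(m['dport']))


INTERFACE_OUTSIDE = 'interface outside'   # sentinel for the ACL keyword


@dataclass(frozen=True)
class Ace:
    protos: FrozenSet[str]        # {'udp'} or {'tcp', 'udp'} for tcp-udp
    src: str                      # 'any' or a host address
    sport: Optional[int]          # None = any source port ("default" in ASDM)
    dst: str                      # 'any', a host address, or INTERFACE_OUTSIDE
    dport: Optional[int]

    def matches(self, f: Flow, outside_ip: str) -> bool:
        # Pre-8.3: the outside ACL sees the untranslated (global) destination,
        # so 'interface outside' must resolve to the interface's current IP.
        dst = outside_ip if self.dst == INTERFACE_OUTSIDE else self.dst
        return (f.proto in self.protos
                and self.src in ('any', f.src)
                and (self.sport is None or self.sport == f.sport)
                and dst in ('any', f.dst)
                and (self.dport is None or self.dport == f.dport))


def permitted(acl: List[Ace], f: Flow, outside_ip: str) -> bool:
    """Permit-only ACL with the implicit deny at the end: any match permits."""
    return any(ace.matches(f, outside_ip) for ace in acl)


XBOX = '192.168.1.200'   # the 'name ... Xbox360' host from the posted config

# 1) As first posted: object-group pins source port == destination port and
#    the destination is the Xbox's private address.
ACL_ORIGINAL = [
    Ace(frozenset({'udp'}), 'any', 88, XBOX, 88),
    Ace(frozenset({'tcp', 'udp'}), 'any', 3074, XBOX, 3074),
]
# 2) After changing the destination to 'any' in ASDM: source port still pinned.
ACL_DST_ANY = [
    Ace(frozenset({'udp'}), 'any', 88, 'any', 88),
    Ace(frozenset({'tcp', 'udp'}), 'any', 3074, 'any', 3074),
]
# 3) The accepted fix: any source port, destination = the outside interface.
ACL_FIXED = [
    Ace(frozenset({'udp'}), 'any', None, INTERFACE_OUTSIDE, 88),
    Ace(frozenset({'udp'}), 'any', None, INTERFACE_OUTSIDE, 3074),
    Ace(frozenset({'tcp'}), 'any', None, INTERFACE_OUTSIDE, 3074),
]


def evaluate(lines: List[str], acl: List[Ace]) -> List[bool]:
    """Replay each logged deny against an ACL. Assumption: the logged global
    destination is the outside (PPPoE) address the ASA held at the time."""
    results = []
    for line in lines:
        f = parse_106023(line)
        if f is not None:
            results.append(permitted(acl, f, outside_ip=f.dst))
    return results


if __name__ == '__main__':
    for name, acl in [('original', ACL_ORIGINAL),
                      ('dst any', ACL_DST_ANY),
                      ('fixed', ACL_FIXED)]:
        print(f'{name:9s} -> {evaluate(LOG_LINES, acl)}')
```

Running it prints `[False, False]` for the first two ACLs and `[True, True]` for the fixed one. The same `Ace` model also shows the fix is still narrow: a UDP packet to the outside address on any other port, or TCP to port 88, is still dropped by the implicit deny.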
01-19-2008 09:58 AM
Happy gaming!~