Help with Cisco 877 NAT rule

Dec 5th, 2008


I have a Cisco 877 which I use for work. I now have an Xbox 360 and I need to add a few NATs and permits to my access lists to allow the Xbox to work properly over the Internet. Simple home routers just need UPnP enabled. I found this article, which is for the PIX; what is the equivalent for an 877?

Bottom of page -

My Xbox IP is and I have added the following but get errors, my Xbox gets a moderate NAT rating:

ip nat inside source static tcp 3074 interface Dialer1 3074
ip nat inside source static udp 3074 interface Dialer1 3074
ip nat inside source static udp 88 interface Dialer1 88

interface Dialer1
 description Outside
 ip access-group 101 in

access-list 101 permit udp any any eq 3074 log
access-list 101 permit udp any any eq 88 log
access-list 101 permit tcp any any eq 3074 log

John Blakley Fri, 12/05/2008 - 11:54

It looks right. You could try to remove the ports from the nat statements:

ip nat inside source static interface dialer1

Are you getting any hits on the ACLs? I don't have an XBox, so I'm just doing this by the way I normally do NAT.



whiteford Fri, 12/05/2008 - 12:01

Just got this hit, when I ran a connection test from the Xbox menu:

Dec 5 20:00:26.627: %SEC-6-IPACCESSLOGP: list 101 permitted udp ->, 7 packets


Extended IP access list 101
    91 permit udp any any eq 3074 log (24 matches)
    92 permit udp any any eq 88 log
    93 permit tcp any any eq 3074 log

I use IP Inspects, are these my outbound rules?

ip inspect name outbound tcp router-traffic
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name outbound cuseeme
ip inspect name outbound dns
ip inspect name outbound h323
ip inspect name outbound https
ip inspect name outbound imap
ip inspect name outbound pop3
ip inspect name outbound netshow
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound rtsp
ip inspect name outbound esmtp
ip inspect name outbound sqlnet
ip inspect name outbound streamworks
ip inspect name outbound tftp
ip inspect name outbound vdolive

John Blakley Fri, 12/05/2008 - 12:19

Yes they are. You're seeing, and allowing, the traffic back in. The inspects allow traffic out, and create a stateful connection outbound. You can take your inspects off of the public interface (no ip inspect outbound out) (or whatever direction it is), and see if that helps. The Xbox may be trying to go out other ports that aren't explicitly being allowed out, and they're being blocked. You may be able to do a sh ip inspect session to see what's being blocked when you do your test.



whiteford Fri, 12/05/2008 - 12:24

Let me try this. Some articles mention putting the Xbox in the router's DMZ; many "home" routers allow this option. What would this be on my router? Sounds like an ip any any rule each way to

here it is

Session 83A80758 (>( udp SIS_OPEN

Session 83A897F8 (>( udp SIS_OPEN

Session 83A84750 (>( udp SIS_OPEN

Session 83A80490 (>( udp SIS_OPEN is my laptop... strange

John Blakley Fri, 12/05/2008 - 12:25

You would probably want to create a vlan for your device, and this would serve as your dmz.
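
Added example, not part of the thread or written by either poster: a small Python script that reads `show access-lists` output and `%SEC-6-IPACCESSLOGP` syslog lines like those posted above and reports which permit entries are actually being hit. The sample input is constructed, and the addresses in it are documentation addresses standing in for the ones not shown in the thread.

```python
import re
from collections import Counter

# Constructed sample input: ACL output shaped like the listing in the thread,
# and log lines using documentation addresses (the thread's own are not shown).
SHOW_ACL = """\
Extended IP access list 101
    91 permit udp any any eq 3074 log (24 matches)
    92 permit udp any any eq 88 log
    93 permit tcp any any eq 3074 log
"""
SYSLOG = """\
Dec 5 20:00:26.627: %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.7(3074) -> 203.0.113.10(3074), 7 packets
Dec 5 20:00:31.102: %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.9(41000) -> 203.0.113.10(3074), 1 packet
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$")
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) [\d.]+\(\d+\) -> [\d.]+\((?P<dport>\d+)\), (?P<n>\d+) packets?")

def parse_aces(text):
    """One dict per ACL entry; IOS omits the counter when an entry has no hits."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append({"seq": int(m["seq"]), "action": m["action"],
                         "proto": m["proto"], "rule": m["rule"],
                         "hits": int(m["hits"] or 0)})
    return aces

def unused_permits(aces):
    """Sequence numbers of permit entries that have never matched a packet."""
    return [a["seq"] for a in aces if a["action"] == "permit" and a["hits"] == 0]

def packets_by_flow(text):
    """Sum logged packet counts per (ACL, action, protocol, destination port)."""
    totals = Counter()
    for m in LOG_RE.finditer(text):
        totals[(m["acl"], m["action"], m["proto"], int(m["dport"]))] += int(m["n"])
    return totals

if __name__ == "__main__":
    print("permit entries with no hits:", unused_permits(parse_aces(SHOW_ACL)))
    for flow, count in packets_by_flow(SYSLOG).items():
        print(flow, count, "packets")
```

A permit that stays at zero hits after a connection test, such as entries 92 and 93 in the listing above, is an inbound opening that nothing is using.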



