12-05-2008 11:00 AM - edited 03-11-2019 07:21 AM
Hi,
I have a Cisco 877 which I use for work. I now have an Xbox 360 and I need to add a few NATs and permits to my access lists to allow the Xbox to work properly over the Internet. Simple home routers just need UPnP enabled. I found this article, which is for the PIX; what is the equivalent for an 877?
Bottom of page - http://www.xboxlivetheguide.co.uk/XBoxLiveTheGuide3.php?title=My%20NAT%20Setting%20is%20Strict/Moderate%20what%20can%20I%20do
My Xbox IP is 192.168.2.99 and I have added the following but get errors, my Xbox gets a moderate NAT rating:
ip nat inside source static tcp 192.168.200.99 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.200.99 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.200.99 88 interface Dialer1 88
interface Dialer1
description Outside
ip access-group 101 in
access-list 101 permit udp any any eq 3074 log
access-list 101 permit udp any any eq 88 log
access-list 101 permit tcp any any eq 3074 log
12-05-2008 11:54 AM
It looks right. You could try to remove the ports from the nat statements:
ip nat inside source static 192.168.200.99 interface dialer1
Are you getting any hits on the ACLs? I don't have an XBox, so I'm just doing this by the way I normally do NAT.
HTH,
John
12-05-2008 12:01 PM
Just got this hit, when I ran a connection test from the Xbox menu:
Dec 5 20:00:26.627: %SEC-6-IPACCESSLOGP: list 101 permitted udp 65.55.42.131(3330) -> 90.205.5.1(3074), 7 packets
also:
Extended IP access list 101
91 permit udp any any eq 3074 log (24 matches)
92 permit udp any any eq 88 log
93 permit tcp any any eq 3074 log
I use IP inspects; are these my outbound rules?
ip inspect name outbound tcp router-traffic
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name outbound cuseeme
ip inspect name outbound dns
ip inspect name outbound h323
ip inspect name outbound https
ip inspect name outbound imap
ip inspect name outbound pop3
ip inspect name outbound netshow
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound rtsp
ip inspect name outbound esmtp
ip inspect name outbound sqlnet
ip inspect name outbound streamworks
ip inspect name outbound tftp
ip inspect name outbound vdolive
12-05-2008 12:19 PM
Yes they are. You're seeing, and allowing, the traffic back in. The inspects allow traffic out, and create a stateful connection outbound. You can take your inspects off of the public interface (no ip inspect outbound out) (or whatever direction it is), and see if that helps. The Xbox may be trying to go out other ports that aren't explicitly being allowed out, and they're being blocked. You may be able to do a sh ip inspect session to see what's being blocked when you do your test.
HTH,
John
12-05-2008 12:24 PM
Let me try this. Some articles mention putting the Xbox in the router's DMZ; many "home" routers allow this option. What would this be on my router? Sounds like an ip any any rule each way to 192.168.2.99?
Here it is:
Session 83A80758 (192.168.2.12:1258)=>(65.55.42.117:3074) udp SIS_OPEN
Session 83A897F8 (192.168.2.12:1259)=>(65.55.42.117:3074) udp SIS_OPEN
Session 83A84750 (192.168.2.12:1257)=>(65.55.42.132:88) udp SIS_OPEN
Session 83A80490 (192.168.2.12:3074)=>(65.55.42.131:3074) udp SIS_OPEN
192.168.2.12 is my laptop... strange
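A cross-check of the outputs posted so far, as an added example (not part of any post in this thread and not Cisco tooling): it parses the static port-forward lines, the ACL 101 permits and the inspect session lines quoted above, then reports forwards with no matching permit, permits with no matching forward, and session sources that are not the forward target. The regexes cover only the line shapes quoted in the thread, and the function and key names are hypothetical.

```python
import re

# Sample input: lines copied from the posts in this thread.
CONFIG = """\
ip nat inside source static tcp 192.168.200.99 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.200.99 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.200.99 88 interface Dialer1 88
access-list 101 permit udp any any eq 3074 log
access-list 101 permit udp any any eq 88 log
access-list 101 permit tcp any any eq 3074 log
"""
SESSIONS = """\
Session 83A80758 (192.168.2.12:1258)=>(65.55.42.117:3074) udp SIS_OPEN
Session 83A897F8 (192.168.2.12:1259)=>(65.55.42.117:3074) udp SIS_OPEN
Session 83A84750 (192.168.2.12:1257)=>(65.55.42.132:88) udp SIS_OPEN
Session 83A80490 (192.168.2.12:3074)=>(65.55.42.131:3074) udp SIS_OPEN
"""

# Groups: protocol, inside host, inside port, outside port.
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) ([\d.]+) (\d+) interface \S+ (\d+)$")
# Groups: ACL number, protocol, destination port (a trailing "log" is ignored).
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\d+)")
# Groups: session source host, source port, destination host, destination port.
SESS_RE = re.compile(r"^Session \S+ \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) \w+ \S+$")


def audit(config, sessions, acl="101"):
    """Cross-check static port forwards, inbound permits and inspect sessions."""
    forwards, permits, sources = {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            proto, inside_ip, _inside_port, outside_port = m.groups()
            forwards[(proto, int(outside_port))] = inside_ip
        elif (m := ACL_RE.match(line)) and m.group(1) == acl:
            permits.add((m.group(2), int(m.group(3))))
    for line in map(str.strip, sessions.splitlines()):
        if m := SESS_RE.match(line):
            sources.add(m.group(1))
    return {
        "forward_without_permit": sorted(forwards.keys() - permits),
        "permit_without_forward": sorted(permits - forwards.keys()),
        "session_sources_not_forward_target": sorted(sources - set(forwards.values())),
    }


if __name__ == "__main__":
    for check, items in audit(CONFIG, SESSIONS).items():
        print(f"{check}: {items or 'none'}")
```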
12-05-2008 12:25 PM
You would probably want to create a vlan for your device, and this would serve as your dmz.
HTH,
John
12-05-2008 12:34 PM
working!
12-05-2008 12:37 PM
Great! Please rate if it helps. It helps the forums. :-)
Thanks!
John
12-05-2008 12:40 PM
My config was right from the start; the Xbox just needed a restart :S
12-27-2008 06:40 AM
Hi -
Did you manage to get the XBox 360 to report an 'Open' response or was it still reporting 'Moderate' ?