Cisco Support Community

New Member

ASA5505 "outside_access_in" blocking UDP

Greetings all! This is sort of elementary for everyone (and may be silly, once you hear what I'm doing...) but I'm stumped.

Here's what I've got:

- ASA5505

- Xbox LIVE service: 88 UDP & 3074 TCP-UDP

I've searched around these forums and found help, but they were geared more towards the PIX 501. Anyways, here's what I've done:

- set up my Xbox with a static IP (192.168.1.200)

- entered a service group with the above mentioned ports for both UDP and TCP

- created 3 NAT rules for those ports to go straight to the Xbox.

- added the Xbox to an ACL so that those ports come into the Xbox

What I get, when testing, is this:

4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 by access-group "outside_access_in" [0x0, 0x0]

In the "outside_access_in" group, I have:

No. 1 | Enabled: True | Source: any | Destination: Xbox360 | Service: Xbox_LIVE | Action: Permit | Logging: Default

I'm not sure why, but the packets, when coming back inside, are being denied. I'm using ASDM to set this up and I know a lot of you like the command line. If any of you can offer any help, I can run a command using command line and give you any outputs.

Thanks for any help my friends.

CH


9 REPLIES
Green

Re: ASA5505 "outside_access_in" blocking UDP

post a...

show run nat

show run access-list outside_access_in

New Member

Re: ASA5505 "outside_access_in" blocking UDP

show run nat:

"nat (inside) 1 0.0.0.0 0.0.0.0"

show run access-list outside_access_in:

"access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360"

Thanks!

Green

Re: ASA5505 "outside_access_in" blocking UDP

Sorry, I meant show run static. Why don't you just post a sanitized/cleaned config?

show run

New Member

Re: ASA5505 "outside_access_in" blocking UDP

show run static:

static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns

show run:

: Saved
:
ASA Version 8.0(3)
!
hostname greylock
domain-name ch.local
enable password RONX1BXdqaFcKwP9 encrypted
names
name 192.168.1.200 Xbox360
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.169 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DSL
 ip address pppoe setroute
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newstuff/asa803.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name interknox.net
object-group service Xbox_LIVE
 service-object udp source eq 88 eq 88
 service-object tcp-udp source eq 3074 eq 3074
access-list inside_access_in extended permit ip host Xbox360 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360
pager lines 24
logging enable
logging asdm warnings
logging from-address email@interknox.net
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/newstuff/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.211.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname my dsl email
vpdn group DSL ppp authentication pap
vpdn username my email password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.125-192.168.1.150 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
ntp server 131.107.13.100 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside prefer
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d79690fe1b4b7246c3a87153b23040b
: end

NOTE: I cut out some of the "interfaces" because of message length restrictions on the forums. Other interfaces aren't in use, FYI.

Thanks again.

Green

Re: ASA5505 "outside_access_in" blocking UDP

Your access list is not correct.

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

should be...

access-list outside_access_in extended permit object-group Xbox_LIVE any interface outside

or

access-list outside_access_in extended permit object-group Xbox_LIVE any host

New Member

Re: ASA5505 "outside_access_in" blocking UDP

Okay, using ASDM, it went from this:

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

to...

access-list outside_access_in extended permit object-group Xbox_LIVE any any

and it still blocks UDP ports (from log):

4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 by access-group "outside_access_in" [0x0, 0x0]

Green (Accepted Solution)

Re: ASA5505 "outside_access_in" blocking UDP

Do you have the source IPs of Xbox LIVE?

Sorry, the Xbox_LIVE object group needs to be the destination port.

access-list outside_access_in extended permit udp any interface outside eq 88

access-list outside_access_in extended permit udp any interface outside eq 3074

access-list outside_access_in extended permit tcp any interface outside eq 3074

New Member

Re: ASA5505 "outside_access_in" blocking UDP

Okay, it's working now and I found that there were 2 problems. One problem ended up being that the Xbox_Live group's ports had the source/destination as the same thing, instead of "default" for the source. For instance, I had:

destination: udp 3074

source: udp 3074

When in fact, Xbox LIVE service doesn't use those ports at the source, so the ACL was blocking it. I changed it to:

destination: udp 3074

source: default

Second, like you said, my outside_access_in group listed my destination as my Xbox360, when in fact that won't work, as that device is using a private IP, behind the firewall.

I changed both these things and it now works like a champ!!!

Thanks again for all your help. I'll be sure to rate/vote whatever for you anytime.

CH
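As an added example (not code from this thread or from Cisco), the following Python model replays the denied packet from the posted 106023 log line against the three versions of outside_access_in that appear above. It assumes the pre-8.3 ASA behaviour the accepted answer relies on: the inbound ACL on "outside" sees the packet before the static PAT is undone, so the destination it compares against is the outside interface address (72.12.119.218 in the log), not the Xbox's private 192.168.1.200. The ACE evaluator, the `expand_service_group` helper and the variant names are constructed for the illustration; addresses and ports come from the thread.

```python
"""Toy model of ASA 8.0 interface-ACL evaluation for the Xbox LIVE thread.

Assumption (matches the accepted answer): the outside ACL is evaluated
against the mapped (outside-interface) destination, before static PAT
rewrites it to the Xbox's private address.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IF = "72.12.119.218"   # mapped address from the first 106023 log line
XBOX = "192.168.1.200"         # "name 192.168.1.200 Xbox360" in the config


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    proto: str                 # "udp", "tcp" or "ip"
    src: str                   # "any" or an address/CIDR
    src_port: Optional[int]    # None = any source port ("default" in ASDM)
    dst: str
    dst_port: Optional[int]


LOG_RE = re.compile(
    r"Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+) "
    r'by access-group "([^"]+)"'
)


def packet_from_106023(line: str) -> Packet:
    """Extract the 5-tuple from an ASA 106023 (ACL deny) syslog message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny line")
    proto, src, sport, dst, dport, _acl = m.groups()
    return Packet(proto, src, int(sport), dst, int(dport))


def expand_service_group(entries, src_spec: str, dst_spec: str) -> List[Ace]:
    """Expand (proto, src_port, dst_port) tuples, written the way the
    Xbox_LIVE object-group was, into one ACE per protocol (tcp-udp -> 2)."""
    aces = []
    for proto, sport, dport in entries:
        for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,)):
            aces.append(Ace(p, src_spec, sport, dst_spec, dport))
    return aces


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_ok(ace.src, pkt.src) and _port_ok(ace.src_port, pkt.src_port)
            and _addr_ok(ace.dst, pkt.dst) and _port_ok(ace.dst_port, pkt.dst_port))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; implicit deny at the end, as on the ASA."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ("permit", i)
    return ("deny", None)


# Copy of the log line quoted in the original post.
LOG_LINE = ('4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp '
            'src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 '
            'by access-group "outside_access_in" [0x0, 0x0]')
PKT = packet_from_106023(LOG_LINE)

# Xbox_LIVE as first posted: source port forced equal to destination port.
ORIGINAL_GROUP = [("udp", 88, 88), ("tcp-udp", 3074, 3074)]
# Xbox_LIVE as fixed at the end of the thread: source "default" (any port).
FIXED_GROUP = [("udp", None, 88), ("tcp-udp", None, 3074)]

ACL_ORIGINAL = expand_service_group(ORIGINAL_GROUP, "any", XBOX)         # ... any host Xbox360
ACL_ANY_ANY = expand_service_group(ORIGINAL_GROUP, "any", "any")         # ... any any
ACL_PORTS_ONLY = expand_service_group(FIXED_GROUP, "any", XBOX)          # ports fixed, dst still Xbox360
ACL_FIXED = expand_service_group(FIXED_GROUP, "any", OUTSIDE_IF)         # ... any interface outside

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("any any", ACL_ANY_ANY),
                      ("ports only", ACL_PORTS_ONLY), ("fixed", ACL_FIXED)):
        print(f"{name:10s} -> {evaluate(acl, PKT)}")
```

Running it shows that the first three variants all fall through to the implicit deny (the ephemeral source port 55619 never equals 3074, and 192.168.1.200 never equals the mapped destination), and only the version with both corrections permits the packet on its UDP/3074 entry. That is the same two-part diagnosis the poster reached above, checked mechanically.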

Green

Re: ASA5505 "outside_access_in" blocking UDP

Happy gaming!~
