09-02-2012 04:40 PM - edited 03-11-2019 04:48 PM
I have the following configuration in my ASA 5505 and I'm having problems connecting with other players on my XBox (moderate NAT).
I think my problem is that I need to forward ports tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50 (vlan 3 below).
Could anyone help w/ this?
[code]
# sh run
: Saved
:
ASA Version 8.4(4)1
!
hostname genesis
enable password 6SENS23lWMa10SSIA encrypted
passwd 6SENS23lWMa10SSIA encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Wired Network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Comcast WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description Wireless 802.11n
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
banner motd
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.85.98
name-server 68.87.69.146
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ACL_IN extended permit ip any any
access-list WAN_IN extended permit udp any eq domain any
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging host inside 192.168.1.200
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
access-group ACL_IN out interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 68.87.58.98 68.86.69.146
dhcpd lease 43200
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source inside
webvpn
username myName password QHA6sf25jCukcu7c encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:77681e92c2ef5a97a5c2f91be78cb3c6
: end
[/code]
09-03-2012 01:10 AM
Hi Richard,
You can try this NAT:
orts tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50
object service tcp_3074
service tcp destination eq 3074
object service udp_3074
service udp destination eq 3074
object service udp_88
service udp destination eq 88
object network obj-192.168.2.50
host 192.168.2.50
nat(outside,dmz) source static any any destination static interface obj-192.168.2.50 service tcp_3074 tcp_3074
nat(outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_3074 udp_3074
nat(outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_88 udp_88
access-list outside_access_in permit tcp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 88
access-list outside_access_in in interface outside
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-03-2012 11:24 AM
Thanks Varun,
I'm going to assume that the last line is really ...
access-group outside_access_in in interface outside
09-03-2012 11:27 AM
Ooooppsss m sorry, yup you got it right
Thanks,
Varun Rao
Security Team,
Cisco TAC
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide