cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1927
Views
0
Helpful
9
Replies

Help with Cisco 877 NAT rule

whiteford
Level 1
Level 1

Hi,

I have a Cisco 877 which I use for work. I now have an Xbox 360 and I need to add a few NAT's and permits to my access lists to allow the Xbox to work properly over the Internet, simple home routers just need UPnP enable, I found this article which is for the Pix, what is the equivilent for an 877?

Bottom of page - http://www.xboxlivetheguide.co.uk/XBoxLiveTheGuide3.php?title=My%20NAT%20Setting%20is%20Strict/Moderate%20what%20can%20I%20do

My Xbox IP is 192.168.2.99 and I have added the following but get errors, my Xbox gets a moderate NAT rating:

ip nat inside source static tcp 192.168.200.99 3074 interface Dialer1 3074

ip nat inside source static udp 192.168.200.99 3074 interface Dialer1 3074

ip nat inside source static udp 192.168.200.99 88 interface Dialer1 88

interface Dialer1

description Outside

ip access-group 101 in

access-list 101 permit udp any any eq 3074 log

access-list 101 permit udp any any eq 88 log

access-list 101 permit tcp any any eq 3074 log

9 Replies 9

John Blakley
VIP Alumni
VIP Alumni

It looks right. You could try to remove the ports from the nat statements:

ip nat inside source static 192.168.200.99 interface dialer1

Are you getting any hits on the ACLs? I don't have an XBox, so I'm just doing this by the way I normally do NAT.

HTH,

John

HTH, John *** Please rate all useful posts ***

Just got this hit, when I ran a connection test from the Xbox menu:

Dec 5 20:00:26.627: %SEC-6-IPACCESSLOGP: list 101 permitted udp 65.55.42.131(3330) -> 90.205.5.1(3074), 7 packets

also:

Extended IP access list 101

91 permit udp any any eq 3074 log (24 matches)

92 permit udp any any eq 88 log

93 permit tcp any any eq 3074 log

I use IP Inspects, are these my outbpound rules?

ip inspect name outbound tcp router-traffic

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

ip inspect name outbound cuseeme

ip inspect name outbound dns

ip inspect name outbound h323

ip inspect name outbound https

ip inspect name outbound imap

ip inspect name outbound pop3

ip inspect name outbound netshow

ip inspect name outbound rcmd

ip inspect name outbound realaudio

ip inspect name outbound rtsp

ip inspect name outbound esmtp

ip inspect name outbound sqlnet

ip inspect name outbound streamworks

ip inspect name outbound tftp

ip inspect name outbound vdolive

Yes they are. You're seeing, and allowing, the traffic back in. The inspects allow traffic out, and create a stateful connection outbound.You can take your inspects off of the public interface (no ip inspect outbound out)(or whatever direction it is), and see if that helps. The xbox may be trying to go out other ports that aren't explicitly being allowed out, and they're being blocked. You may be able to do a sh ip inspect session to see what's being blocked when you do your test.

HTH,

John

HTH, John *** Please rate all useful posts ***

Let me try this, some articles mention putting the xbox in the routers DMZ, many "home" routers allows this option, what would this be on my router, sounds like an ip any any rule each way to 192.168.2.99?

here is is

Session 83A80758 (192.168.2.12:1258)=>(65.55.42.117:3074) udp SIS_OPEN

Session 83A897F8 (192.168.2.12:1259)=>(65.55.42.117:3074) udp SIS_OPEN

Session 83A84750 (192.168.2.12:1257)=>(65.55.42.132:88) udp SIS_OPEN

Session 83A80490 (192.168.2.12:3074)=>(65.55.42.131:3074) udp SIS_OPEN

192.168.2.12 is my laptop... strange

You would probably want to create a vlan for your device, and this would serve as your dmz.

HTH,

John

HTH, John *** Please rate all useful posts ***

working!

Great! Please rate if it helps. It helps the forums. :-)

Thanks!

John

HTH, John *** Please rate all useful posts ***

My config was right from the start, the xbox just needed a restart :S

Hi -

Did you manage to get the XBox 360 to report an 'Open' response or was it still reporting 'Moderate' ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: