From: AJ Schroeder on 19 Apr 2008 18:12

Hello group,

I have a Cisco 871 router that I am attempting to use to replace my aging Netgear router. Things are working, er, just ok.

I utilize hotmail, my fiance uses live messenger, and I have an Xbox360. Whenever I put the 871 in as my router I can no longer sign into hotmail, live messenger, or Xbox live!

Web browsing, google talk, FTP, and other internet traffic work fine. I just am not able to get the Microsoft apps to work. They all time-out for some reason. If I put the old Netgear in, everything works normally.

I thought it was something that I did, so I did a 'write erase' and then tried to config it again. I am running 12.4(15)T4 as that is the latest IOS out there on Cisco's website.

Xbox Live does recommend doing port-forwarding for online gaming, so that is needed as well as a couple of other ports for an internal server on my network.

I am not a NAT expert by any means, so I am assuming that I have something configured wrong. Any help on this frustrating issue would be greatly appreciated.

Here is my config on the 871 (without the crypto statements):

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BTLR-TWT-GW1
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-15.T4.bin
boot-end-marker
!
logging buffered 16384
!
no aaa new-model
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.192
!
ip dhcp pool Workstations
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.101
   lease 3
!
ip dhcp pool Xbox360
   host 192.168.0.250 255.255.255.0
   client-identifier 0100.125a.f415.51
!
!
no ip bootp server
ip port-map user-xbl-ctrl-udp port udp 3074 description XBOX Live control protocol over UDP
ip port-map user-xbl-ctrl-tcp port tcp 3074 description XBOX Live control protocol over TCP
ip port-map user-xbl-auth port udp 88 description XBOX Live Authentication
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method DynDNS
 HTTP
  add http://ajschroeder:<not shown>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://ajschroeder:<not shown>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 12 0 0
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <not shown>
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 30
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 ip dhcp client update dns server none
 ip ddns update hostname <not shown>
 ip ddns update DynDNS
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Local LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
!
!
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 10 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 remark NAT-Inside-to-Outside
access-list 10 deny 192.168.0.102
access-list 10 deny 192.168.0.103
access-list 10 deny 192.168.0.250
access-list 10 permit 192.168.0.0 0.0.255.255
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17178097
ntp server 192.168.0.102 prefer
end

Thanks,
AJ Schroeder
From: Doug McIntyre on 20 Apr 2008 02:18

AJ Schroeder <ajschroeder(a)no-spamhotmail.com> writes:
>I have a Cisco 871 router that I am attempting to use to replace my aging
>Netgear router. Things are working, er, just ok.
>I utilize hotmail, my fiance uses live messenger, and I have an Xbox360.
>Whenever I put the 871 in as my router I can no longer sign into
>hotmail, live messenger, or Xbox live!
>Web browsing, google talk, FTP, and other internet traffic work fine. I
>just am not able to get the Microsoft apps to work. They all time-out
>for some reason. If I put the old Netgear in, everything works normally.
>I thought it was something that I did, so I did a 'write erase' and then
>tried to config it again.

No, not really anything you did.

The Netgear supports UPnP, which is basically a method for any program on any computers on the inside to open up holes on the firewall. Microsoft whole-heartedly supports UPnP.

Some companies are fundamentally opposed to letting client machines open up holes willy-nilly with zero admin control over it. Cisco is one of them, and they will never support UPnP.

Their philosophy is that if you want to open up holes, you need to specifically open up the holes you need to match the protocols you want going through. Thus you know what is open rather than random stuff opening up and going through.

I'm afraid, you'll have to learn to find out what you need open, and to open up and do port forwarding for each of the protocols you want to use.
From: Bod43 on 20 Apr 2008 07:58

On 20 Apr, 08:18, Doug McIntyre <mer...(a)geeks.org> wrote:
> AJ Schroeder <ajschroe...(a)no-spamhotmail.com> writes:
> >I have a Cisco 871 router that I am attempting to use to replace my aging
> >Netgear router. Things are working, er, just ok.
> >I utilize hotmail, my fiance uses live messenger, and I have an Xbox360.
> >Whenever I put the 871 in as my router I can no longer sign into
> >hotmail, live messenger, or Xbox live!
> >Web browsing, google talk, FTP, and other internet traffic work fine. I
> >just am not able to get the Microsoft apps to work. They all time-out
> >for some reason. If I put the old Netgear in, everything works normally.
> >I thought it was something that I did, so I did a 'write erase' and then
> >tried to config it again.
>
> No, not really anything you did.
>
> The Netgear supports UPnP, which is basically a method for any program
> on any computers on the inside to open up holes on the
> firewall. Microsoft whole-heartedly supports UPnP.
>
> Some companies are fundamentally opposed to letting client machines
> open up holes willy-nilly with zero admin control over it. Cisco is
> one of them, and they will never support UPnP.
>
> Their philosophy is that if you want to open up holes, you need to
> specifically open up the holes you need to match the protocols you want
> going through. Thus you know what is open rather than random stuff
> opening up and going through.
>
> I'm afraid, you'll have to learn to find out what you need open, and
> to open up and do port forwarding for each of the protocols you want
> to use.

In summary:-

Can't see anything amiss - unless you want to do general internet access from ...102, 103, 250.

Details follow.

Trimming the config to the essentials that affect NAT connectivity: (thank you for posting all of it by the way:)

hostname BTLR-TWT-GW1
!
! The "ip port-map"s are not being referenced anywhere
!
interface FastEthernet0     ! 0...3 all Vl 2
 switchport access vlan 2
!
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
!
!
interface Vlan2
 description Local LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 remark NAT-Inside-to-Outside
access-list 10 deny 192.168.0.102
access-list 10 deny 192.168.0.103
access-list 10 deny 192.168.0.250
access-list 10 permit 192.168.0.0 0.0.255.255

This configuration has the following behaviour:

For hosts 102, 103, 250 do NOT do any Port Address Translation.

Allows arbitrary internet access from inside to outside with no restrictions - using NAT.

Publishes the following to the internet utilising the Outside address of FastEthernet 4

tcp 192.168.0.103 80
tcp 192.168.0.102 22
tcp 192.168.0.102 21   ! I am not certain, however I think that
                       ! 21 will allow ftp since Cisco has an
                       ! ftp Application layer Gateway which is
                       ! enabled by default
tcp 192.168.0.250 3074
udp 192.168.0.250 88
udp 192.168.0.250 3074

I do not know anything about XBox however I am certain that hotmail is a straightforward web program that only needs port 80 outbound (maybe 443 too?) and makes NO inbound connections. Microsoft messenger is surely the same and requires NO inbound connections.

EXCEPT for hosts 102, 103, 250 Hotmail and MSN Messenger should be OK.

The only other thing that I can think of is that your provider uses a lower MTU than Ethernet default of 1500.

You could try

int vl 2
 ip tcp mss-adjust 1300

Clearly 1300 will be more than low enough but there is no point in worrying about a few bytes here and there in my opinion, choose one that we are certain will be low enough.

By the way you do not have the firewall enabled. This may or may not be important to you since one seems to get decent protection from most things with NAT alone.

Once you get what you need working come back for turning things off if required.

Maybe you mean for ACL 10 this instead:-
Note Extended ACL used instead of Standard one, ACL number range 100-199.

access-list 110 remark Extended acl NAT-Inside-to-Outside
access-list 110 deny tcp host 192.168.0.102 eq 21 any
  "  "  22
access-list 110 deny tcp host 192.168.0.103 eq 80 any

etc...

access-list 110 permit ip 192.168.0.0 0.0.255.255 any
From: Doug McIntyre on 21 Apr 2008 02:10

AJ Schroeder <ajschroeder(a)no-spamhotmail.com> writes:
>Are there any access lists on the router that I can create to log what
>IP and port things are talking on? I know 'deny ip any any log'
>generates a lot of logs, but that doesn't tell me source and destination
>port numbers. Or am I going to have to use wireshark or something along
>those lines?

That is perhaps the best way for discovering it yourself.

But your best resource is to just google on the program and NAT router or some other term. There's been many people that have already figured out what ports a protocol uses and have documented it already for devices that aren't UPnP so they can put in NAT port forwarding to make it work. Plenty of pages out there for any conceivable thing you want to use.
From: Schroeder, AJ on 21 Apr 2008 12:45

Bod43(a)hotmail.co.uk wrote:
> On 20 Apr, 08:18, Doug McIntyre <mer...(a)geeks.org> wrote:
>> AJ Schroeder <ajschroe...(a)no-spamhotmail.com> writes:
>>> I have a Cisco 871 router that I am attempting to use to replace my
>>> aging Netgear router. Things are working, er, just ok.
>>> I utilize hotmail, my fiance uses live messenger, and I have an
>>> Xbox360. Whenever I put the 871 in as my router I can no longer
>>> sign into hotmail, live messenger, or Xbox live!
>>> Web browsing, google talk, FTP, and other internet traffic work
>>> fine. I just am not able to get the Microsoft apps to work. They
>>> all time-out for some reason. If I put the old Netgear in,
>>> everything works normally. I thought it was something that I did,
>>> so I did a 'write erase' and then tried to config it again.
>>
>> No, not really anything you did.
>>
>> The Netgear supports UPnP, which is basically a method for any program
>> on any computers on the inside to open up holes on the
>> firewall. Microsoft whole-heartedly supports UPnP.
>>
>> Some companies are fundamentally opposed to letting client machines
>> open up holes willy-nilly with zero admin control over it. Cisco is
>> one of them, and they will never support UPnP.
>>
>> Their philosophy is that if you want to open up holes, you need to
>> specifically open up the holes you need to match the protocols you want
>> going through. Thus you know what is open rather than random stuff
>> opening up and going through.
>>
>> I'm afraid, you'll have to learn to find out what you need open, and
>> to open up and do port forwarding for each of the protocols you want
>> to use.
>
>
> In summary:-
>
> Can't see anything amiss - unless you want to do general internet
> access from ...102, 103, 250.
>
> Details follow.
>
> Trimming the config to the essentials that affect
> NAT connectivity: (thank you for posting all of it
> by the way:)
>
> hostname BTLR-TWT-GW1
> !
> ! The "ip port-map"s are not being referenced anywhere
> !
> interface FastEthernet0     ! 0...3 all Vl 2
>  switchport access vlan 2
> !
>
> !
> interface FastEthernet4
>  ip address dhcp client-id FastEthernet4
>  ip nat outside
> !
>
> !
> interface Vlan2
>  description Local LAN
>  ip address 192.168.0.1 255.255.255.0
>  ip nat inside
> !
>
> ip nat inside source list 10 interface FastEthernet4 overload
>
> ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80
> ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22
> ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21
> ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074
> ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88
> ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074
> !
> access-list 1 permit 10.0.0.0 0.255.255.255
> access-list 1 permit 172.16.0.0 0.15.255.255
> access-list 1 permit 192.168.0.0 0.0.255.255
>
> access-list 10 remark NAT-Inside-to-Outside
> access-list 10 deny 192.168.0.102
> access-list 10 deny 192.168.0.103
> access-list 10 deny 192.168.0.250
> access-list 10 permit 192.168.0.0 0.0.255.255
>
> This configuration has the following behaviour:
>
> For hosts 102, 103, 250 do NOT do any Port Address Translation.
>
> Allows arbitrary internet access from inside to outside
> with no restrictions - using NAT.
>
> Publishes the following to the internet
> utilising the Outside address of FastEthernet 4
> tcp 192.168.0.103 80
> tcp 192.168.0.102 22
> tcp 192.168.0.102 21   ! I am not certain, however I think that
>                        ! 21 will allow ftp since Cisco has an
>                        ! ftp Application layer Gateway which is
>                        ! enabled by default
> tcp 192.168.0.250 3074
> udp 192.168.0.250 88
> udp 192.168.0.250 3074
>
> I do not know anything about XBox however I am certain that
> hotmail is a straightforward web program that
> only needs port 80 outbound (maybe 443 too?)
> and makes NO inbound connections. Microsoft messenger
> is surely the same and requires NO inbound connections.
>
> EXCEPT for hosts 102, 103, 250 Hotmail and MSN Messenger
> should be OK.

That's what I would have thought, however I cannot seem to get to MSN/Hotmail from a host that isn't 102, 103, or 250. I wonder if that has anything to do with the fact that in ACL 10 I am matching on hosts in the Class B range of 192.168.0.0 and not the correct subnet mask of 255.255.255.0 that is defined in V2.

> The only other thing that I can think of is that your
> provider uses a lower MTU than Ethernet default of 1500.
>
> You could try
>
> int vl 2
>  ip tcp mss-adjust 1300
>
> Clearly 1300 will be more than low enough
> but there is no point in worrying about a
> few bytes here and there in my opinion,
> choose one that we are certain will be low enough.

My current Netgear uses the default MTU size of 1500, but I can try that as a last resort.

> By the way you do not have the firewall enabled.
> This may or may not be important to you since
> one seems to get decent protection from most things
> with NAT alone.
>
> Once you get what you need working come back for
> turning things off if required.
>
> Maybe you mean for ACL 10 this instead:-
> Note Extended ACL used instead of
> Standard one, ACL number range 100-199.
>
> access-list 110 remark Extended acl NAT-Inside-to-Outside
> access-list 110 deny tcp host 192.168.0.102 eq 21 any
>   "  "  22
> access-list 110 deny tcp host 192.168.0.103 eq 80 any
>
> etc...
>
> access-list 110 permit ip 192.168.0.0 0.0.255.255 any

Wow - I wonder if that has been my issue the entire time!

I think that might be why the router is inexplicably trouncing SOME of the traffic on the Xbox. I would be able to connect to Xbox Live, but could never establish a multiplayer session. Maybe I need to get port specific instead of IP specific.

I guess what I need is to be able to have hosts 102, 103, and 250 use PAT for any other TCP/UDP port other than what I am specifying in NAT, does that make sense?

I'll make the ACL changes tonight and see what happens.
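The two questions in this thread, Bod43's reading that ACL 10 switches off PAT entirely for hosts 102, 103 and 250, and AJ's later question about the 0.0.255.255 wildcard in that ACL, can both be checked by modelling the decision IOS makes for each outbound packet: a matching static entry is used first, otherwise the "ip nat inside source list" ACL decides whether a dynamic overload (PAT) entry is created, otherwise the packet leaves untranslated. The following Python script is an added example written for this editorial pass; it is not code from the thread or from Cisco. It encodes ACL 10, the six static mappings and Bod43's extended ACL 110 from the posts above, and assumes ACL 110 is extended to the Xbox ports in the same pattern; the outside address 203.0.113.5 and the sample flows are constructed.

```python
"""
Model of the NAT decision the 871 makes for an outbound packet, built from the
config posted in this thread. Added example; not code from the thread or from
Cisco. OUTSIDE_ADDR is a constructed placeholder for FastEthernet4's DHCP
address and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Standard ACL 10 exactly as posted: (action, source, wildcard). A standard
# ACL matches on the source address only, so a deny covers every port.
ACL_10 = [
    ("deny", "192.168.0.102", "0.0.0.0"),
    ("deny", "192.168.0.103", "0.0.0.0"),
    ("deny", "192.168.0.250", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.255.255"),
]

# Extended ACL 110 as Bod43 sketched it, with the Xbox ports added in the same
# pattern (assumption): (action, proto, source, wildcard, source port or None).
# "ip" matches any protocol; the implicit deny at the end is modelled below.
ACL_110 = [
    ("deny", "tcp", "192.168.0.102", "0.0.0.0", 21),
    ("deny", "tcp", "192.168.0.102", "0.0.0.0", 22),
    ("deny", "tcp", "192.168.0.103", "0.0.0.0", 80),
    ("deny", "tcp", "192.168.0.250", "0.0.0.0", 3074),
    ("deny", "udp", "192.168.0.250", "0.0.0.0", 88),
    ("deny", "udp", "192.168.0.250", "0.0.0.0", 3074),
    ("permit", "ip", "192.168.0.0", "0.0.255.255", None),
]


def standard_acl_permits(acl, flow: Flow) -> bool:
    for action, net, wc in acl:
        if wildcard_match(flow.src, net, wc):
            return action == "permit"
    return False  # implicit deny


def extended_acl_permits(acl, flow: Flow) -> bool:
    for action, proto, net, wc, sport in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if not wildcard_match(flow.src, net, wc):
            continue
        if sport is not None and sport != flow.sport:
            continue
        return action == "permit"
    return False  # implicit deny


# The six "ip nat inside source static" entries as posted: (proto, inside address, inside port).
STATIC_MAPPINGS = {
    ("tcp", "192.168.0.103", 80),
    ("tcp", "192.168.0.102", 22),
    ("tcp", "192.168.0.102", 21),
    ("tcp", "192.168.0.250", 3074),
    ("udp", "192.168.0.250", 88),
    ("udp", "192.168.0.250", 3074),
}

OUTSIDE_ADDR = "203.0.113.5"  # constructed placeholder for the DHCP address on FastEthernet4


def translate(flow: Flow, acl_permits) -> tuple:
    """
    Return (kind, source address the packet leaves FastEthernet4 with).
    "static": a static port entry matched (IOS consults these first).
    "pat":    the ACL permitted the packet, so an overload entry is created.
    "none":   no translation; the packet leaves with its 192.168.0.x source,
              no reply can come back, and the client sees a time-out.
    """
    if (flow.proto, flow.src, flow.sport) in STATIC_MAPPINGS:
        return ("static", OUTSIDE_ADDR)
    if acl_permits(flow):
        return ("pat", OUTSIDE_ADDR)
    return ("none", flow.src)


def compare(flow: Flow) -> dict:
    """Outcome of one outbound flow under ACL 10 versus ACL 110."""
    return {
        "acl10": translate(flow, lambda f: standard_acl_permits(ACL_10, f))[0],
        "acl110": translate(flow, lambda f: extended_acl_permits(ACL_110, f))[0],
    }


if __name__ == "__main__":
    # Constructed flows: the Xbox authenticating to a remote port 88 from an
    # ephemeral source port, the SSH server replying from its mapped port, and
    # a workstation browsing the web.
    for f in (Flow("udp", "192.168.0.250", 49500, "198.51.100.10", 88),
              Flow("tcp", "192.168.0.102", 22, "198.51.100.20", 51000),
              Flow("tcp", "192.168.0.105", 49152, "198.51.100.30", 80)):
        print(f, compare(f))
```

Running it shows the point of Bod43's analysis: under ACL 10 the Xbox's own outbound connection (ephemeral source port, not one of the statically mapped ports) is never translated, while under the extended ACL only the six published ports are excluded and everything else the three hosts send gets PAT. The wildcard_match calls also show that 0.0.255.255 and 0.0.0.255 both match every address in 192.168.0.0/24, so the broad mask on its own does not drop any LAN host from translation.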