Cisco Systems Re: Cisco 871 and Hotmail, Windows Live, Xbox360

Posted by Doug McIntyre on April 20, 2008, 2:18 am
>I have a Cisco 871 router that I am attempting to use to replace my aging
>Netgear router. Things are working, er, just ok.

>I utilize hotmail, my fiance uses live messenger, and I have an Xbox360.
>Whenever I put the 871 in as my router I can no longer sign into
>hotmail, live messenger, or Xbox live!

>Web browsing, google talk, FTP, and other internet traffic work fine. I
>just am not able to get the Microsoft apps to work. They all time-out
>for some reason. If I put the old Netgear in, everything works normally.

>I thought it was something that I did, so I did a 'write erase' and then
>tried to config it again.

No, not really anything you did.

The Netgear supports UPnP, which is basically a method for any program
on any computer on the inside to open up holes on the
firewall. Microsoft whole-heartedly supports UPnP.

Some companies are fundamentally opposed to letting client machines
open up holes willy-nilly with zero admin control over it. Cisco is
one of them, and they will never support UPnP.

Their philosophy is that if you want to open up holes, you need to
specifically open up the holes you need to match the protocols you want
going through. Thus you know what is open rather than random stuff
opening up and going through.

I'm afraid you'll have to learn to find out what you need open, and
to open up and do port forwarding for each of the protocols you want
to use.


Posted by Bod43@hotmail.co.uk on April 20, 2008, 7:58 am

In summary:-

Can't see anything amiss - unless you want to do general internet
access from ...102, 103, 250.

Details follow.


Trimming the config to the essentials that affect
NAT connectivity: (thank you for posting all of it
by the way:)

hostname BTLR-TWT-GW1
!
! The "ip port-map"s are not being referenced anywhere

!
interface FastEthernet0 ! 0...3 all Vl 2
switchport access vlan 2
!

!
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip nat outside
!

!
interface Vlan2
description Local LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!

ip nat inside source list 10 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255

access-list 10 remark NAT-Inside-to-Outside
access-list 10 deny 192.168.0.102
access-list 10 deny 192.168.0.103
access-list 10 deny 192.168.0.250
access-list 10 permit 192.168.0.0 0.0.255.255

This configuration has the following behaviour:

For hosts 102, 103, 250 do NOT do any Port Address Translation.

Allows arbitrary internet access from inside to outside
with no restrictions - using NAT.

Publishes the following to the internet
utilising the Outside address of FastEthernet 4
tcp 192.168.0.103 80
tcp 192.168.0.102 22
tcp 192.168.0.102 21 ! I am not certain, however I think that 21 will allow
                     ! ftp since Cisco has an ftp Application Layer Gateway
                     ! which is enabled by default
tcp 192.168.0.250 3074
udp 192.168.0.250 88
udp 192.168.0.250 3074



I do not know anything about XBox, however I am certain that
hotmail is a straightforward web program that
only needs port 80 outbound (maybe 443 too?)
and makes NO inbound connections. Microsoft messenger
is surely the same and requires NO inbound connections.

EXCEPT for hosts 102, 103, 250 Hotmail and MSN Messenger
should be OK.

The only other thing that I can think of is that your
provider uses a lower MTU than the Ethernet default of 1500.

You could try

int vl 2
ip tcp adjust-mss 1300

Clearly 1300 will be more than low enough,
but there is no point in worrying about a
few bytes here and there in my opinion;
choose one that we are certain will be low enough.

By the way you do not have the firewall enabled.
This may or may not be important to you since
one seems to get decent protection from most things
with NAT alone.

Once you get what you need working come back for
turning things off if required.

Maybe you mean for ACL 10 this instead:-
Note: an extended ACL is used instead of a
standard one, ACL number range 100-199.

access-list 110 remark Extended acl NAT-Inside-to-Outside
access-list 110 deny tcp host 192.168.0.102 eq 21 any
access-list 110 deny tcp host 192.168.0.102 eq 22 any
access-list 110 deny tcp host 192.168.0.103 eq 80 any

etc...

access-list 110 permit ip 192.168.0.0 0.0.255.255 any



Posted by Schroeder, AJ on April 21, 2008, 12:45 pm
Bod43@hotmail.co.uk wrote:
> In summary:-
>
> Can't see anything amiss - unless you want to do general internet
> access from ...102, 103, 250.
>
> Details follow.
>
>
> Trimming the config to the essentials that affect
> NAT connectivity: (thank you for posting all of it
> by the way:)
>
> hostname BTLR-TWT-GW1
> !
> ! The "ip port-map"s are not being referenced anywhere
>
> !
> interface FastEthernet0 ! 0...3 all Vl 2
> switchport access vlan 2
> !
>
> !
> interface FastEthernet4
> ip address dhcp client-id FastEthernet4
> ip nat outside
> !
>
> !
> interface Vlan2
> description Local LAN
> ip address 192.168.0.1 255.255.255.0
> ip nat inside
> !
>
> ip nat inside source list 10 interface FastEthernet4 overload
>
> ip nat inside source static tcp 192.168.0.103 80 interface
> FastEthernet4 80
> ip nat inside source static tcp 192.168.0.102 22 interface
> FastEthernet4 22
> ip nat inside source static tcp 192.168.0.102 21 interface
> FastEthernet4 21
> ip nat inside source static tcp 192.168.0.250 3074 interface
> FastEthernet4 3074
> ip nat inside source static udp 192.168.0.250 88 interface
> FastEthernet4 88
> ip nat inside source static udp 192.168.0.250 3074 interface
> FastEthernet4 3074
> !
> access-list 1 permit 10.0.0.0 0.255.255.255
> access-list 1 permit 172.16.0.0 0.15.255.255
> access-list 1 permit 192.168.0.0 0.0.255.255
>
> access-list 10 remark NAT-Inside-to-Outside
> access-list 10 deny 192.168.0.102
> access-list 10 deny 192.168.0.103
> access-list 10 deny 192.168.0.250
> access-list 10 permit 192.168.0.0 0.0.255.255
>
> This configuration has the following behaviour:
>
> For hosts 102, 103, 250 do NOT do any Port Address Translation.
>
> Allows arbitrary internet access from inside to outside
> with no restrictions - using NAT.
>
> Publishes the following to the internet
> utilising the Outside address of FastEthernet 4
> tcp 192.168.0.103 80
> tcp 192.168.0.102 22
> tcp 192.168.0.102 21 ! I am not certain, however I think that
> ! 21 will allow ftp since Cisco has an
> ! ftp Application layer Gateway which is
> enabled by default
> tcp 192.168.0.250 3074
>
>
> udp 192.168.0.250 88
> udp 192.168.0.250 3074
>
>
>
> I do not know anything about XBox however I am certain that
> hotmail is a straightforward web program that
> only needs port 80 outbound (maybe 443 too?)
> and makes NO inbound connections. Microsoft messenger
> is surely the same and required NO inbound connections.
>
> EXCEPT for hosts 102, 103, 250 Hotmail and MSN Messenger
> should be OK.

That's what I would have thought, however I cannot seem to get to
MSN/Hotmail from a host that isn't 102, 103, or 250. I wonder if that has
anything to do with the fact that in ACL 10 I am matching on hosts in the
Class B range of 192.168.0.0 and not the correct subnet mask of
255.255.255.0 that is defined in V2.

>
> The only other thing that I can think of is that your
> provider uses a lower MTU than Ethernet default of 1500.
>
> You could try
>
> int vl 2
> ip tcp mss-adjust 1300
>
>
> Clearly 1300 will be more than low enough
> but there is no point is worrying about a
> few bytes here and there in my opinion,
> choose one that we are certain will be low enough.
>

My current Netgear uses the default MTU size of 1500, but I can try that as
a last resort.

> By the way you do not have the firewall enabled.
> This may or may not be important to you since
> one seems to get decent protection from most things
> with NAT alone.
>
> Once you get what you need working come back for
> turning things off if reqired.
>
> Maybe you mean for ACL 10 this instead:-
> Note Extended ACL used instead of
> Standard one, ACL number range 100-199.
>
>
> access-list 110 remark Extended acl NAT-Inside-to-Outside
> access-list 110 deny tcp host 192.168.0.102 eq 21 any
> " " 22
> access-list 110 deny tcp host 192.168.0.103 eq 80 any
>
> etc...
>
> access-list 110 permit 192.168.0.0 0.0.255.255 any

Wow - I wonder if that has been my issue the entire time!

I think that might be why the router is inexplicably trouncing SOME of the
traffic on the Xbox. I would be able to connect to Xbox Live, but could
never establish a multiplayer session. Maybe I need to get port specific
instead of IP specific.

I guess what I need is to be able to have hosts 102, 103, and 250 use PAT
for any other TCP/UDP port other than what I am specifying in NAT, does that
make sense?

I'll make the ACL changes tonight and see what happens.



Posted by AJ Schroeder on April 26, 2008, 9:21 am
No dice... those ACL changes didn't make Live messenger come up. I
turned on NAT translation logging and I see conversations being
translated, but Live messenger, hotmail, and Xbox either don't make it
through the NAT/PAT, or they don't have a return path back into the
network.

Here's my new NAT setup:

ip nat log translations syslog
ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074
ip nat inside source list 110 interface FastEthernet4 overload
!
access-list 110 remark Extended acl NAT-Inside-to-Outside
access-list 110 deny tcp host 192.168.0.102 eq ftp any
access-list 110 deny tcp host 192.168.0.102 eq 22 any
access-list 110 deny tcp host 192.168.0.103 eq www any
access-list 110 deny udp host 192.168.0.250 eq 88 any
access-list 110 deny tcp host 192.168.0.250 eq 3074 any
access-list 110 deny udp host 192.168.0.250 eq 3074 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
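A small Python model of how IOS evaluates the ACL named by "ip nat inside source list" (top to bottom, first match wins, wildcard mask, implicit deny), added here as an illustration and not code from this thread or from Cisco; it encodes ACL 10 and ACL 110 exactly as posted above and shows that ACL 10 leaves all other traffic from hosts 102, 103 and 250 untranslated, while ACL 110 excludes only the published source ports. The names Entry, match_addr, is_translated and host are my own, and the flows at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the NAT ACL check: entries are tried top to bottom,
# the first match decides, and an implicit deny follows the last entry.
# permit = the flow is dynamically PAT'd to FastEthernet4's address;
# deny   = the flow is NOT translated (only a static entry could still do it).

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str                        # source network
    wildcard: str                   # IOS wildcard mask; "0.0.0.0" == host
    proto: str = "ip"               # "ip" matches any protocol
    src_port: Optional[int] = None  # "eq <port>" on the SOURCE port

def match_addr(addr: str, net: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)  # bits set in the wildcard are "don't care"

def is_translated(acl: List[Entry], proto: str, src: str, sport: int) -> bool:
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not match_addr(src, e.src, e.wildcard):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        return e.action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def host(action, ip, proto="ip", sport=None):
    return Entry(action, ip, "0.0.0.0", proto, sport)

# Standard ACL 10 as first posted: the three hosts are denied outright.
ACL_10 = [host("deny", "192.168.0.102"), host("deny", "192.168.0.103"),
          host("deny", "192.168.0.250"),
          Entry("permit", "192.168.0.0", "0.0.255.255")]

# Extended ACL 110 from the later post: only the published ports are excluded.
ACL_110 = [host("deny", "192.168.0.102", "tcp", 21),
           host("deny", "192.168.0.102", "tcp", 22),
           host("deny", "192.168.0.103", "tcp", 80),
           host("deny", "192.168.0.250", "udp", 88),
           host("deny", "192.168.0.250", "tcp", 3074),
           host("deny", "192.168.0.250", "udp", 3074),
           Entry("permit", "192.168.0.0", "0.0.0.255", "ip")]

if __name__ == "__main__":
    # Constructed flows: the Xbox opening a session from an ephemeral port,
    # its published service replying from 3074, and a host in another /24.
    for name, acl in (("ACL 10", ACL_10), ("ACL 110", ACL_110)):
        print(name, "xbox ephemeral udp:", is_translated(acl, "udp", "192.168.0.250", 50000))
        print(name, "xbox reply from 3074:", is_translated(acl, "udp", "192.168.0.250", 3074))
        print(name, "host 192.168.1.7:", is_translated(acl, "tcp", "192.168.1.7", 40000))
```

The last case shows what the 0.0.255.255 versus 0.0.0.255 wildcard question in the thread actually changes: only whether sources outside 192.168.0.0/24 are matched, not the treatment of the three hosts.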

Posted by HDFLSTS-2002 on June 29, 2008, 8:52 am
Sorry, coming into this post pretty late, but what stands out to me in doing
just a very quick look at your config is this.

access-list 110 remark Extended acl NAT-Inside-to-Outside
access-list 110 deny tcp host 192.168.0.102 eq ftp any
access-list 110 deny tcp host 192.168.0.102 eq 22 any
access-list 110 deny tcp host 192.168.0.103 eq www any
access-list 110 deny udp host 192.168.0.250 eq 88 any
access-list 110 deny tcp host 192.168.0.250 eq 3074 any
access-list 110 deny udp host 192.168.0.250 eq 3074 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any


You are denying all of the ports to the hosts for which you had created static
NAT entries.

Your ACL is being applied inbound, so you would see the conversation starting as
the traffic leaves your LAN destined for the internet with no problem. However,
the return traffic would be blocked by your ACL.



