Cisco 871 and Hotmail, Windows Live, Xbox360

No, not really anything you did.

The Netgear supports UPnP, which is basicly a method for any program on any computers on the inside to open up holes on the firewall. Microsoft whole-heartedly supports UPnP.

Some companies are fundementally opposed to letting client machines open up holes willy-nilly with zero admin control over it. Cisco is one of them, and they will never support UPnP.

Their philosophy is that if you want to open up holes, you need to specificly open up the holes you need to match the protocols you want going through. Thus you know what is open rather than random stuff opening up and going through.

I'm afraid, you'll have to learn to find out what you need open, and to open up and do port forwarding for each of the protocols you want to use.

In summary:-

Can't see anything amiss - unless you want to do general internet access from ...102, 103, 250.

Details follow.

Trimming the config to the essentials that affect NAT connectivity: (thank you for posting all of it by the way:)

hostname BTLR-TWT-GW1 ! ! The "ip port-map"s are not being referenced anywhere

! interface FastEthernet0 ! 0...3 all Vl 2 switchport access vlan 2 !

! interface FastEthernet4 ip address dhcp client-id FastEthernet4 ip nat outside !

! interface Vlan2 description Local LAN ip address 192.168.0.1 255.255.255.0 ip nat inside !

ip nat inside source list 10 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4 80 ip nat inside source static tcp 192.168.0.102 22 interface FastEthernet4 22 ip nat inside source static tcp 192.168.0.102 21 interface FastEthernet4 21 ip nat inside source static tcp 192.168.0.250 3074 interface FastEthernet4 3074 ip nat inside source static udp 192.168.0.250 88 interface FastEthernet4 88 ip nat inside source static udp 192.168.0.250 3074 interface FastEthernet4 3074 ! access-list 1 permit 10.0.0.0 0.255.255.255 access-list 1 permit 172.16.0.0 0.15.255.255 access-list 1 permit 192.168.0.0 0.0.255.255

access-list 10 remark NAT-Inside-to-Outside access-list 10 deny 192.168.0.102 access-list 10 deny 192.168.0.103 access-list 10 deny 192.168.0.250 access-list 10 permit 192.168.0.0 0.0.255.255

This configuration has the following behaviour:

For hosts 102, 103, 250 do NOT do any Port Address Translation.

Allows arbitrary internet access from inside to outside with no restrictions - using NAT.

Publishes the following to the internet utilising the Outside address of FastEthernet 4 tcp 192.168.0.103 80 tcp 192.168.0.102 22 tcp 192.168.0.102 21 ! I am not certain, however I think that ! 21 will allow ftp since Cisco has an ! ftp Application layer Gateway which is enabled by default tcp 192.168.0.250 3074

udp 192.168.0.250 88 udp 192.168.0.250 3074

I do not know anything about XBox however I am certain that hotmail is a straightforward web program that only needs port 80 outbound (maybe 443 too?) and makes NO inbound connections. Microsoft messenger is surely the same and required NO inbound connections.

EXCEPT for hosts 102, 103, 250 Hotmail and MSN Messenger should be OK.

The only other thing that I can think of is that your provider uses a lower MTU than Ethernet default of 1500.

You could try

int vl 2 ip tcp mss-adjust 1300

Clearly 1300 will be more than low enough but there is no point is worrying about a few bytes here and there in my opinion, choose one that we are certain will be low enough.

By the way you do not have the firewall enabled. This may or may not be important to you since one seems to get decent protection from most things with NAT alone.

Once you get what you need working come back for turning things off if reqired.

Maybe you mean for ACL 10 this instead:- Note Extended ACL used instead of Standard one, ACL number range 100-199.

access-list 110 remark Extended acl NAT-Inside-to-Outside access-list 110 deny tcp host 192.168.0.102 eq 21 any " " 22 access-list 110 deny tcp host 192.168.0.103 eq 80 any

etc...

access-list 110 permit 192.168.0.0 0.0.255.255 any

Doug McIntyre wrote in news:480ae035$0$1119$ snipped-for-privacy@newsreader.iphouse.net:

Crap... the one little detail I forgot about was UPnP. That explains why when I enabled the zone-based firewall some of the Microsoft apps started working.

Thank you for your reply, I just found out that my Netgear FVS318 supports UPnP, even though it is supposedly a ProSafe VPN router.

Are there any access lists on the router that I can create to log what IP and port things are talking on? I know 'deny ip any any log' generates a lot of logs, but that doesn't tell me source and destination port numbers. Or am I going to have to use wireshark or something along those lines?

That is perhaps the best ways for discovering it yourself.

But your best resource is to just google on the program and NAT router or some other term. There's been many people that have already figured out what ports a protocol uses and have documented it already for devices that aren't UPnP so they can put in NAT port forwarding to make it work.

Plenty of pages out there for any concievable thing you want to use.

That's what I woudl have thought, however I cannot seem to get to MSN/Hotmail from a host that isn't 102, 103, or 250. I wonder if that has anything to do with the fact that in ACL 10 I am matching on hosts in the Class B range of 192.168.0.0 and not the correct subnet mask of

My current Netgear uses the default MTU size of 1500, but I can try that as a last resort.

Wow - I wonder if that has been my issue the entire time!

I think that might be why the router is inexplicably trouncing SOME of the traffic on the Xbox. I would be able to connect to Xbox Live, but could never establish a multiplayer session. Maybe I need to get port specific instead of IP specific.

I guess what I need is to be able to have hosts 102, 103, and 250 use PAT for any other TCP/UDP port other than what I am specifying in NAT, does that make sense?

I'll make the ACL changes tonight and see what happens.

"Schroeder, AJ" wrote in news:fuifdn$s80$ snipped-for-privacy@sxnews1.qg.com:

No dice... those ACL chnages didn't make Live messenger come up. I turned on nat translation logging and I see conversations being translated, but LIVE messenger, hotmail, and Xbox either don't make it through the NAT/PAT, or they don't have a return path back into the network.

Here's my new NAT setup:

ip nat log translations syslog ip nat inside source static tcp 192.168.0.103 80 interface FastEthernet4

Sorry coming into this post pretty late. But what stands out to me in doing just a very quick look at your config is this.

access-list 110 remark Extended acl NAT-Inside-to-Outside access-list 110 deny tcp host 192.168.0.102 eq ftp any access-list 110 deny tcp host 192.168.0.102 eq 22 any access-list 110 deny tcp host 192.168.0.103 eq www any access-list 110 deny udp host 192.168.0.250 eq 88 any access-list 110 deny tcp host 192.168.0.250 eq 3074 any access-list 110 deny udp host 192.168.0.250 eq 3074 any access-list 110 permit ip 192.168.0.0 0.0.0.255 any

You are denying all of the ports to the host for which you had created static nat entries.

Your acl is being applied inbound so you would see the conversation starting as the traffic would leave your lan destin for th internet no problem. However the return traffic would be blocked by your acl.