How to use Xbox Live with a Cisco ASA
So you've bought a Cisco ASA 55XX? Congratulations! you have in your hands one of the best devices on the market for securing your network from all the nasty people on the internet. The trouble starts, however, when you plumb that baby into your home network, set up the minimum configuration options required and you suddenly discover that Xbox Live isn't working properly. Sure, you may be able to connect and you may be able to join games as before, but you may find you get randomly disconnected or you are unable to hear other people using microphones. When running the network test from System Settings, the wizard helpfully advises that your NAT settings are at fault. The reason you may not have experienced this before would be down to the router you had been using which almost certainly supported Universal Plug 'n' Play (UPnP). The ASA does not. In order to get Xbox Live working as it should, manual configuration of Port Forwarding is required to allow the Xbox Live service out on the internet to talk through the ASA to the Xbox in your network.
To keep this article as simple as possible, the following is presumed about the network configuration:
- The ASA is running software version 8.3 or later with the changes to object-based NAT from earlier versions.
- The ASA has the ISP-provided IP address for your internet connection (either a static assignment or by DHCP) on its outside interface.
- The Xbox device is on a network segment directly connected to the ASA firewall device.
- The inside network segment subnet is 192.168.1.0/24.
- The ASA's inside IP address is 192.168.1.1.
- The Xbox's inside IP address is 192.168.1.100.
- All outbound traffic to the internet is permitted through the firewall from that segment.
- All outbound traffic is translated using Dynamic PAT to the IP address of the outside interface.
- All inbound traffic from the internet to the outside interface of the ASA is blocked.
- The outside interface uses the default access list named 'outside_access_in'.
A lot of assumptions, but this is a fairly typical setup for a home network whether connected to a hardware firewall device like the ASA or a standard home router provided by your ISP. Obviously, you should substitute your own IP addressing schemes and device names where appropriate.
The starting point for for this process is to create the network object for the Xbox itself. Creating named objects is important for making the configuration commands much easier to understand when returning to them at a later date. It is also convenient to be able to reference something by name instead of using a more long-handed method. To create our object 'xbox', use the following commands:
firewall>enable firewall#configure terminal firewall(config)#object network xbox firewall(config-network-object)#host 192.168.1.100 firewall(config-network-object)#exit firewall(config)#
This sequence of commands has created a new object of the 'network' type with the name 'xbox'. The host command is used to add an IP address to the object, in this case adding the real IP address of the Xbox device to the xbox object.
In addition to this object, it is necessary to create an additional object object for each NAT rule that will be necessary to enable communcication from the internet to the Xbox. For Xbox Live to function correctly, this will require both TCP and UDP traffic on port 3074 and UDP on port 88. Here are the commands to create the three additional network objects we require:
firewall(config)#object network xbox-nat-tcp3074 firewall(config-network-object)#host 192.168.1.100 firewall(config-network-object)#exit firewall(config)#object network xbox-nat-udp3074 firewall(config-network-object)#host 192.168.1.100 firewall(config-network-object)#exit firewall(config)#object network xbox-nat-udp88 firewall(config-network-object)#host 192.168.1.100 firewall(config-network-object)#exit firewall(config)#
The Xbox now has 4 objects associated with its IP address: xbox, xbox-nat-tcp3074, xbox-nat-udp3074 and xbox-nat-udp88. The naming of the objects is entirely up to you, but the convention I've adopted here - including 'nat' and the port type/number - gives clarity as to the object's purpose and use.
In a similar approach to creating the named network objects above, it's also convenient to create named objects of service ports. For the purpose of this article we want to define a named service object that includes port 3074 for both TCP and UDP protocols, as discussed above. This can be done with a single object created by the following commands:
firewall(config)#object-group service xbox-live-3074 tcp-udp firewall(config-service-object-group)#port-object eq 3074 firewall(config-service-object-group)#exit firewall(config)#object service xbox-live-88 firewall(config-service-object)#service udp destination eq 88 firewall(config-service-object)#exit firewall(config)#
Now we have a new service object named 'xbox-live-3074' that specifies a 'port-object' for port 3074 and covers both TCP and UDP.
Now we come to the most involved part of the process. Creating Network Address Translation (NAT) rules is how traffic from out on the internet is enabled to reach the Xbox device on the inside network. More precisely, the type of NAT we will be using is described as Static Port Address Translation (PAT). Inbound traffic to the ASA's outside interface with a specific destination port of either UDP/3074, TCP/3074 or UDP/88 will be translated to have the destination IP address of the inside Xbox device.
Three separate NAT rules will need to be created: one for TCP port 3074, one for UDP port 3074 and one for UDP port 88. Because a network object may only have a single NAT rule applied to it, we need to have a separate object for each translation we want to perform. That's okay because we have already created three additional objects for just this purpose in the sections above. The commands we need to run to create our NAT rules on the objects are as follows:
firewall(config)#object network xbox-nat-tcp3074 firewall(config-network-object)#nat (inside,outside) static interface service tcp 3074 3074 firewall(config-network-object)#exit firewall(config)#object network xbox-nat-udp3074 firewall(config-network-object)#nat (inside,outside) static interface service udp 3074 3074 firewall(config-network-object)#exit firewall(config)#object network xbox-nat-udp88 firewall(config-network-object)#nat (inside,outside) static interface service udp 88 88 firewall(config-network-object)#exit firewall(config)#
The NAT rules have now been set up and any traffic destined for the ASA's outside interface on UDP/3074, TCP/3074 or UDP/88 will have its destination address translated to the IP address associated with the named network objects 'xbox-nat-udp3074', 'xbox-nat-tcp3074' and 'xbox-nat-udp88' (192.168.1.100).
There is one final piece to the puzzle. Even though the NAT rules are in place for the correct address translation to take place, you will find that running the test wizard on your Xbox will still say that there is a problem with the NAT configuration. Ths is misleading because we know the rules have been configured correctly. What's actually happening is that, although the NAT translation is allowed to happen, the traffic itself is blocked because the ASA is a firewall device and there is no matching rule for the traffic to say that it is allowed into the device at all.
This situation is easily remedied by using the 'xbox-live-3074' and 'xbox-live-88' services we set up earlier in conjunction with access rules:
firewall(config)#access-list outside_access_in line 1 extended permit tcp any object xbox object-group xbox-live-3074 firewall(config)#access-list outside_access_in line 2 extended permit udp any object xbox object-group xbox-live-3074 firewall(config)#access-list outside_access_in line 3 extended permit object xbox-live-88 any object xbox
As a result of these rules any source IP address on the internet that is trying to access the inside IP address of the Xbox (after address translation) on the specified service ports is allowed to pass through the firewall.
Now the network test wizard on the Xbox device should complete successfully and the online gaming experience can once again be enjoyed in full!