For a Good Time Forward Your Ports.

Over the past few months I have been ramping up for the next phase of my career.  I strongly believe that Data Center technologies are going to power the future of not only servers and applications but indeed all sectors of IT services including networking.  Recent announcements from both Cisco and VMware about competing virtual firewalls, new L2 virtualization models within VMware and players such as Vyatta seem to indicate that I am correct.  So along those lines I have been working to re-design my home lab and ramp up to learn these technologies as well as knock down my CCNP in prep for starting my CCIE early next year.

As part of my initial prep I wanted to replace my ageing but very functional PIX 501. It has been my trusty little firewall for close to 5 years now and it has handled everything I have thrown at it, including port forwarding for my various external access projects. Thanks to my friends at Redemtech I was able to pick up a PIX 515E and jump it up to 8.0(4). For all intents and purposes I now have an ASA but without the cost or SSL VPN. But again I have to redo all my port forwarding. Each version of PIX OS seems to be a bit different and each time I confuse the crap out of myself about what should be in and what should be out and each time I just about say screw it and order business class internet with multiple IPs for way more than I can afford or need. But once again I have stumbled around and have the answers. So for anyone else looking for some guidance here ya go.

For a quick reference I am only going to show the port forwarding elements that are relevant for forwarding ports for my Xbox360. These same steps apply to any other port forwarding in PIX/ASA 7.0 through 8.0(4). Starting in version 8.3 everything changes, so be aware.

The Xbox360 requires the following ports to be open for full access to XboxLive:

• TCP 80
• UDP 88
• UDP 3074
• TCP 3074
• UDP 53
• TCP 53

My Xbox360 Private IP address:  10.92.80.100

Public Interface on PIX 515E:  OUTSIDE

And now for the guts of how to do this:

This first code segment defines an object-group that holds all of the required ports.  This gives us a flexible platform that allows the entire change to be implemented in a single ACL even if it does require multiple Static NAT entries.  If Microsoft would ever require more ports for service we would simply add them to this object-group.

object-group service xboxpf
service-object tcp-udp eq 3074
service-object tcp-udp eq domain
service-object tcp eq www
service-object udp eq 88

This is the required access-list to enable hosts from the public internet to pass through.

access-list OUTSIDE_ACCESS_IN extended permit object-group xboxpf any interface OUTSIDE

Here is the breakdown of how it works.

access-list OUTSIDE_ACCESS_IN = This defines it as an Access Control List and an arbitrary name.  I choose names that show how the ACL is to flow.  In this case any data flowing from the outside (public internet) to my Inside (private network) passes through this ACL.

extended = This defines the type of ACL we are using.  Extended allows for source and destination info.  Check out this link for more info.

permit = This states that we are allowing the traffic defined in this line of the ACL.

object-group xboxpf = This names the object-group that defines the ports and protocols to allow through. It is the object-group we created in the first command.

any = States that any public IP address is affected by this ACL. I would prefer this to be specific public IPs or an object group that includes all of the XboxLive Servers. I plan on working on digging these up shortly.

interface OUTSIDE = This defines the “IP Address” that public hosts can access.  Normally this would be a true public IP address.  However in the case where you use a DHCP address on the OUTSIDE interface to NAT this command takes the place of a real IP.

I am also a big fan of housekeeping in a config. The PIX/ASA platforms allow lots of naming, grouping and notation options. For this config I am going to define an Object Name for my Xbox360 so it is easy to identify in logs and config parameters.

names
name 10.92.80.100 Xbox360

names = Opens the name sub-command.

name 10.92.80.100 Xbox360 = name defines a new named object. 10.92.80.100 is my private IP address and Xbox360 is an arbitrary name I defined. This will be what we see in logs and what we see in the static NAT in the next step.

This next step is to define the static nat statements that include the actual port forwarding.  It is key to mention that you can only define a port once using this method.  Host X and Host Y cannot both port forward to TCP 80.  But there are lots of ports that we can custom define in a home lab environment so this should not be a problem in most cases.

static (INSIDE,OUTSIDE) tcp interface www Xbox360 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface 88 Xbox360 88 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface domain Xbox360 domain netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface domain Xbox360 domain netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

The final step is to assign the access-list from the first step to an access-group which in turn ties it to a physical or virtual port.

access-group OUTSIDE_ACCESS_IN in interface OUTSIDE

access-group = The command that assigns an ACL to an interface.

in = Defines whether the ACL is applied to inbound or outbound traffic. This is one of the trickiest aspects of ACLs and gets really fun when you are working with virtual interfaces like an SVI. My simple trick is that in means traffic comes from the physical location of the port, while out comes from the inside of the device. Not always accurate, but it's a point of reference. For more info check out this link from Cisco.

interface OUTSIDE = Simply defines what interface the ACL is applied to.

Follow these commands with:

clear xlate = Clears the existing translation table.

clear local = Clears the local host table and connections.

clear arp = Clears the ARP table.

Check out this link for all the clear commands.

And that is it. The Xbox360 provides a really quick way to test. Go to My Xbox and head all the way to the right to settings. From there choose network and run the connectivity test for Xbox Live. If it comes back with no errors your foray into port forwarding was a success. Keep in mind that all the same info applies to port forwarding any private IP to a port and, as I will post soon, will come in handy for secure access to hosts in my DMZ and several of the labs I plan on running.
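The object-group, the ACL and the static entries have to stay in step with each other, and a public port can only be forwarded once. The Python below is an added example, not part of the original post: it audits a draft config for ports that are permitted but not forwarded (or the reverse), for a public port forwarded twice, and for the any source discussed above. The function names and the two-entry port-name table are assumptions made for illustration.

```python
import re

# Constructed sample input: the object-group, ACL and static commands from this post.
CONFIG = """\
object-group service xboxpf
 service-object tcp-udp eq 3074
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object udp eq 88
access-list OUTSIDE_ACCESS_IN extended permit object-group xboxpf any interface OUTSIDE
static (INSIDE,OUTSIDE) tcp interface www Xbox360 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface 88 Xbox360 88 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface domain Xbox360 domain netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface domain Xbox360 domain netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp interface 3074 Xbox360 3074 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255
"""
NAMED = {"www": 80, "domain": 53}  # only the port names used in this post
STATIC = re.compile(r"static \(\w+,\w+\) (tcp|udp) interface (\S+) \S+ \S+ netmask")

def port(tok):
    return NAMED.get(tok) or int(tok)  # other port names raise ValueError

def permitted(cfg, group):
    """(protocol, port) pairs opened by the service-objects of one object-group."""
    out, inside = set(), False
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["object-group", "service"]:
            inside = w[2] == group
        elif inside and w[:1] == ["service-object"]:
            protos = ("tcp", "udp") if w[1] == "tcp-udp" else (w[1],)
            out |= {(p, port(w[3])) for p in protos}
        else:
            inside = False
    return out

def audit(cfg, acl="OUTSIDE_ACCESS_IN"):
    """Compare what the ACL permits with what static PAT actually forwards."""
    rule = re.search(rf"^access-list {acl} extended permit object-group (\S+) (\S+)", cfg, re.M)
    allowed = permitted(cfg, rule[1])
    fwd = [(m[1], port(m[2])) for m in map(STATIC.match, cfg.splitlines()) if m]
    findings = [f"{p}/{n} forwarded more than once" for p, n in sorted(set(fwd)) if fwd.count((p, n)) > 1]
    findings += [f"{p}/{n} forwarded but not permitted" for p, n in sorted(set(fwd) - allowed)]
    findings += [f"{p}/{n} permitted but not forwarded" for p, n in sorted(allowed - set(fwd))]
    if rule[2] == "any":
        findings.append("ACL source is any")
    return findings

print(audit(CONFIG))
```

Run against the config in this post, the only finding is the any source; the port lists themselves line up.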
