adanarth malachy cheryl


Silvina Spindler

Aug 2, 2024, 3:20:55 AM
to olbalibol

I have given this several hours and have gotten one XBOX on our network to have an open NAT. I did this by creating a DNAT for each port needing to be opened that translated back to the XBOX. Below is a screenshot of one of the 10 port openings needed to get the XBOX to respond with "Open" when tested.

I have about 10 of these and they work! Great, right? Here's where my question comes in. Since about half of our campus is residential, this won't be the last time this comes up. We have a group of hosts called "Entertainment Consoles" that skip a lot of the security stuff so that Netflix can run smoothly, but is there a way to bulk define several ports to be open to hosts within a group? We have loved being able to address "laggy Netflix" requests with a simple "give us your MAC and we'll clear it up" solution. But having to open 10 ports for every person's XBOX could get messy. In all reality it wouldn't be that bad, I am just wondering if there is a cleaner way using service and host groups.

My other question is if this will actually work once we have multiple XBOXs in there? Won't this send all of the traffic on those ports to the first XBOX in the list, so none of the other XBOXs would get any incoming traffic on these ports? Or am I crazy?

I have tried using a rule that replaces the incoming service port with a group of all of the XBOX Live service ports, then defining the host, and leaving the translation service port blank, but it didn't seem to work.

Having issues with my Xbox One S connecting to Xbox Live. All services are up and running; XB network settings showed connected to Internet, but cannot connect to XB Live Service. Per Microsoft, the port I need is 3074 plus the following:

I cannot find which ports are open on the Orbi router, so I cannot tell if they are open or not. Further, I have assigned static IPs to both the wired and wireless MAC addresses; so should I port-forward these ports? (When I tried setting up 3074, I was told it was used by other services.) This issue occurs both wired and wireless on the XB.

I would hold in the power button until it turns off. Then do a full reboot of the ISP modem and Orbi router. After it's all back to ready, power ON the Xbox and check IP address and NAT status. It should be OPEN in network settings and in a game.

Modem Combo Units:
Couple of options,
1. Configure the modem for transparent bridge mode. Then use the Orbi router in router mode. You'll need to contact the ISP for help and information in regards to the modem being bridged correctly.
2. If you can't bridge the modem, disable ALL wifi radios on the modem, configure the modem's DMZ or IP Pass-Through for the IP address the Orbi router gets from the modem. Then you can use the Orbi router in Router mode.
3. Or disable all wifi radios on the modem, leaving it in router mode, connect the Orbi router to the modem, and configure AP mode on the Orbi router.

I was having issues with Xbox live as well as streaming Netflix and Amazon Prime through the Xbox one. Disabling Port Scan and DoS protection fixed the issue for me. Log into the router settings through , then access Advanced->Setup->WAN Setup and check the box for "Disable Port Scan and DoS Protection".

I recently purchased a pair of ASA 5550s to upgrade my home network since I have a Gig line but the 3900 I've been using as my boundary firewall throttles filtered traffic at about 150Mbps. I *thought* the 5550s would be very similar to routers--they are not (but that has been discussed to death, I learned). I got my first 5550 up and working correctly. All services run where they're supposed to (I still need to do some port mapping for my Xbox Live service, and I never did get PAT to work via ASDM, I just had to go wing it in the command line), except for ONE. My Roku SmartTV can't stream any media, however a "connection test" shows that it is online and receiving packets (self-reported by the device). Here's the extra weird part: Netflix, HBO Go, and Amazon Prime (my 3 streaming services) all work flawlessly and FAST on every PC and laptop, and the Xbox, plugged into the network (I've tested on about 5 devices, all plugged into the same switch, VLAN, and subnet as the TV). It appears to ONLY affect the smart TV, but the smart TV is still online(?!). The Sharp/Roku website for network support is a joke, and I certainly can't find any information about the ports used by the apps--but everything I can find about Netflix says that 80 and 443 are all Netflix uses, and I can't imagine it would be different for the SmartTV app? I've posted the running config below with sensitive data omitted. You'll see a bit of a cluster of network objects from when I was fighting with ASDM, but most of them are idle and just need to be deleted--they aren't affecting connectivity or even in use. You'll also see where I tried to whitelist the Netflix domain, hoping that it was just a zone security issue, but that has not helped. For obvious reasons, I would like to run my entire LAN through the firewall and not have to route around the security appliance for my TV (or any other smart appliances that come online).
I'm also open to any feedback on the config or what services I should set up next, as this is my first ASA and it's still highly experimental on my network. Thanks!

Per your instructions I ran an asp-drop capture. Sorry to say that just spits out the frames at the hex level, and didn't have especially useful information. After spinning through the frames I did a little research and solved the problem. I actually had to enable system logging and set the logging sensitivity so that I could pull syslogs out of the buffer and compare the syslog codes to the index at:

302020, 302021 are syslogs that recurred every 50-100 NAT entries to try and build ICMP tunnels into the network. Could be innocuous, could be ICMP messages that fly around the network and gather information about who-knows what.

Needless to say I consider this issue resolved. The ASA is blocking my TV because it's trying to do its own port-mapping in the internet gateway. I will likely isolate the television in its own VLAN and make a tunnel straight to the provider's appliance (keeping it on the OUTSIDE interface of my security appliance). It can map all the ports and send all the ICMP messages that it wants on the provider's gear.

no access-list ISP-PORT_access_in extended permit ip object Netflix any
no access-list ISP-PORT_access_in extended permit ip object Netflix1 any
no access-group ISP-PORT_access_in in interface ISP-PORT

The commands you referenced are my whitelist commands--I wanted to see if whitelisting the FQDN on the ISP interface would possibly help Netflix to run on the smart TV (it was a hail mary--I was out of other troubleshooting ideas), but it made no difference. I'll scrap the commands, but that doesn't help streaming services run to my smart TV. Are there any known issues with smart appliances running streaming services through an ASA?

This TV is kicking out HUNDREDS of FP L2 rule drop violations per minute. I'd say we've found the culprit (according to the Cisco ASA Command Reference): "FP L2 rule Drop: This counter will increment when the appliance denies a packet due to a layer-2 ACL. By default, in routed mode the appliance will PERMIT:

This is new for me too and to be honest I have no experience with TV/streaming or IoT as such, but as a network guy I would recommend that first we should know what kind of traffic it is and then if it looks good I would permit it. And why it is dropped, the specific reason, I would like to know.

@jin735 you will need to use a router like a Netgear MR60 that you can use for Wi-Fi and Ethernet and that has the ability to configure port forwarding and the like. The T-Mobile gateway is just a gateway/access to their cellular network for internet access.

@copz1998 is correct. You cannot create a NAT, or modify DHCP on T-Mobile gateways. I, for one, would be curious about how your Netgear MR60 reacts if you hook it to the T-Mobile gateway in any other mode than Access Point Mode, where I don't believe you can do port forwarding.

I was able to get this working in like 2 seconds. All I did was enable Meshnet in my NordVPN app on my main host PC and whatever other device I wanted to connect to it. I already had Nord so it was a no-brainer.

For me specifically it was a pc hosting sunshine streaming service so I could use moonlight from my nvidia shield for gaming. Worked like a charm. Even using my shield from states and thousands of miles away, all good
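The ASA troubleshooting above came down to reading 302020/302021 ICMP connection syslogs out of the buffer and noticing that one device was generating hundreds of them per minute. The script below, added here as an example and not part of the original post or of any Cisco tooling, does that triage over a handful of constructed log lines: it parses the ICMP "Built"/"Teardown" messages, counts them per inside address (laddr), computes builds per minute, and lists the hosts above a threshold. The field layout follows the ASA 302020/302021 message format as I know it; the hostnames and addresses are made up, and the regex should be checked against your own firewall's output before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original post). Layout follows the
# ASA 302020 (Built ICMP connection) / 302021 (Teardown ICMP connection) messages;
# fw01, the 192.168.10.x hosts and the public addresses are made up for illustration.
SAMPLE_LOGS = """\
Aug 02 2024 03:20:01 fw01 : %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.2/1 laddr 192.168.10.50/1 type 8 code 0
Aug 02 2024 03:20:01 fw01 : %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.2/1 laddr 192.168.10.50/1
Aug 02 2024 03:20:02 fw01 : %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.11/0 gaddr 198.51.100.2/2 laddr 192.168.10.50/2 type 8 code 0
Aug 02 2024 03:20:02 fw01 : %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.11/0 gaddr 198.51.100.2/2 laddr 192.168.10.50/2
Aug 02 2024 03:20:03 fw01 : %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.12/0 gaddr 198.51.100.2/3 laddr 192.168.10.50/3 type 8 code 0
Aug 02 2024 03:20:03 fw01 : %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.12/0 gaddr 198.51.100.2/3 laddr 192.168.10.50/3
Aug 02 2024 03:20:04 fw01 : %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.13/0 gaddr 198.51.100.2/4 laddr 192.168.10.50/4 type 8 code 0
Aug 02 2024 03:20:05 fw01 : %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.2/5 laddr 192.168.10.21/5 type 8 code 0
Aug 02 2024 03:20:05 fw01 : %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.2/5 laddr 192.168.10.21/5
Aug 02 2024 03:20:06 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:192.168.10.21/50112 (198.51.100.2/50112)
"""

# 302020 carries a direction word ("inbound"/"outbound"); 302021 does not, so it is optional.
# Addresses are captured up to the "/port" suffix so IPv6 literals also work.
ICMP_CONN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30202[01]): (?P<event>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"ICMP connection for faddr (?P<faddr>[^/ ]+)/\d+ gaddr (?P<gaddr>[^/ ]+)/\d+ laddr (?P<laddr>[^/ ]+)/\d+"
)
# Leading "Mon DD YYYY HH:MM" of the timestamp; the seconds are dropped for per-minute bucketing.
TIMESTAMP_RE = re.compile(r"^(?P<minute>\w{3} \d{2} \d{4} \d{2}:\d{2}):\d{2}")


def parse_icmp_conn(line):
    """Return the fields of a 302020/302021 line as a dict, or None for any other message."""
    m = ICMP_CONN_RE.search(line)
    return m.groupdict() if m else None


def icmp_connection_counts(lines):
    """Count ICMP connections built and torn down per inside address (laddr)."""
    counts = defaultdict(lambda: {"built": 0, "teardown": 0})
    for line in lines:
        rec = parse_icmp_conn(line)
        if rec is None:
            continue  # TCP/UDP builds, drops and other syslogs are ignored here
        counts[rec["laddr"]]["built" if rec["event"] == "Built" else "teardown"] += 1
    return dict(counts)


def icmp_builds_per_minute(lines):
    """Return {(minute, laddr): builds} so a rate threshold can be applied per host."""
    per_minute = defaultdict(int)
    for line in lines:
        rec = parse_icmp_conn(line)
        ts = TIMESTAMP_RE.match(line)
        if rec is None or ts is None or rec["event"] != "Built":
            continue
        per_minute[(ts["minute"], rec["laddr"])] += 1
    return dict(per_minute)


def noisy_icmp_hosts(lines, threshold):
    """Inside addresses whose total ICMP connection builds reach the threshold, sorted."""
    return sorted(h for h, c in icmp_connection_counts(lines).items() if c["built"] >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for host, c in sorted(icmp_connection_counts(lines).items()):
        print(f"{host}: {c['built']} built, {c['teardown']} torn down")
    for (minute, host), n in sorted(icmp_builds_per_minute(lines).items()):
        print(f"{minute} {host}: {n} ICMP builds")
    print("hosts above threshold:", noisy_icmp_hosts(lines, threshold=3))
```

On a real buffer you would feed the output of `show logging` (with logging at informational level so the 3020xx messages are retained) into `noisy_icmp_hosts` and set the threshold from what a normal device on the segment produces; a host that stands out the way the TV did is then a candidate for its own VLAN or a narrowly scoped permit rather than a blanket exception.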
