intecca

Technology, Politics, Life

XBOX not working over Cisco Router – ACL to the Rescue

Not everyone uses a Cisco router as a home internet router. And those who do, do not always use an ACL to deny any IP traffic from the internet and only allow specific traffic. But if you do all of the above, you may have trouble using XBOX apps over your home internet connection. I came across this exact problem with my Cisco 870 Router at home. Everything works, except XBOX connectivity. I mean XBOX came up, and you could play games locally. But there is no XBOX Live, no Netflix, no YouTube, not even a basic network connectivity test. Just see the attached:

[Screenshot: xbox-test-blocked]

What is wrong with this picture?
Let us take a look. Here is my router.


Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.1(4)M10,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 24-Mar-15 15:05 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

router1 uptime is 4 weeks, 6 days, 17 hours, 53 minutes
System returned to ROM by power-on
System restarted at 16:09:09 EST Sun Jan 8 2017
System image file is "flash:c870-advipservicesk9-mz.151-4.M10.bin"

I also do have an ACL, which is standard practice for most Cisco routers. I did remove a few entries for security reasons, but basically it looked like this:


router1#show ip access-l 101
Extended IP access list 101
10 permit tcp any any established (100150807 matches)
20 permit icmp any any (9662 matches)
30 permit udp any any eq ntp (32783 matches)
60 permit udp any eq bootps any (4953 matches)
70 permit udp host 8.8.8.8 any (711361 matches)
80 permit udp host 8.8.4.4 any (9407 matches)
90 deny ip any any (93644 matches)

So there was definitely some IP address that tried to reach out to my XBOX from Microsoft and ended up being blocked by entry number 90 in my access list. By enabling logging on the deny statement, I discovered that all conversations being dropped originate from this IP address: 65.55.42.20

The fix was simple. I checked the IP address to confirm that it indeed belongs to Microsoft, and it does: http://www.ipgeek.net/65.55.42.20

So I decided to open the entire /24 class on my ACL. Here is what I added:


router1#config t
router1(config)#ip access-l ext 101
router1(config-ext-nacl)#55 permit ip 65.55.42.0 0.0.0.255 any
router1(config-ext-nacl)#end
router1#copy run start

… so now my access list looks like this:


router1#show ip access-l 101
Extended IP access list 101
10 permit tcp any any established (100150807 matches)
20 permit icmp any any (9662 matches)
30 permit udp any any eq ntp (32783 matches)
55 permit ip 65.55.42.0 0.0.0.255 any
60 permit udp any eq bootps any (4953 matches)
70 permit udp host 8.8.8.8 any (711361 matches)
80 permit udp host 8.8.4.4 any (9407 matches)
90 deny ip any any (93644 matches)

… and voila! Now XBOX seamlessly turns on, connects to the internet and XBOX Live, runs network tests without failing and launches all apps. You are welcome.

[Screenshot: xbox network test success]
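
The first-match evaluation behind this fix, as an added example that is not part of the original post: a small Python model of access list 101 that reports which entry a packet hits, so you can see traffic from 65.55.42.20 fall through to entry 90 without entry 55 and match entry 55 with it. The `established` keyword is simplified to one flag (`ack_or_rst`), match counters are omitted, and any destination address or port numbers you pass in are your own test values.

```python
import ipaddress

# ACL 101 after the fix, copied from the page with match counters omitted.
ACL_101 = """\
10 permit tcp any any established
20 permit icmp any any
30 permit udp any any eq ntp
55 permit ip 65.55.42.0 0.0.0.255 any
60 permit udp any eq bootps any
70 permit udp host 8.8.8.8 any
80 permit udp host 8.8.4.4 any
90 deny ip any any
"""
PORTS = {"ntp": 123, "bootps": 67}  # IOS port keywords used in this ACL

def _addr(tok):
    # Consume "any", "host A" or "A WILDCARD"; return (address, wildcard) as ints.
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    if tok[:1] != ["eq"]:  # the "eq PORT" qualifier is optional
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORTS.get(name) or int(name)

def parse(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        e = {"seq": int(tok.pop(0)), "action": tok.pop(0), "proto": tok.pop(0)}
        e["src"], e["sport"] = _addr(tok), _port(tok)
        e["dst"], e["dport"] = _addr(tok), _port(tok)
        entries.append(dict(e, est="established" in tok))
    return sorted(entries, key=lambda e: e["seq"])  # IOS orders by sequence number

def evaluate(entries, proto, src, dst, sport=None, dport=None, ack_or_rst=False):
    # First match wins; wildcard 1-bits are "don't care"; ack_or_rst models "established".
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        (sn, sw), (dn, dw) = e["src"], e["dst"]
        if (e["proto"] in ("ip", proto) and (s | sw) == (sn | sw)
                and (d | dw) == (dn | dw) and e["sport"] in (None, sport)
                and e["dport"] in (None, dport) and (not e["est"] or ack_or_rst)):
            return e["seq"], e["action"]
    return None, "deny"  # implicit deny that ends every IOS ACL
```

Because entry 55 is `permit ip`, the model also returns `(55, "permit")` for a new TCP connection from any of the 256 addresses in 65.55.42.0/24 to any port. Tightening the entry to the protocol and ports recorded by the deny log keeps the fix while admitting less.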
