Router blocking Xfire

fumbles · 24 Jul 2007 at 21:44

Hello,

I recently installed Windows Vista (it rocks my socks), and Xfire seems to be not working. Well XFire works fine, it's the voice (ringing) stuff that does work.

I get this error message "NAT Check Failed, Error 11".

Now if I drop the outbound access list it works fine, type 1 nat or something. Thing is I only have to drop it when loading XFire, I can re-enable it and then make a call and it works fine.

http://www.xfire.com/nat_types/

I've got a Cisco 837, with ADSL1

Code:

ip nat inside source static udp 192.168.1.10 25777 interface Dialer1 25777
access-list 119 remark TO INTERNET
...
access-list 119 remark Xfire
access-list 119 permit udp any any eq 25777 log
access-list 119 permit tcp any any eq 25777 log
access-list 119 permit ip any host 204.71.190.131 log
access-list 119 permit ip any host 204.71.190.132 log

Originally it was just the first statement for the access list but I started to chuck things when it stopped working. Funny thing is that everything worked with XP, I don't remember changing anything. Unless I forgot to save the config and it crashed... maybe?

Code:

Luke uptime is 3 weeks, 6 days, 18 hours, 7 minutes
System returned to ROM by error - a SegV exception, PC 0x8097C848

I haven't been using Vista for 3 week, only like 1.

Thanks

[EDIT]
Ive got this at the end:

Code:

access-list 119 remark Block the rest
access-list 119 deny ip any any log
...
ip inspect audit-trail

I use syslog to pick up the messages and nothing is out of the ordinary.

fumbles · 26 Jul 2007 at 00:26

Bump, no one knows?

tolien · 26 Jul 2007 at 01:01

Is there a permit tcp...established?
If it's allowed with the ACL disabled, and remains allowed with the ACL enabled, it implies that once the connection's been established, it's not being filtered.

access-list 119 permit udp any any eq 25777 log
access-list 119 permit tcp any any eq 25777 log

Shouldn't that be permit tcp/udp any eq 25777 any log - it's port 25777 at the PC end rather than remotely, no?

I used to get Segmentation Violation crashes on my 837 - they disappeared when I upgraded the IOS (though my 837's no more than cardboard-box-stuffing now).

fumbles · 26 Jul 2007 at 06:06

tolien said:
Is there a permit tcp...established?
If it's allowed with the ACL disabled, and remains allowed with the ACL enabled, it implies that once the connection's been established, it's not being filtered.

Shouldn't that be permit tcp/udp any eq 25777 any log - it's port 25777 at the PC end rather than remotely, no?

I used to get Segmentation Violation crashes on my 837 - they disappeared when I upgraded the IOS (though my 837's no more than cardboard-box-stuffing now).

Thanks for the help!

I thought it was the remote port, but I tend to always get these mixed up. =\ I have tried it both ways.

There is no established.

Yeah I'm using the Version 12.3(2)XE3 IOS....

Luke uptime is 3 hours, 49 minutes
System returned to ROM by error - a SegV exception, PC 0x8097C848
Oh fiddlesticks.

I've been reading up on how it works. XFire contacts nat1.xfire.com to check to see if nat is working or something. Then it responds with a "sure" or just times out. If it passes this check you can do the voice stuff. Unfortunately it is not passing the test.

[EDIT] I managed to get it working, apparently it uses random UDP ports to connect to the above address. In my case those ports were 1717 and 9836, although I am not sure if they will change it any time.

Thanks for you help!! I've done CCNA, and am half way through CCNP. Access lists were never my thing.