Jon,

I will try this when i get home and let you know the results.

Thanks for the reply!

Jon,

That fixed it!! Thank you so much!

I hate to bug you too much more, but what is the main difference between those 2 entries?

The entry you originally had said allow any source IP with a source port of 25565 to any IP address on any port but the source port would be a random source port generated by the client ie. not 25565 so your acl did not allow the traffic and it was blocked.

The entry you replaced it with says allow any source IP using any port to any IP with a destination port of 25565 which works because that is the port your server is using.

Hope that explains it, if not let me know and I'll go into more detail.

Glad you got it working

Jon

Jon,

Sorry to bug you again, but this should be the last time.

Should i be doing the same thing for the udp ports? I tried changing the acl entries for the udp ports to the same syntax as the tcp entry you gave and it wouldn't let traffic through so i had to change it back. Why would it be different between tcp and udp? Also, would i have to do anything different to forward udp ports, or is it just the same process except for changing tcp to udp?

Sorry to bombard you with these questions, but i really enjoy the help you've given so far. If nothing else, a nudge in the right direction will be more than enough for me.

Thank you so much!!

Don't worry about asking questions, that's what these forums are for and you can ask as many questions as you like.

I was a bit rushed last night so I'll give a bit more explanation and apologies if you already know this.

Whether it is TCP or UDP when a client connects to (usually) a server for the vast majority of applications the client generates a random port number. The server port number is a fixed port number because the client needs to know what port to connect on.

That applies to virtually all applications.

The direction you apply your acl is also important because it determines what are the source and destination IPs and port numbers.

In your case you applied it inbound so the source IP and port numbers are the clients on the internet and the destination IP and port numbers were the server which is why you needed to modify the acl entry.

I'm not sure why your UDP entries didn't work so by all means give some more details and we can look at that issue.

If you wanted to port forward UDP ports to an internal server then yes you would do exactly the same ie. a static NAT statement and then an entry in your acl in the format we used.

Feel free to come back with any more queries etc. you have.

Jon

Jon,

I will test it some more when i get home tonight, but yesterday i tried changing the udp entries in the ACL to be match the syntax of the tcp entries.

Example:

FROM - permit udp any eq 53 any TO - permit udp any any eq 53

I did this with all the udp entries in the InternetACL.

When i brought the connection back up with the updated udp entries, my WAN port (f0/1) wouldn't get a DHCP address from the modem. I changed the bootps entry back to permit any eq bootps any, and then i got an ip address, but left the other entries in the new format.

After trying to get around on the internet for a little bit and not getting anywhere, i ended up changing all the udp entries back to the old format (permit any eq 53 any) and everything was working again. Although when i tried to forward the udp ports it didn't seem to work.

This doesn't make sense to me because the syntax for the ACL entry that works means that it's looking at any source host from a specific port to access and destination host on any port, and from what you told me it should work the same as tcp.

I'm probably typing something wrong somewhere... Like i said though, i will try it out again tonight and see if i run into the same issue.

Thanks again!

Jon, 

Thanks for the help! I was able to get everything working the way i needed thanks to your explanation of the ACL entries and the reminder of how source and destination ports work. 

Everything is good now, and hopefully i won't be back with too many more questions.

Thanks again!