https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481682#M104194 <P>Hi all,</P><P>I need to make work a voip server behind my pa-3020. The server is using stun protocol and requires that nat is not symmetric.</P><P>I've tested a public stun server (for example stun.telbo.com on port 3478)&nbsp; using pystun3 (a python tool to retrieve nat type).</P><P>That's what I got (A.B.C.D is my public ip)</P><P>&nbsp;</P><P><EM>~# pystun3 -H stun.telbo.com -d</EM><BR /><EM>DEBUG:pystun3:Do Test1</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:recvfrom: ('77.72.169.210', 3478)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 45548, 'SourceIP': '77.72.169.210', 'SourcePort': 3478, 'ChangedIP': '77.72.169.211', 'ChangedPort': 3479}</EM><BR /><EM>DEBUG:pystun3:Do Test2</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': False, 'ExternalIP': None, 'ExternalPort': None, 'SourceIP': None, 'SourcePort': None, 'ChangedIP': None, 'ChangedPort': None}</EM><BR /><EM>DEBUG:pystun3:Do Test1</EM><BR /><EM>DEBUG:pystun3:sendto: ('77.72.169.211', 3479)</EM><BR /><EM>DEBUG:pystun3:recvfrom: ('77.72.169.211', 3479)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 11317, 'SourceIP': '77.72.169.211', 'SourcePort': 3479, 'ChangedIP': '77.72.169.210', 'ChangedPort': 3478}</EM><BR /><EM>NAT Type: Symmetric NAT</EM><BR /><EM>External IP: A.B.C.D</EM><BR /><EM>External Port: 11317</EM></P><P>&nbsp;</P><P>What we can see is that</P><P>- my internal server try to call stun.telbo.com on port 3478</P><P>- 77.72.169.210 replies with the alternate ip address and alternate port (as stun works for retrieving nat type), 77.72.169.211 port 3479</P><P>- pan drops the connection because it come back from a different ip and port (that's symmetric nat)</P><P>&nbsp;</P><P>How could I configure pan to make nat port restricted (at least for my private ip and for a couple of address of my stun server provider)?</P><P>&nbsp;</P><P>Thanks</P> Thu, 21 Apr 2022 15:05:06 GMT N2Z2 2022-04-21T15:05:06Z https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481682#M104194 <P>Hi all,</P><P>I need to make work a voip server behind my pa-3020. The server is using stun protocol and requires that nat is not symmetric.</P><P>I've tested a public stun server (for example stun.telbo.com on port 3478)&nbsp; using pystun3 (a python tool to retrieve nat type).</P><P>That's what I got (A.B.C.D is my public ip)</P><P>&nbsp;</P><P><EM>~# pystun3 -H stun.telbo.com -d</EM><BR /><EM>DEBUG:pystun3:Do Test1</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:recvfrom: ('77.72.169.210', 3478)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 45548, 'SourceIP': '77.72.169.210', 'SourcePort': 3478, 'ChangedIP': '77.72.169.211', 'ChangedPort': 3479}</EM><BR /><EM>DEBUG:pystun3:Do Test2</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': False, 'ExternalIP': None, 'ExternalPort': None, 'SourceIP': None, 'SourcePort': None, 'ChangedIP': None, 'ChangedPort': None}</EM><BR /><EM>DEBUG:pystun3:Do Test1</EM><BR /><EM>DEBUG:pystun3:sendto: ('77.72.169.211', 3479)</EM><BR /><EM>DEBUG:pystun3:recvfrom: ('77.72.169.211', 3479)</EM><BR /><EM>DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 11317, 'SourceIP': '77.72.169.211', 'SourcePort': 3479, 'ChangedIP': '77.72.169.210', 'ChangedPort': 3478}</EM><BR /><EM>NAT Type: Symmetric NAT</EM><BR /><EM>External IP: A.B.C.D</EM><BR /><EM>External Port: 11317</EM></P><P>&nbsp;</P><P>What we can see is that</P><P>- my internal server try to call stun.telbo.com on port 3478</P><P>- 77.72.169.210 replies with the alternate ip address and alternate port (as stun works for retrieving nat type), 77.72.169.211 port 3479</P><P>- pan drops the connection because it come back from a different ip and port (that's symmetric nat)</P><P>&nbsp;</P><P>How could I configure pan to make nat port restricted (at least for my private ip and for a couple of address of my stun server provider)?</P><P>&nbsp;</P><P>Thanks</P> Thu, 21 Apr 2022 15:05:06 GMT https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481682#M104194 N2Z2 2022-04-21T15:05:06Z https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481924#M104221 <P>is the application being identified properly as stun?</P> <P>have you tried disabling ALG on the app-id ?</P> Fri, 22 Apr 2022 12:38:41 GMT https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481924#M104221 reaper 2022-04-22T12:38:41Z https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481933#M104223 <P>The application is identified as stun. In addition, I've done an application override to customize udp timeout but with no results</P><P>I've disabled alg in sip but there's no sip traffic, just stun</P><P>Thanks</P> Fri, 22 Apr 2022 12:56:32 GMT https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481933#M104223 N2Z2 2022-04-22T12:56:32Z https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481977#M104227 <P>There was a session that needs to be cleared before retrying, now it's working.</P><P>Thanks</P><P>&nbsp;</P><P>N.</P> Fri, 22 Apr 2022 14:24:25 GMT https://live.paloaltonetworks.com/t5/general-topics/full-cone-port-restricted-restricted-nat/m-p/481977#M104227 N2Z2 2022-04-22T14:24:25Z