topic Re: Xbox Live with dynamic public IP in General Topics

Xbox Live with dynamic public IP

swoods79 — Sun, 29 Jun 2014 22:58:51 GMT

I know that this topic has been discussed before, but I cannot seem to find an exact scenario match since I am dealing with a dynamic public IP address.

Interfaces

ethernet1/1

Primary internal network
Default virtual router
172.16.50.1/24
Zone: Internal

ethernet1/2

Public internet connection with dynamic IP address
Default virtual router
Zone: External

ethernet1/3

Secondary internal network dedicated to Xbox
Default virtual router
172.16.51.1/24
Zone: Xbox
DHCP reservation in place for the Xbox at 172.16.51.2

Security Policies

Rule to allow traffic from Internal and Xbox zones to External zone.
- Includes URL filtering, etc.
Rule to deny all other traffic.

NAT Policies

Single NAT policy defined as follows:
- Original Packet
  - Source Zone: Internal, Xbox
  - Destination Zone: External
  - Destination Interface: ethernet1/2
  - Service: any
  - Source Address: any
  - Destination Address: any
- Translation Packet
  - Translation Type: Dynamic IP and Port
  - Address Type: Interface Address
  - Interface: ethernet1/2

Internal and Xbox zones are able to browse the Internet without any issues; however, the Xbox reports the NAT type as Strict which causes Xbox Live to not function properly. Given the fact that I have only a single public IP address for all traffic (which is also dynamic and not static), how do I go about allowing the necessary ports through to the Xbox?

Ports in question: Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports

Thank you in advance!

Steven

Re: Xbox Live with dynamic public IP

HULK — Mon, 30 Jun 2014 05:56:57 GMT

Hello Swoods,

I hope this KB doc will help you: Palo Alto Networks Firewalls & Xbox360 - Strict NAT

Thanks

Re: Xbox Live with dynamic public IP

HULK — Mon, 30 Jun 2014 06:34:37 GMT

Hello Swoods,

Could you please give us an explanation about "NAT type as Strict which causes Xbox Live to not function properly" in details. Also, please let us know, what application you have set in the security policy.

Thanks

Re: Xbox Live with dynamic public IP

pulukas — Mon, 30 Jun 2014 11:59:23 GMT

The user supplied solution that Hulk shows only works if you can configure static nat. Obviously that is not an option in your case where you have a dynamic ISP and only the one address available.

I would start by taking the xbox off the existing outbound policy and give it on without any url filtering or inspection at all. Then see if that changes your Xbox live test status.

Re: Xbox Live with dynamic public IP

swoods79 — Mon, 30 Jun 2014 13:49:10 GMT

I've already tried this and it made no difference. I need to define the NAT policy but the nature of having a dynamic IP for the external connection is confusing me.

I did find this document: https://live.paloaltonetworks.com/docs/DOC-3095

Does this mean that the only option would be to use a dynamic DNS host and then refer to the FQDN?

Re: Xbox Live with dynamic public IP

gwesson — Mon, 30 Jun 2014 16:30:23 GMT

Hi Steven,

Xbox Live generally requires several ports to be forwarded directly to the system if you can't use UPnP. Since the Palo Alto Networks firewalls drop UPnP traffic, you're limited to opening the ports that the Xbox wants. Those ports should be (Source: Xbox.com Forums😞

UDP 53
TCP 53
TCP 80
UDP 88
UDP 3074
TCP 3074

Try creating a NAT rule for those six ports to forward to the Xbox. You will need to set up a DynDNS unless you want to track your dynamic IP and update it whenever your ISP changes it. If you have a cable modem or DSL, often times the IP stays the same unless the modem is unplugged for a few days. The lease on a lot of the major US ISPs tends to be about 3 days, but your mileage may vary.

Good luck!

Greg

Re: Xbox Live with dynamic public IP

swoods79 — Mon, 30 Jun 2014 17:00:46 GMT

This would be a destination NAT correct?

Re: Xbox Live with dynamic public IP

gwesson — Mon, 30 Jun 2014 17:29:49 GMT

Correct. You need to do D-NAT for those ports on your public IP (or DynDNS name) to the Xbox.