topic PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online in General Topics

PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

catrock — Sun, 21 Oct 2018 13:08:20 GMT

Greetings,

I am trying to create the NAT IP only rule as outlined here.

https://www.ericooi.com/palo-alto-firewall-home-network/

I have a single External WAN interface Etherenet 1/1.

I am wondering how the referenced NAT SOURCE Translation interface (Object/Physical/Other???) is created to configure the Source Translation?

I am only able to add 'internal objects/interfaces when configuring on my PA-220.

---------------------------------------------------------------------------------------------------------------------------------------------------------

Online Console Gaming

Problem: NAT Dynamic IP & Port Policy

Anyone who knows me knows I’m a giant Nintendo fanboy. Shortly after setting up the Palo Alto firewall, I decided to play some online Mario Kart, only to find that my new Nintendo Switch would no longer connect. Sadface.

It turns out that Palo Alto firewalls do not support “Universal Plug and Play” (UPnP) which had allowed me to connect easily on my consumer-grade wireless router. This makes sense from an enterprise-grade firewall perspective as you would want to explicitly control what’s allowed inside and outside of your network.

Back to searching and I found a helpful comment on a post discussing how Palo Alto handles game console traffic. It turns out you need to create a specific NAT policy ahead of your default internet outbound NAT rule. This NAT policy should specify the IP of your video game console as the source address and use only “dynamic-ip” source translation instead of “dynamic-ip-and-port” source translation.

So that I don’t have to periodically update the Nintendo Switch’s source address in the NAT rule due to DHCP, I configured the firewall’s DHCP relay to always assign my Switch the same IP and created an Address Object on the firewall using this same IP. See the screenshot below for how the NAT policies ultimately looked in the end.

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

catrock — Mon, 22 Oct 2018 02:31:44 GMT

Ah. Since I have a DHCP ISP Assigned - I need to manually update my External Interface object as needed.

I tried creating the Interface object wiht a static IP then I was able to assign it to the NAT. Buggers!!

Forgot that would break all the outgoings..

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

catrock — Mon, 22 Oct 2018 02:59:31 GMT

Moved the Nintendo NAT down (after the primary NAT).

General outgoing and specific Nintendo Switch device as well - Work fine for now.

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

dmyers — Sat, 27 Oct 2018 18:46:14 GMT

how did that help? if you put the Nintendo NAT below the regular internet then it would never get used?

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

catrock — Sun, 28 Oct 2018 20:01:03 GMT

I assigned an IP DHCP reservation to the Nintendo Switch and created an object for it. Assigned the source object to the specific NAT.

It does get used. Working fine, as well as all other traffic on the above NAT

I do receive the warning when committing config.

Warnings

vsys1
NAT Policy:
- Rule 'Internet Outgoing NAT' shadows rule 'Nintendo Online'
(Module: device)