PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

Reply
L2 Linker

PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

Greetings,

 

I am trying to create the NAT IP only rule as outlined here.

https://www.ericooi.com/palo-alto-firewall-home-network/

 

 

I have a single External WAN interface Etherenet 1/1.

 

I am wondering how the referenced NAT SOURCE Translation interface (Object/Physical/Other???) is created to configure the Source Translation?

I am only able to add 'internal objects/interfaces when configuring on my PA-220.

 

---------------------------------------------------------------------------------------------------------------------------------------------------------

Online Console Gaming

Problem: NAT Dynamic IP & Port Policy

Anyone who knows me knows I’m a giant Nintendo fanboy.  Shortly after setting up the Palo Alto firewall, I decided to play some online Mario Kart, only to find that my new Nintendo Switch would no longer connect.  Sadface.

It turns out that Palo Alto firewalls do not support “Universal Plug and Play” (UPnP) which had allowed me to connect easily on my consumer-grade wireless router.  This makes sense from an enterprise-grade firewall perspective as you would want to explicitly control what’s allowed inside and outside of your network.

Back to searching and I found a helpful comment on a post discussing how Palo Alto handles game console traffic.  It turns out you need to create a specific NAT policy ahead of your default internet outbound NAT rule. This NAT policy should specify the IP of your video game console as the source address and use only “dynamic-ip” source translation instead of “dynamic-ip-and-port” source translation.

So that I don’t have to periodically update the Nintendo Switch’s source address in the NAT rule due to DHCP, I configured the firewall’s DHCP relay to always assign my Switch the same IP and created an Address Object on the firewall using this same IP.  See the screenshot below for how the NAT policies ultimately looked in the end.

L2 Linker

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

Ah.  Since I have a DHCP ISP Assigned - I need to manually update my External Interface object as needed.

I tried creating the Interface object wiht a static IP then I was able to assign it to the NAT.  Buggers!!

Forgot that would break all the outgoings..

 

 

L2 Linker

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

Moved the Nintendo NAT down (after the primary NAT).

General outgoing and specific Nintendo Switch device as well - Work fine for now. 

L0 Member

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

how did that help? if you put the Nintendo NAT below the regular internet then it would never get used?

L2 Linker

Re: PA-220 - bidirectional NAT - how to get a Nintendo Switch to work online

I assigned an IP DHCP reservation to the Nintendo Switch and created an object for it.  Assigned the source object to the specific NAT.

 

It does get used.  Working fine, as well as all other traffic on the above NAT

 

I do receive the warning when committing config.

Warnings
  • vsys1
  • NAT Policy:
  • - Rule 'Internet Outgoing NAT' shadows rule 'Nintendo Online'
  • (Module: device)
 
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!