Full cone/Port Restricted/Restricted NAT


L2 Linker

Hi all,

I need to make a VoIP server work behind my PA-3020. The server uses the STUN protocol and requires that the NAT is not symmetric.

I've tested a public STUN server (for example stun.telbo.com on port 3478) using pystun3 (a Python tool to retrieve the NAT type).

This is what I got (A.B.C.D is my public IP):

~# pystun3 -H stun.telbo.com -d
DEBUG:pystun3:Do Test1
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:recvfrom: ('77.72.169.210', 3478)
DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 45548, 'SourceIP': '77.72.169.210', 'SourcePort': 3478, 'ChangedIP': '77.72.169.211', 'ChangedPort': 3479}
DEBUG:pystun3:Do Test2
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:Result: {'Resp': False, 'ExternalIP': None, 'ExternalPort': None, 'SourceIP': None, 'SourcePort': None, 'ChangedIP': None, 'ChangedPort': None}
DEBUG:pystun3:Do Test1
DEBUG:pystun3:sendto: ('77.72.169.211', 3479)
DEBUG:pystun3:recvfrom: ('77.72.169.211', 3479)
DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 11317, 'SourceIP': '77.72.169.211', 'SourcePort': 3479, 'ChangedIP': '77.72.169.210', 'ChangedPort': 3478}
NAT Type: Symmetric NAT
External IP: A.B.C.D
External Port: 11317

What we can see is that:

- my internal server tries to call stun.telbo.com on port 3478

- 77.72.169.210 replies from the alternate IP address and alternate port (as STUN does when retrieving the NAT type), 77.72.169.211 port 3479

- PAN drops the connection because it comes back from a different IP and port (that's symmetric NAT)

How could I configure PAN to make the NAT port restricted (at least for my private IP and for a couple of addresses of my STUN server provider)?

Thanks
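To make the three probes in the pystun3 output easier to follow, here is the RFC 3489 NAT-type decision tree as an added Python example (not pystun3's own code and not part of the original post). The primary and alternate server addresses are taken from the debug output above; the private address 10.0.0.5 is an assumption, and the second result table is constructed to show how the same run would look behind the port-restricted NAT the poster is asking for.

```python
# RFC 3489 NAT-type decision tree, re-implemented here to show how pystun3 reached
# "Symmetric NAT" from the three results above. Constructed example, not pystun3 code.
# A probe is called as probe((ip, port), change_ip, change_port) and returns the
# mapped (external_ip, external_port) the STUN server reported, or None if no reply.

def classify_nat(probe, local_ip, primary, alternate):
    # Test I: plain binding request to the primary server address.
    first = probe(primary, False, False)
    if first is None:
        return "Blocked"
    if first[0] == local_ip:
        # No translation at all; only check whether unsolicited sources get through.
        return "Open Internet" if probe(primary, True, True) else "Symmetric UDP Firewall"
    # Test II: ask the server to answer from its alternate IP *and* alternate port.
    if probe(primary, True, True):
        return "Full Cone"
    # Test I again, toward the alternate address: a symmetric NAT allocates a new
    # external port per destination, so this mapping differs from the first one.
    second = probe(alternate, False, False)
    if second is None:
        return "Undetermined (no reply from alternate address)"
    if second != first:
        return "Symmetric NAT"
    # Test III: same server IP, different source port only.
    return "Restricted Cone" if probe(primary, False, True) else "Port Restricted"

def replay(log):
    """Build a probe that answers from a recorded table of (dest, change_ip, change_port)."""
    return lambda dest, change_ip, change_port: log.get((dest, change_ip, change_port))

PRIMARY, ALTERNATE = ("77.72.169.210", 3478), ("77.72.169.211", 3479)
LOCAL_IP = "10.0.0.5"  # assumed private address of the VoIP server
# Transcribed from the pystun3 debug output in the post: Test1 mapped to A.B.C.D:45548,
# Test2 got no reply, Test1 toward the alternate address mapped to A.B.C.D:11317.
POST_LOG = {
    (PRIMARY, False, False): ("A.B.C.D", 45548),
    (PRIMARY, True, True): None,
    (ALTERNATE, False, False): ("A.B.C.D", 11317),
}
# Constructed: behind a port-restricted NAT the mapping is reused for the alternate
# address, but a reply from a changed source port alone is still dropped.
PORT_RESTRICTED_LOG = {
    (PRIMARY, False, False): ("A.B.C.D", 45548),
    (PRIMARY, True, True): None,
    (ALTERNATE, False, False): ("A.B.C.D", 45548),
    (PRIMARY, False, True): None,
}
def nat_type_from_post():
    return classify_nat(replay(POST_LOG), LOCAL_IP, PRIMARY, ALTERNATE)  # "Symmetric NAT"
def nat_type_port_restricted():
    return classify_nat(replay(PORT_RESTRICTED_LOG), LOCAL_IP, PRIMARY, ALTERNATE)  # "Port Restricted"
```

The differing external ports (45548 vs 11317) in the two Test I results are what tips the classifier into the symmetric branch; a firewall that reuses the same mapping for both destinations would fall through to Test III instead.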


Cyber Elite

Is the application being identified properly as STUN?

Have you tried disabling ALG on the App-ID?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The application is identified as STUN. In addition, I've done an application override to customize the UDP timeout, but with no results.

I've disabled ALG in SIP, but there's no SIP traffic, just STUN.

Thanks

L2 Linker (accepted solution)

There was a session that needed to be cleared before retrying; now it's working.

Thanks

N.
