Gaming PCs and Consoles with DIPP NAT


L4 Transporter

Hi all,


I've been researching this for a while now and I've also opened a case on the issue.  Basically we just moved off of our Cisco ASA platform and on to our Palo Alto and I've run into a snag with gaming devices.  We're a university with quite a few on-campus students and they understandably want to be able to use their entertainment devices on the network.  This all seemed to work fine with the ASA... each building had a single public IP address for NAT and the ASA used Port Address Translation and the gaming devices showed they were behind a "Type 2" or "Moderate" NAT.


My new config is an Active/Active deployment and I've set up four public IP addresses for each building using DIPP.  Gaming devices, as well as some PC game and voice applications, now show they're behind a "Type 3" or "Strict" NAT.  Certain game and voice functionality will not work in this environment.


I know Palo Alto's first suggestion is Static NAT which is a bit problematic when we're talking about hundreds of devices.  Sure, it's possible but it's a bit of a management headache.  I'd love to just give them all public IPs and move away from NAT but we simply don't have enough IPv4.


I'm curious how others have resolved this?


Cyber Elite

You might want to give dynamic IP a shot (sans port).


This method maintains the original source port of the client, which comes in handy with gaming consoles.

It may be a bit more demanding on your pool, but if you have 4 IPs that should help (you can always oversubscribe a little AND there's a DIPP backup): Tutorial: Network Address Translation



Can I ask the reason Active/Active is being used? (It's only really good to 'fix' asymmetric routing; for all other scenarios it usually simply decreases capacity and increases complexity.)

Tom Piens
PANgurus - (co)managed services and consultancy
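To make the "sans port" point above concrete, here is an added example (not from the thread, not Palo Alto Networks code) that models the two NAT modes as a small mapping table and runs the kind of two-server probe a console uses to classify its NAT: dynamic-ip is modelled as a 1:1 public IP that keeps the client's source port, DIPP as a fresh public port per session; the pool addresses, the console's socket and the probe servers are constructed sample values, and the per-session port model is a simplification, not a description of the firewall's actual allocation algorithm.

```python
"""Simulate how a console's NAT-type probe sees two source-NAT modes.

Added example, not from the thread or from Palo Alto Networks. Models the
simplification stated in the thread: 'dynamic-ip' keeps the client's source
port on a 1:1 public IP, while 'dipp' hands out a new public port per
session. All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field
import itertools

PUBLIC_POOL = ["203.0.113.10", "203.0.113.11"]  # constructed pool (TEST-NET-3)


@dataclass
class Nat:
    """A minimal source-NAT table keyed by the 4-tuple the firewall sees."""
    mode: str                                   # "dynamic-ip" or "dipp"
    table: dict = field(default_factory=dict)   # flow -> (public ip, public port)
    ip_map: dict = field(default_factory=dict)  # private ip -> reserved public ip
    ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the public (ip, port) this flow is sent from; create it if new."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return self.table[key]
        if self.mode == "dynamic-ip":
            # One public IP per private host, original source port preserved.
            pub_ip = self.ip_map.setdefault(
                src_ip, PUBLIC_POOL[len(self.ip_map) % len(PUBLIC_POOL)])
            mapping = (pub_ip, src_port)
        else:
            # DIPP as modelled here: shared public IP, new public port per session.
            mapping = (PUBLIC_POOL[0], next(self.ports))
        self.table[key] = mapping
        return mapping


def probe_nat_type(nat, console=("10.20.30.40", 3074)):
    """STUN-style probe: one console socket talks to two servers; compare mappings.

    A console reports the friendlier type when both servers see the same public
    endpoint (endpoint-independent mapping); a mapping that changes with the
    destination is what it reports as the strict type.
    """
    m1 = nat.translate(*console, "198.51.100.1", 3478)
    m2 = nat.translate(*console, "198.51.100.2", 3478)
    if m1 == m2:
        return "Moderate (Type 2): same public endpoint for every destination"
    return "Strict (Type 3): public endpoint changes per destination"
```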

Cyber Elite

Having set up housing networks with PA devices, I've always set up different floors with one public IP address apiece (obviously this would need to be modified to fit what you are allocated), and then set them up with a dynamic-ip-and-port policy to match their network range. This would be even easier if you do things on a per-building basis like you are, and I've never run into any issues with it at all.


I would be curious to know why an active/active configuration was used as well; some people moving from an existing ASA active/active configuration just keep the same basic setup, even when it doesn't really make sense from a Palo Alto perspective. I would investigate whether you actually need to be doing this; more than likely you don't and would benefit the same from an active/passive configuration.

Thanks for the reply so far guys.


The active/active deployment was originally chosen by our previous network admin and I continued on the deployment after they left.  We have dual-homed 10gig connectivity from our provider and our traffic can take either connection going out depending on the route.  We're not using even a single full 10gig connection yet so it probably doesn't really matter at this time, but the idea was to have the capacity for the full 20gig use if needed down the line.  Of course if we have a failed piece of hardware at some point it may result in degraded service, but probably only if we're utilizing over 10gig of bandwidth at that time.  So far everything seems OK with the deployment other than that the way I'm currently advertising our NAT IP addresses is just an OSPF export rule facing our edge router, so each firewall sees a route to the other one.  This hasn't seemed to affect incoming traffic though.


I've been testing with my PS4 and, so far, the only way I've gotten a Type 2 is to set its NAT to a Dynamic IP pool.  The DIPP pool gives it Type 3 Strict every time.  The current rule I'm testing is a reserved DHCP address for the PS4 and it is NATed with a DIPP pool of a single public IP.  Even with this I'm getting Type 3.


BPry, if you've gotten this to work with DIPP is the thought that it might be something to do with the Active/Active?  My DIPP NAT rules are configured with the same 4 IP addresses for each PAN box for complete failover (i.e. no dropped incoming packets in case of a single firewall outage since both firewalls have the same NAT rules with all of the 4 IPs per building).


I've been thinking that our UDP session timeout on the ASA was modified to be much longer than the default on the PAN boxes (30 seconds), or that perhaps Cisco's implementation of PAT was a bit more sticky as far as what ports each device got each time it established a new session.


I don't believe this is a UDP timeout problem... this is likely an Application-Layer Gateway issue.  In order to escape from the most restrictive NAT modes, most gaming consoles require that the NAT device support UPnP or be configured with static NAT.


The main problem is that UPnP is an extremely insecure protocol and is not supported today by Palo Alto Networks firewalls.  This is a good thing(tm), generally speaking, as the environment is more secure... but can be somewhat problematic for users in your type of environment.


Have you had this problem with Xbox?  My understanding is that Palo Alto Networks modified the "teredo" App-ID (which is required for the Xbox-Live App-ID to function properly) and added an Application-Layer Gateway (ALG) with the goal of making Xbox Live compatible with DIPP NAT.


If Xbox is working in moderate-NAT mode using standard DIPP NAT, then I'd open a feature request and/or Application request to have them do something similar for the Playstation-Network App-ID signature.

