Nat type 2 , type 3 with playstation and xbox

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Nat type 2 , type 3 with playstation and xbox

L1 Bithead

Hello Everyone,

I have a problem with NAT that my end users are reporting that I have not been able to get to the bottom of. I am the administrator of a large University  and have multiple buildings for on site housing. 2-3k students live on site. Everything production wise is working fine but I keep having repeat tickets from students asking me to fix the nat type so that they can use playstations and xbox from their dorm rooms. I have been playing with the nat rules but have been unable to get them to change from nat type 3 to 2. I am needing some advise on the issue. It is a very simple setup when dealing with our nat. We source nat our users to a pool of IPs and I have included a screenshot.

paloalto.JPG.jpg

Here is my security policy for the game consoles

paloalto2.JPG.jpg

I moved a few of the the game users to our Cisco ASA and they go type 2 with no problems but I can not leave them on our asa. it was for testing mainly to see if the PA was the problem.

This is the issue my end users are telling me they would like us to fix.

PS3™ | Internet Connection Test

http://netnix.org/2011/09/06/understanding-ps3-nat/

Anybody else ran into this problem or know what could be the issue because I am not seeing anything that should be making the systems report type 3.

35 REPLIES 35

After getting a notification of the release of PANOS 11 I came across the "Persistent NAT for DIPP" feature.  Apparently this feature was introduced in 10.1.7.  Unfortunately my hardware doesn't support newer PANOS, but this sounds like it could be a solution that produces behavior that is very similar to how Cisco ASA handles traffic.  Has anyone has a chance to try this out?

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/networking-features/persistent-nat...

I can't say I've tried it yet.  We're still using a two other solutions... one is just to use standard DIP in a small lab and the other is to assign gaming clients with public IP addresses.  They're still blocked on the firewall for incoming connections from the Internet but they don't have to NAT.

 

This is definitely something I'd be interested in hearing from others on their experiences with it and also what the game consoles and associated games may end up showing as NAT Type with multiplayer performance.

After reading these recent replies I installed10.1.7 on my 440.  I got the same behavior, PS4 NAT type 3 with DIPP, and back to NAT type 2 when I re-enabled the static NAT.

 

Edit: I googled this and didn't realize it had to be specifically enabled through the CLI, I just thought it was automatic.  I'll test again shortly.

 

Second Edit: It worked!  I noticed that for VM & single DP firewalls this was first enabled in 10.1.6, and 10.1.7 for all firewalls, so I enabled persistant-dipp and downgraded back to what I was running (10.1.6-h6).  In the configuration page where I found the CLI command I also noticed the wording "it applies to all NAT and NAT64 rules subsequently configured"

 

So I cloned my previously configured NAT and deleted the original and got NAT type 2 on the PS4.

 

Without the bi-directional static I needed to also re-enable the NAT's I was using for port-forwarding.  These were no longer working, so again I cloned them and deleted the originals and then they worked again.  So if you enable this setting, I think you really do have to re-create any existing NAT's for it to properly apply as they need to be subsequently configured.

This fixed the issue for me. I'm getting NAT Type 2 on all my tests for several different consoles now. I didn't have to redo any NAT policies to make it work after I enter the CLI snippet from the article. Thanks!!!

Very interesting, wonder if it's some weird glitch I'm hitting on mine.  Every time I do a software update on my 440, I still have to commit a NAT change (I enable & disable, or disable & enable a rule and commit so I'm not actually making any changes) and then my inbounds start working again. Glad to hear it's working 100% for some!

This has alleviated so many concerns for me for this upcoming semester. Thanks for testing and posting about it, else I wouldn’t have tried it! I’m using a pair of 5220’s on code 10.1.10, so not sure if that makes any difference. 

  • 27299 Views
  • 35 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!