02-04-2014 11:29 AM
Hello Everyone,
I have a problem with NAT that my end users are reporting that I have not been able to get to the bottom of. I am the administrator of a large University and have multiple buildings for on-site housing. 2-3k students live on site. Everything production-wise is working fine, but I keep having repeat tickets from students asking me to fix the NAT type so that they can use PlayStations and Xbox from their dorm rooms. I have been playing with the NAT rules but have been unable to get them to change from NAT type 3 to 2. I am needing some advice on the issue. It is a very simple setup when dealing with our NAT. We source NAT our users to a pool of IPs and I have included a screenshot.
Here is my security policy for the game consoles
I moved a few of the game users to our Cisco ASA and they go type 2 with no problems, but I cannot leave them on our ASA. It was for testing mainly to see if the PA was the problem.
This is the issue my end users are telling me they would like us to fix.
PS3™ | Internet Connection Test
http://netnix.org/2011/09/06/understanding-ps3-nat/
Has anybody else run into this problem or know what could be the issue? I am not seeing anything that should be making the systems report type 3.
11-18-2022 12:27 PM
After getting a notification of the release of PANOS 11 I came across the "Persistent NAT for DIPP" feature. Apparently this feature was introduced in 10.1.7. Unfortunately my hardware doesn't support newer PANOS, but this sounds like it could be a solution that produces behavior that is very similar to how Cisco ASA handles traffic. Has anyone had a chance to try this out?
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/networking-features/persistent-nat...
11-18-2022 01:35 PM
I can't say I've tried it yet. We're still using two other solutions... one is just to use standard DIP in a small lab and the other is to assign gaming clients public IP addresses. They're still blocked on the firewall for incoming connections from the Internet but they don't have to NAT.
This is definitely something I'd be interested in hearing from others on their experiences with it and also what the game consoles and associated games may end up showing as NAT Type with multiplayer performance.
11-20-2022 10:24 AM - edited 11-20-2022 11:34 AM
After reading these recent replies I installed 10.1.7 on my 440. I got the same behavior, PS4 NAT type 3 with DIPP, and back to NAT type 2 when I re-enabled the static NAT.
Edit: I googled this and didn't realize it had to be specifically enabled through the CLI, I just thought it was automatic. I'll test again shortly.
Second Edit: It worked! I noticed that for VM & single DP firewalls this was first enabled in 10.1.6, and 10.1.7 for all firewalls, so I enabled persistent-dipp and downgraded back to what I was running (10.1.6-h6). In the configuration page where I found the CLI command I also noticed the wording "it applies to all NAT and NAT64 rules subsequently configured".
So I cloned my previously configured NAT and deleted the original and got NAT type 2 on the PS4.
Without the bi-directional static I needed to also re-enable the NATs I was using for port-forwarding. These were no longer working, so again I cloned them and deleted the originals and then they worked again. So if you enable this setting, I think you really do have to re-create any existing NATs for it to properly apply as they need to be subsequently configured.
07-31-2023 11:24 AM
This fixed the issue for me. I'm getting NAT Type 2 on all my tests for several different consoles now. I didn't have to redo any NAT policies to make it work after I entered the CLI snippet from the article. Thanks!!!
08-08-2023 01:08 PM
Very interesting, wonder if it's some weird glitch I'm hitting on mine. Every time I do a software update on my 440, I still have to commit a NAT change (I enable & disable, or disable & enable a rule and commit so I'm not actually making any changes) and then my inbounds start working again. Glad to hear it's working 100% for some!
08-08-2023 01:16 PM
This has alleviated so many concerns for me for this upcoming semester. Thanks for testing and posting about it, else I wouldn’t have tried it! I’m using a pair of 5220s on code 10.1.10, so not sure if that makes any difference.