Nat type 2 , type 3 with playstation and xbox

For all of the functions on a PS3 or XBOX to work properly it is expecting to have ports open to incoming traffic from the Internet.  Here is a good article on the different types of NAT for the PS3 NAT Type 2 Tutorial - PlayStation® Community Forums.  On home routers this is addressed by utilizing UPnP or setting up the device on the DMZ.  You could achieve this on the Palo Alto but it could be a nightmare for management.  Basically you would have to assign static addresses to the gaming devices and them create individual NAT policies for each one (each one requiring a public IP address) and allowing inbound connections to those devices on the ports specified.

See this thread from last year.  They basically created a public vlan for the xbox ports to connect and get a direct address on the internet.

This is really hard to swallow that companies like Sony and MS can build networks that don't work with standard internet nat.

Re: XBOX Live

But I also wonder why Palo Alto can't write an app-id to cover this behavior in some way.  Surely they have enough academic clients with piles of these game systems in the dorm that would use the solution.

Hello noore.ghunaym,

Looking at applipedia gives us that the below gaming apps are available,

If the security rule does not have xbox-live it has to be added for the Pan to process traffic. Now considering the NAT question in regards to PS4 or Xbox one and so on they need open ports, static IP and so on per the above docs. Ideally once the application is defined in the security rule PAN would start to open the ports needed while inspecting the APP. Some applications may have a necessity to open dynamic ports and there may be a need to open predict sessions and analyse the ports and open the ports. If there is a change in the xbox behavior or the way they work or they open certain new ports or so we may need to share the scenario with the PAN support so that the app is enhanced.

Per the Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports - Xbox.com looks like Kinect has a different port number which is not part of the xbox-live.

Thanks

I would recommend that you contact your Sales Engineer and have him open feature request.  All of the ideas above seem plausible and doable.

After doing research on how the game systems work and what the consoles are looking for I was able to find a fix. I would like to thank all of you for your responses and being so helpful.

dynamic-ip-and-port NAT was the problem. when this type of NAT is used every connection the game console sends out gets a different ip and port. This will not work because the way the consoles communicate is via UDP and they expect to use the same ip and udp port for 2 way communication. dynamic ip and port on PA seems to rotate the ports and ip aggressively. But on a cisco ASA it seems to use the same ip and ports per source ip as long as the connections stay active. Basically cisco ASA does not rotate the ports and ips as aggressively and attempts to maintain the same ports the client used to for udp communication. Keep in mind I am using dynamic NAT on the cisco ASA meaning I am using a pool of ip addresses.

I am a heavy user of BSD and linux so after reading that on bsd and linux firewalls you must have the static-port option enabled. I did some thinking and changed the NAT rule to STATIC. I was able to get away with this because our ISP allocates me a /20. I do not think having a /20 helped in any way because I have known of people who have had 10+ console on a single ip and it worked but I did it anyway because I had it available to me. I plan in the near future of just doing away with NAT and doing direct IP assignment.

Here is the FIX that worked for me without special VLANS or opening ports manually or assigning IP addresses directly to clients. I put this into production 24 hours ago and students are reporting they are able to use playstation and xbox consoles now showing nat type 2 and moderate when running connection tests. They also have 2 way voice communication now when playing inside of the games.

Changed NAT from dynamic to static. I assign internal /24 ranges to our LAN network in the buildings so I also assigned a /24 public ip address pool. I also made sure bi-directional was set to yes

Step 2 created a application filter called Game Consoles - I know this was over kill but it included xbox-live and playstation-network.

Step 3 - Create the security rule using the Application Filter and disabled server response inspection

Step 4 - Cleared the NAT tables via SSH

Made a few phone calls to the students and asked them to test the connections and I could tell by the OMG it says type 2 ( playstation users ) and for xbox users it says moderate now instead of strict.

They logged into a few different games and all reports it was working without lag and they were able to communicate via the headsets.

I hope this helps people in the future.

Did you have to use a different Public IP for each of your NAT rules?

If it was just down to the PA changing the NAT mappings too frequently; you may have been able to get away with mapping all these connections to a custom application definition with a much higher timeout on the UDP field that normal - e.g, an hour.

How would you go about doing that?

I can confirm the solution of noore.ghunaym works.
In my case I have 1 dynamic IP on the untrust interface.
I placed the static NAT rule above the general hide NAT rule. Also, I had to enter the current official IP hardcoded in the Source-translation field  (translated packet tab), since you can only enter a fixed IP or an address object referring to a fixed IP here. (It's not possible to select an object referring to a FQDN here).