This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Nat type 2 , type 3 with playstation and xbox

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Nat type 2 , type 3 with playstation and xbox

ASU-NetworkTeam
L1 Bithead

‎02-04-2014 11:29 AM

Hello Everyone,

I have a problem with NAT that my end users are reporting that I have not been able to get to the bottom of. I am the administrator of a large University  and have multiple buildings for on site housing. 2-3k students live on site. Everything production wise is working fine but I keep having repeat tickets from students asking me to fix the nat type so that they can use playstations and xbox from their dorm rooms. I have been playing with the nat rules but have been unable to get them to change from nat type 3 to 2. I am needing some advise on the issue. It is a very simple setup when dealing with our nat. We source nat our users to a pool of IPs and I have included a screenshot.

paloalto.JPG.jpg

Here is my security policy for the game consoles

paloalto2.JPG.jpg

I moved a few of the the game users to our Cisco ASA and they go type 2 with no problems but I can not leave them on our asa. it was for testing mainly to see if the PA was the problem.

This is the issue my end users are telling me they would like us to fix.

PS3™ | Internet Connection Test

http://netnix.org/2011/09/06/understanding-ps3-nat/

Anybody else ran into this problem or know what could be the issue because I am not seeing anything that should be making the systems report type 3.

32 REPLIES 32

JimS2
L3 Networker

‎02-05-2014 03:45 PM

For all of the functions on a PS3 or XBOX to work properly it is expecting to have ports open to incoming traffic from the Internet.  Here is a good article on the different types of NAT for the PS3 NAT Type 2 Tutorial - PlayStation® Community Forums.  On home routers this is addressed by utilizing UPnP or setting up the device on the DMZ.  You could achieve this on the Palo Alto but it could be a nightmare for management.  Basically you would have to assign static addresses to the gaming devices and them create individual NAT policies for each one (each one requiring a public IP address) and allowing inbound connections to those devices on the ports specified.

0 Likes Likes

pulukas
L7 Applicator

‎02-05-2014 03:56 PM

See this thread from last year.  They basically created a public vlan for the xbox ports to connect and get a direct address on the internet.

This is really hard to swallow that companies like Sony and MS can build networks that don't work with standard internet nat.

Re: XBOX Live

But I also wonder why Palo Alto can't write an app-id to cover this behavior in some way.  Surely they have enough academic clients with piles of these game systems in the dorm that would use the solution.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

Phoenix
L4 Transporter

‎02-06-2014 05:44 AM

Hello noore.ghunaym,

Looking at applipedia gives us that the below gaming apps are available,

gaming-apps.PNG.png

If the security rule does not have xbox-live it has to be added for the Pan to process traffic. Now considering the NAT question in regards to PS4 or Xbox one and so on they need open ports, static IP and so on per the above docs. Ideally once the application is defined in the security rule PAN would start to open the ports needed while inspecting the APP. Some applications may have a necessity to open dynamic ports and there may be a need to open predict sessions and analyse the ports and open the ports. If there is a change in the xbox behavior or the way they work or they open certain new ports or so we may need to share the scenario with the PAN support so that the app is enhanced.

Per the Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports - Xbox.com looks like Kinect has a different port number which is not part of the xbox-live.

Thanks

0 Likes Likes

JimS2
L3 Networker

‎02-06-2014 07:36 AM

I would recommend that you contact your Sales Engineer and have him open feature request.  All of the ideas above seem plausible and doable.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks