06-29-2014 03:58 PM
I know that this topic has been discussed before, but I cannot seem to find an exact scenario match since I am dealing with a dynamic public IP address.
Internal and Xbox zones are able to browse the Internet without any issues; however, the Xbox reports the NAT type as Strict which causes Xbox Live to not function properly. Given the fact that I have only a single public IP address for all traffic (which is also dynamic and not static), how do I go about allowing the necessary ports through to the Xbox?
Ports in question: Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports
Thank you in advance!
06-29-2014 10:56 PM
I hope this KB doc will help you: Palo Alto Networks Firewalls & Xbox360 - Strict NAT
06-29-2014 11:34 PM
Could you please give us an explanation of "NAT type as Strict which causes Xbox Live to not function properly" in detail? Also, please let us know what application you have set in the security policy.
06-30-2014 04:59 AM
The user-supplied solution that Hulk shows only works if you can configure static NAT. Obviously that is not an option in your case where you have a dynamic ISP and only the one address available.
I would start by taking the Xbox off the existing outbound policy and giving it one without any URL filtering or inspection at all. Then see if that changes your Xbox Live test status.
06-30-2014 06:49 AM
I've already tried this and it made no difference. I need to define the NAT policy but the nature of having a dynamic IP for the external connection is confusing me.
I did find this document: https://live.paloaltonetworks.com/docs/DOC-3095
Does this mean that the only option would be to use a dynamic DNS host and then refer to the FQDN?
06-30-2014 09:30 AM
Xbox Live generally requires several ports to be forwarded directly to the system if you can't use UPnP. Since the Palo Alto Networks firewalls drop UPnP traffic, you're limited to opening the ports that the Xbox wants. Those ports should be (Source: Xbox.com Forums):
Try creating a NAT rule for those six ports to forward to the Xbox. You will need to set up a DynDNS unless you want to track your dynamic IP and update it whenever your ISP changes it. If you have a cable modem or DSL, often times the IP stays the same unless the modem is unplugged for a few days. The lease on a lot of the major US ISPs tends to be about 3 days, but your mileage may vary.
06-30-2014 10:00 AM
This would be a destination NAT, correct?
06-30-2014 10:29 AM
Correct. You need to do D-NAT for those ports on your public IP (or DynDNS name) to the Xbox.