Xbox Live with dynamic public IP

L1 Bithead

I know that this topic has been discussed before, but I cannot seem to find an exact scenario match since I am dealing with a dynamic public IP address.

Interfaces

ethernet1/1

  • Primary internal network
  • Default virtual router
  • 172.16.50.1/24
  • Zone: Internal

ethernet1/2

  • Public internet connection with dynamic IP address
  • Default virtual router
  • Zone: External

ethernet1/3

  • Secondary internal network dedicated to Xbox
  • Default virtual router
  • 172.16.51.1/24
  • Zone: Xbox
  • DHCP reservation in place for the Xbox at 172.16.51.2

Security Policies

  • Rule to allow traffic from Internal and Xbox zones to External zone.
    • Includes URL filtering, etc.
  • Rule to deny all other traffic.

NAT Policies

  • Single NAT policy defined as follows:
    • Original Packet
      • Source Zone: Internal, Xbox
      • Destination Zone: External
      • Destination Interface: ethernet1/2
      • Service: any
      • Source Address: any
      • Destination Address: any
    • Translation Packet
      • Translation Type: Dynamic IP and Port
      • Address Type: Interface Address
      • Interface: ethernet1/2

Internal and Xbox zones are able to browse the Internet without any issues; however, the Xbox reports the NAT type as Strict which causes Xbox Live to not function properly.  Given the fact that I have only a single public IP address for all traffic (which is also dynamic and not static), how do I go about allowing the necessary ports through to the Xbox?

Ports in question: Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports

Thank you in advance!

Steven

L7 Applicator

Hello Swoods,


I hope this KB doc will help you: Palo Alto Networks Firewalls & Xbox360 - Strict NAT


Thanks

L7 Applicator

Hello Swoods,

Could you please give us an explanation about "NAT type as Strict which causes Xbox Live to not function properly" in detail. Also, please let us know what application you have set in the security policy.


Thanks

L7 Applicator

The user-supplied solution that Hulk shows only works if you can configure static NAT.  Obviously that is not an option in your case where you have a dynamic ISP and only the one address available.

I would start by taking the Xbox off the existing outbound policy and give it one without any URL filtering or inspection at all.  Then see if that changes your Xbox Live test status.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L1 Bithead

I've already tried this and it made no difference.  I need to define the NAT policy but the nature of having a dynamic IP for the external connection is confusing me.

I did find this document: https://live.paloaltonetworks.com/docs/DOC-3095

Does this mean that the only option would be to use a dynamic DNS host and then refer to the FQDN?

L7 Applicator

Hi Steven,

Xbox Live generally requires several ports to be forwarded directly to the system if you can't use UPnP. Since the Palo Alto Networks firewalls drop UPnP traffic, you're limited to opening the ports that the Xbox wants. Those ports should be (Source: Xbox.com Forums):

  • UDP 53
  • TCP 53
  • TCP 80
  • UDP 88
  • UDP 3074
  • TCP 3074

Try creating a NAT rule for those six ports to forward to the Xbox. You will need to set up DynDNS unless you want to track your dynamic IP and update it whenever your ISP changes it. If you have a cable modem or DSL, oftentimes the IP stays the same unless the modem is unplugged for a few days. The lease on a lot of the major US ISPs tends to be about 3 days, but your mileage may vary.

Good luck!

Greg

L1 Bithead

This would be a destination NAT correct?

L7 Applicator

Correct. You need to do D-NAT for those ports on your public IP (or DynDNS name) to the Xbox.
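Worked example, added here by the editor and not part of the thread or of Palo Alto Networks documentation, of the destination NAT that Greg's port list and the reply above describe, written as PAN-OS CLI set commands. It assumes the interfaces and zones from the original question, a hypothetical DynDNS name `xbox-home.example.net` that resolves to the current public IP, and object and rule names that are my own; the command syntax is from memory of the PAN-OS set-command format, so verify it against the release you run.

```text
# Address objects (hypothetical names). The FQDN object is refreshed by the
# firewall's own DNS lookups, so the rules follow the dynamic public IP without
# a static address ever being configured.
set address xbox-console ip-netmask 172.16.51.2/32
set address public-dyndns fqdn xbox-home.example.net

# One service object per protocol, limited to the six Xbox Live ports listed
# earlier in the thread. Nothing else is opened inbound.
set service xbox-live-tcp protocol tcp port 53,80,3074
set service xbox-live-udp protocol udp port 53,88,3074

# Destination NAT: packets arriving on ethernet1/2 for the public address are
# rewritten to the console. Source and destination zone are both External
# because NAT rules match on the pre-NAT packet.
set rulebase nat rules xbox-dnat-tcp from External to External to-interface ethernet1/2 source any destination public-dyndns service xbox-live-tcp destination-translation translated-address xbox-console
set rulebase nat rules xbox-dnat-udp from External to External to-interface ethernet1/2 source any destination public-dyndns service xbox-live-udp destination-translation translated-address xbox-console

# Security policy for the inbound flows: post-NAT destination zone (Xbox) but
# pre-NAT destination address (the public FQDN), restricted to the Xbox services
# so that only those ports ever reach the console.
set rulebase security rules allow-xbox-live-in from External to Xbox source any destination public-dyndns application any service [ xbox-live-tcp xbox-live-udp ] action allow
```

Two things to check after the commit: the security rule must sit above the existing deny-all rule (move it with `move rulebase security rules allow-xbox-live-in before <deny rule name>`), and the firewall needs a working DNS server configured because the FQDN object is only as current as its last lookup, so after the ISP hands out a new address the rules lag behind until the next refresh and the DynDNS client on the network has pushed the change. The existing outbound source NAT rule is untouched and still handles the console's own outgoing traffic.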
