Educause Security Discussion mailing list archives
Re: Palo Alto/Xbox/"Strict NAT"
From: "Kumar, Shashank" <skumar () FGCU EDU>
Date: Mon, 26 Jan 2015 22:51:33 +0000
Hi Eric,

For game consoles, we have a 1-to-1 NAT. PCs get NATed to IPs from a DIP pool. We have DIP sticky enabled (same IP for multiple concurrent sessions) and PC games like WoW, Elder Scrolls Online, etc. all work well. Setting DIP sticky was a one-line command on our firewall. UPnP is supported by our firewall and I'm not sure any enterprise firewall would support it.

Hope this helps.

Shashank

-------- Original message --------
From: "Kapucu, Ali" <akapucu () KENT EDU>
Date: 01/26/2015 5:09 PM (GMT-05:00)
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Palo Alto/Xbox/"Strict NAT"

We had lots of issues with NAT on game consoles, so we moved all gaming consoles to public IPs and block campus access from these subnets.

--
Ali Kapucu | CCNP Route & Switch, CCNA Wireless, CCNA Security, Security+, MCP
Sr. Security Engineer | Kent State University | Security & Access Management
Work: 330-672-4873 | Cell: 330-389-4873 | E-mail: akapucu () kent edu
PGP Public Key: http://www.personal.kent.edu/~akapucu/ali-kapucu.asc
PGP Finger Print: 8C74 F95A 7B08 641A A1AD 9AF3 CDA3 1F70 0F5C C221

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Tornoe, Eric J. <EJTORNOE () STTHOMAS EDU>
Sent: Monday, January 26, 2015 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hi all,

We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to this device. We are now finding that we are having trouble with game consoles and games that use UPnP. In Microsoft terms our NAT is now “Strict”, whereas before (using Cisco ASA) it was termed “Moderate”. Palo Alto acknowledges this issue and offers a solution - 1-1 NAT mapping - but this is not an ideal solution for us. They also spoke of using DIP (Dynamic IP) instead of DIPP (Dynamic IP and Port), but this is not a simple solution in the short term.

I know there are a lot of other Palo schools out there, so my questions are: Is this an issue for you? If so, how are you handling this? 1-1 mapping? Not using NAT? etc.

Thanks,
Eric

Eric J. Tornoe
Manager, Operations and Technical Support
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
Mail Location: 5046
Office: AQU LL13G
Phone: 651.962.6217

________________________________
Never give out your username or password to anyone. This includes any accounts you have such as: FGCU, bank and credit card accounts, and other personal accounts.