Educause Security Discussion mailing list archives

Re: Palo Alto/Xbox/"Strict NAT"


From: "Howard, Christopher" <Christopher-Howard () UTC EDU>
Date: Mon, 26 Jan 2015 21:36:48 +0000

We are using ASAs here still, but have started to run into the strict NAT type.  We used to have enough external IP 
space that we could give everyone a 1-1 NAT mapping, even though the address they received was dynamic.  However, we 
are no longer able to do that.  The users that get on at the right time and happen to get a single NAT to themselves 
are fine, but if they end up in the overflow IP then they start getting the strict type.

As far as I know, the only solution is 1-1 NATs.  If there's something else, I would certainly love to know about it.

Christopher Howard
Senior Network Engineer
University of Tennessee at Chattanooga

Helping Students Achieve Excellence through Technology

christopher-howard () utc edu
423-425-1773


From: "Tornoe, Eric J." <EJTORNOE () STTHOMAS EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 26, 2015 at 3:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hi all,

We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to this device. We are now finding that we are 
having trouble with game consoles and games that use UPnP. In Microsoft terms our NAT is now “Strict”, whereas before 
(using Cisco ASA) it was termed “Moderate”.

Palo Alto acknowledges this issue and offers a solution, 1-1 NAT mapping, but this is not an ideal solution for us. 
They also spoke of using DIP (Dynamic IP) instead of DIPP (Dynamic IP and Port), but this is not a simple solution in 
the short term.

I know there are a lot of other Palo schools out there so my questions are: Is this an issue for you? If so, how are 
you handling this? 1-1 mapping? Not using NAT? etc.

Thanks,

Eric


Eric J. Tornoe
Manager, Operations and Technical Support
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
Mail Location: 5046 Office: AQU LL13G
Phone: 651.962.6217
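As an added illustration (not from either message), a toy Python model of the behaviour both posters describe: hosts that receive a 1-1 mapping keep their source port, while hosts pushed into a shared overflow IP get port-translated, and a simplified console-style probe then reports them as strict. The class and function names, the address values, and the rule that the shared IP hands out a fresh external port per session are my assumptions for the model, not documented Palo Alto or Cisco behaviour.

```python
from itertools import count


class NatPool:
    """Constructed NAT model: inside hosts get a 1-1 external IP while the pool has one
    free; once the pool is exhausted they share the overflow IP with port translation."""

    def __init__(self, one_to_one_pool, overflow_ip):
        self.one_to_one_pool = list(one_to_one_pool)  # external IPs handed out 1-1 (DIP-style)
        self.overflow_ip = overflow_ip                 # shared IP once the pool runs out (DIPP/PAT)
        self.assigned = {}                             # inside IP -> external IP
        self.sessions = {}                             # (inside ip, port, dst) -> external port
        self.next_port = count(10000)                  # port allocator for the overflow IP

    def translate(self, inside_ip, inside_port, dst):
        """Return the (external_ip, external_port) a packet from inside_ip:inside_port to dst gets."""
        if inside_ip not in self.assigned:
            self.assigned[inside_ip] = (self.one_to_one_pool.pop(0)
                                        if self.one_to_one_pool else self.overflow_ip)
        ext_ip = self.assigned[inside_ip]
        if ext_ip != self.overflow_ip:
            return ext_ip, inside_port  # address-only translation: source port preserved
        key = (inside_ip, inside_port, dst)
        if key not in self.sessions:    # assumption: a fresh external port per session/destination
            self.sessions[key] = next(self.next_port)
        return ext_ip, self.sessions[key]


def probe_nat_type(nat, inside_ip, inside_port=3074, probes=("stun-a", "stun-b")):
    """Simplified console-style check: send from one inside port to two servers and compare
    the external (ip, port) each reports back. Stable -> 'moderate', varies -> 'strict'."""
    seen = {nat.translate(inside_ip, inside_port, dst) for dst in probes}
    return "moderate" if len(seen) == 1 else "strict"


if __name__ == "__main__":
    # Constructed sample: one 1-1 address available, everyone else lands on the overflow IP.
    nat = NatPool(one_to_one_pool=["203.0.113.10"], overflow_ip="203.0.113.250")
    for host in ("10.0.0.1", "10.0.0.2"):
        verdict = probe_nat_type(nat, host)
        print(host, "->", nat.assigned[host], verdict)
```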
