Educause Security Discussion mailing list archives

Re: Palo Alto/Xbox/"Strict NAT"


From: "Kapucu, Ali" <akapucu () KENT EDU>
Date: Mon, 26 Jan 2015 22:08:45 +0000

We had lots of issues with NAT on game consoles, so we move all gaming consoles to public IP and block campus access
from these subnets.


--
Ali Kapucu | CCNP Route & Switch, CCNA Wireless, CCNA Security, Security+, MCP
Sr. Security Engineer | Kent State University | Security & Access Management
Work: 330-672-4873 | Cell: 330-389-4873 | E-mail: akapucu () kent edu
PGP Public Key: http://www.personal.kent.edu/~akapucu/ali-kapucu.asc
PGP Finger Print: 8C74 F95A 7B08 641A A1AD 9AF3 CDA3 1F70 0F5C C221
________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Tornoe, Eric J. 
<EJTORNOE () STTHOMAS EDU>
Sent: Monday, January 26, 2015 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hi all,

We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to this device. We are now finding that we are 
having trouble with game consoles and games that use UPnP. In Microsoft terms our NAT is now "Strict", whereas before 
(using Cisco ASA) it was termed "Moderate".

Palo Alto acknowledges this issue and offers a solution, 1-1 NAT mapping, but this is not an ideal solution for us.
They also spoke of using DIP (Dynamic IP) instead of DIPP (Dynamic IP and Port), but this is not a simple solution in
the short term.

I know there are a lot of other Palo schools out there so my questions are: Is this an issue for you? If so, how are 
you handling this? 1-1 mapping? Not using NAT? etc.

Thanks,

Eric


Eric J. Tornoe
Manager, Operations and Technical Support
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
Mail Location: 5046 Office: AQU LL13G
Phone: 651.962.6217


