Re: Palo Alto/Xbox/"Strict NAT"

[Dennis Bohn <bohn () ADELPHI EDU>]

Hello,
I was under the impression that all ASAs did only strict nat.  Is there
some special configuration to enable so-called Moderate Nat?  We generally
have done many-to-one nat (Cisco-speak PAT or Port Address Translation)
which is clearly a strict nat.  I am surprised to hear that with a
one-to-one translation the firewall would pass inbound traffic that does
not have a precise ip_address_and_port outbound tuple.  Is this a setting
or an access-list configuration?  I have been googling for a precise
description of "moderate NAT" and this is what I have come up with from
some site called serverfault.com:
"Moderate NAT is a mixture, where your router will accept any traffic from
any *port*, but only from the same*host" , *presumably from the same host
to which an outbound connection was made.
(
http://serverfault.com/questions/208522/what-is-strict-moderate-and-open-nat
)

So, are you saying that an ASA will do that by default with a one-to-one
nat translation?

Thanks,
dennis

Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Mon, Jan 26, 2015 at 4:36 PM, Howard, Christopher <
Christopher-Howard () utc edu> wrote:

>   We are using ASAs here still, but have started to run into the strict
> NAT type.  We used to have enough external IP space that we could give
> everyone a 1-1 NAT mapping, even though the address they received was
> dynamic.  However, we are no longer able to do that.  The users that get on
> at the right time and happen to get a single NAT to themselves are fine,
> but if they end up in the overflow IP then they start getting the strict
> type.
>
>  As far as I know, the only solution is 1-1 NATs.  If there's something
> else, I would certainly love to know about it.
>
>
>  *Christopher Howard*
> Senior Network Engineer
>
> University of Tennessee at Chattanooga
>
>
>  *Helping Students Achieve Excellence through Technology*
>
>
>  christopher-howard () utc edu
>
> 423-425-1773
>
>
>   From: <Tornoe>, "Eric J." <EJTORNOE () STTHOMAS EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Monday, January 26, 2015 at 3:51 PM
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"
>
>   Hi all,
>
>
>
> We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to
> this device. We are now finding that we are having trouble with game
> consoles and games that use UPnP. In Microsoft terms our NAT is now
> “Strict”, whereas before (using Cisco ASA) it was termed “Moderate”.
>
>
>
> Palo Alto acknowledges this issue and offers a solution- 1-1 NAT mapping-
> but this is not an ideal solution for us. They also spoke of using DIP
> (Dynamic IP)  instead of DIPP (Dynamic IP and Port) but this is not a
> simple solution in the short term.
>
>
>
> I know there are a lot of other Palo schools out there so my questions
> are: Is this an issue for you? If so, how are you handling this? 1-1
> mapping? Not using NAT? etc.
>
>
>
> Thanks,
>
>
>
> Eric
>
>
>
>
>
> Eric J. Tornoe
> Manager, Operations and Technical Support
> Information Resources and Technologies
> University of St. Thomas
> 2115 Summit Avenue
> St. Paul, Minnesota 55105
> Mail Location: 5046 Office: AQU LL13G
> Phone: 651.962.6217