Educause Security Discussion mailing list archives
Re: Palo Alto/Xbox/"Strict NAT"
From: "Howard, Christopher" <Christopher-Howard () UTC EDU>
Date: Thu, 29 Jan 2015 16:58:15 +0000
I've never done static NATs for the game consoles. They just grab an outside IP from the pool. If they end up with a 1-1 NAT, they get moderate results. If the pool happens to be full and they end up in the PAT overflow, they get strict results. With 700+ game consoles registered in our NAC, there's no way I'm setting up static NATs for each one. :)

Christopher Howard
Senior Network Engineer
University of Tennessee at Chattanooga
Helping Students Achieve Excellence through Technology
christopher-howard () utc edu
423-425-1773

From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, January 29, 2015 at 11:52 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Palo Alto/Xbox/"Strict NAT"

It’s called “static” NAT – 172.16.. on the outside, 10.0.. on the inside:

ASA Version 9.1(5) <context>

object network tl-bsd4
 host 10.0.3.200
object network tl-bsd6
 host 2607:f930:1f80:c000::200
object-group network TL-BSD-ALL
 description Combined v4/v6 object
 network-object object tl-bsd4
 network-object object tl-bsd6
access-list INBOUND extended permit tcp any object-group TL-BSD-ALL eq ssh
object network tl-bsd4
 nat (Inside,Outside) static 172.16.240.22

You still need to write ACLs to permit the traffic through.

-jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Bohn
Sent: Thursday, January 29, 2015 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hello,

I was under the impression that all ASAs did only strict NAT. Is there some special configuration to enable so-called Moderate NAT?

We generally have done many-to-one NAT (Cisco-speak PAT or Port Address Translation) which is clearly a strict NAT. I am surprised to hear that with a one-to-one translation the firewall would pass inbound traffic that does not have a precise ip_address_and_port outbound tuple. Is this a setting or an access-list configuration?

I have been googling for a precise description of "moderate NAT" and this is what I have come up with from some site called serverfault.com: "Moderate NAT is a mixture, where your router will accept any traffic from any port, but only from the same host", presumably from the same host to which an outbound connection was made. (http://serverfault.com/questions/208522/what-is-strict-moderate-and-open-nat)

So, are you saying that an ASA will do that by default with a one-to-one NAT translation?

Thanks,
dennis

Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Mon, Jan 26, 2015 at 4:36 PM, Howard, Christopher <Christopher-Howard () utc edu> wrote:

We are using ASAs here still, but have started to run into the strict NAT type. We used to have enough external IP space that we could give everyone a 1-1 NAT mapping, even though the address they received was dynamic. However, we are no longer able to do that. The users that get on at the right time and happen to get a single NAT to themselves are fine, but if they end up in the overflow IP then they start getting the strict type. As far as I know, the only solution is 1-1 NATs. If there's something else, I would certainly love to know about it.

Christopher Howard
Senior Network Engineer
University of Tennessee at Chattanooga
Helping Students Achieve Excellence through Technology
christopher-howard () utc edu
423-425-1773

From: <Tornoe>, "Eric J." <EJTORNOE () STTHOMAS EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 26, 2015 at 3:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hi all,

We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to this device. We are now finding that we are having trouble with game consoles and games that use UPnP. In Microsoft terms our NAT is now “Strict”, whereas before (using Cisco ASA) it was termed “Moderate”. Palo Alto acknowledges this issue and offers a solution (1-1 NAT mapping), but this is not an ideal solution for us. They also spoke of using DIP (Dynamic IP) instead of DIPP (Dynamic IP and Port) but this is not a simple solution in the short term.

I know there are a lot of other Palo schools out there so my questions are: Is this an issue for you? If so, how are you handling this? 1-1 mapping? Not using NAT? etc.

Thanks,
Eric

Eric J. Tornoe
Manager, Operations and Technical Support
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
Mail Location: 5046
Office: AQU LL13G
Phone: 651.962.6217
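The thread's observation that a console landing on a 1-1 address tests as "Moderate" while one spilling into PAT overflow tests as "Strict" comes down to NAT filtering behaviour. The following toy model is an added example, not code from the thread or from Cisco or Palo Alto: it hands out a pool of outside addresses 1-1 until the pool runs dry, then pushes later hosts onto a single PAT address, and applies the two filtering rules the thread describes (the "same host" rule quoted from serverfault for 1-1, exact remote ip:port matching for PAT). All addresses, ports and the pool size are constructed; the class and function names are this example's own, and the model deliberately ignores the ACL or security policy a real firewall would still require.

```python
"""Toy model of why a 1-1 NAT tests as "Moderate" and PAT overflow as "Strict".

Added example, not code from the thread. Filtering-behaviour terms follow
RFC 4787; the Xbox labels are the ones the thread uses. All addresses, ports
and the pool size are constructed for the demo.
"""
from itertools import count


class ToyNat:
    """1-1 NAT from a pool while addresses last, then PAT on one overflow address."""

    def __init__(self, pool, overflow):
        self.pool = list(pool)      # outside addresses still free for 1-1 use
        self.overflow = overflow    # the single PAT address for everyone else
        self.one_to_one = {}        # inside_ip -> outside_ip
        self.peers = {}             # inside_ip -> set of remote ips it has sent to
        self.pat_out = {}           # (inside_ip, inside_port, remote_ip, remote_port) -> out_port
        self.pat_in = {}            # (out_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.next_port = count(1024)

    def assign(self, inside_ip):
        """Hand out a pool address on first sight; None means the host lands in PAT overflow."""
        if inside_ip not in self.one_to_one and self.pool:
            self.one_to_one[inside_ip] = self.pool.pop(0)
        return self.one_to_one.get(inside_ip)

    def nat_type(self, inside_ip):
        """Xbox-style label for the translation path the host ended up on."""
        return "Moderate" if self.assign(inside_ip) else "Strict"

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Translate an outbound packet and record its mapping; returns (outside_ip, outside_port)."""
        self.peers.setdefault(inside_ip, set()).add(remote_ip)
        out_ip = self.assign(inside_ip)
        if out_ip:
            return out_ip, inside_port  # 1-1: address rewritten, port preserved
        key = (inside_ip, inside_port, remote_ip, remote_port)
        if key not in self.pat_out:
            port = next(self.next_port)
            self.pat_out[key] = port
            self.pat_in[(port, remote_ip, remote_port)] = (inside_ip, inside_port)
        return self.overflow, self.pat_out[key]

    def inbound(self, outside_ip, outside_port, remote_ip, remote_port):
        """Return the inside (ip, port) an inbound packet reaches, or None if it is dropped."""
        if outside_ip == self.overflow:
            # Address-and-port-dependent filtering: only the exact remote ip:port
            # the inside host already talked to gets a packet back in ("Strict").
            return self.pat_in.get((outside_port, remote_ip, remote_port))
        for inside_ip, out_ip in self.one_to_one.items():
            if out_ip == outside_ip:
                # Address-dependent filtering (the "same host" rule quoted in the
                # thread): any port on a remote host this inside host has sent to.
                if remote_ip in self.peers.get(inside_ip, ()):
                    return inside_ip, outside_port
                return None
        return None


def demo():
    """Two consoles, a pool of one: the first gets 1-1, the second spills into PAT."""
    nat = ToyNat(pool=["198.51.100.10"], overflow="198.51.100.250")
    results = {}
    for console in ("10.0.0.11", "10.0.0.12"):
        # Each console opens a session to a matchmaking host; then the same
        # remote host tries a new source port, and a different host tries too.
        out_ip, out_port = nat.outbound(console, 3074, "203.0.113.5", 3074)
        results[console] = {
            "type": nat.nat_type(console),
            "outside": (out_ip, out_port),
            "same_peer": nat.inbound(out_ip, out_port, "203.0.113.5", 3074) is not None,
            "same_host_new_port": nat.inbound(out_ip, out_port, "203.0.113.5", 40000) is not None,
            "other_host": nat.inbound(out_ip, out_port, "203.0.113.9", 3074) is not None,
        }
    return results


if __name__ == "__main__":
    for console, r in demo().items():
        print(console, r)
```

Running it shows the split Christopher describes: the console that won the pool address accepts traffic from any port on a host it has already contacted (Moderate), while the console on the overflow address only accepts replies from the exact ip:port it sent to (Strict). An "Open" result would need endpoint-independent filtering (inbound accepted from any host once a mapping exists), which neither path in this model provides.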