Re: Palo Alto/Xbox/"Strict NAT"

["Howard, Christopher" <Christopher-Howard () UTC EDU>]

I've never done static NATs for the game consoles.  They just grab an outside IP from the pool.  If they end up with a 
1-1 NAT, they get moderate results.  If the pool happens to be full and they end up in the PAT overflow, they get 
strict results.

With 700+ game consoles registered in our NAC, there's no way I'm setting up static NATs for each one. :)

Christopher Howard
Senior Network Engineer
University of Tennessee at Chattanooga

Helping Students Achieve Excellence through Technology

christopher-howard () utc edu
423-425-1773


From: John Ladwig <John.Ladwig () SO MNSCU EDU<mailto:John.Ladwig () SO MNSCU EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Thursday, January 29, 2015 at 11:52 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Palo Alto/Xbox/"Strict NAT"

It’s called “static” NAT – 172.16.. on the outside, 10.0.. on the inside:

ASA Version 9.1(5) <context>

object network tl-bsd4
 host 10.0.3.200
object network tl-bsd6
 host 2607:f930:1f80:c000::200
object-group network TL-BSD-ALL
 description Combined v4/v6 object
 network-object object tl-bsd4
 network-object object tl-bsd6

access-list INBOUND extended permit tcp any object-group TL-BSD-ALL eq ssh

object network tl-bsd4
 nat (Inside,Outside) static 172.16.240.22


You still need to write ACLs to permit the traffic through.

   -jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis 
Bohn
Sent: Thursday, January 29, 2015 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hello,
I was under the impression that all ASAs did only strict nat.  Is there some special configuration to enable so-called 
Moderate Nat?  We generally have done many-to-one nat (Cisco-speak PAT or Port Address Translation) which is clearly a 
strict nat.  I am surprised to hear that with a one-to-one translation the firewall would pass inbound traffic that 
does not have a precise ip_address_and_port outbound tuple.  Is this a setting or an access-list configuration?  I have 
been googling for a precise description of "moderate NAT" and this is what I have come up with from some site called 
serverfault.com<http://serverfault.com>:
"Moderate NAT is a mixture, where your router will accept any traffic from any port, but only from the samehost" , 
presumably from the same host to which an outbound connection was made.
(http://serverfault.com/questions/208522/what-is-strict-moderate-and-open-nat)

So, are you saying that an ASA will do that by default with a one-to-one nat translation?

Thanks,
dennis

Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu<mailto:bohn () adelphi edu>
5168773327

On Mon, Jan 26, 2015 at 4:36 PM, Howard, Christopher <Christopher-Howard () utc edu<mailto:Christopher-Howard () utc 
edu>> wrote:
We are using ASAs here still, but have started to run into the strict NAT type.  We used to have enough external IP 
space that we could give everyone a 1-1 NAT mapping, even though the address they received was dynamic.  However, we 
are no longer able to do that.  The users that get on at the right time and happen to get a single NAT to themselves 
are fine, but if they end up in the overflow IP then they start getting the strict type.

As far as I know, the only solution is 1-1 NATs.  If there's something else, I would certainly love to know about it.

Christopher Howard
Senior Network Engineer
University of Tennessee at Chattanooga

Helping Students Achieve Excellence through Technology

christopher-howard () utc edu<mailto:christopher-howard () utc edu>
423-425-1773<tel:423-425-1773>


From: <Tornoe>, "Eric J." <EJTORNOE () STTHOMAS EDU<mailto:EJTORNOE () STTHOMAS EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Monday, January 26, 2015 at 3:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Palo Alto/Xbox/"Strict NAT"

Hi all,

We recently implemented a Palo Alto 5060 NGFW. We also transferred NAT to this device. We are now finding that we are 
having trouble with game consoles and games that use UPnP. In Microsoft terms our NAT is now “Strict”, whereas before 
(using Cisco ASA) it was termed “Moderate”.

Palo Alto acknowledges this issue and offers a solution- 1-1 NAT mapping- but this is not an ideal solution for us. 
They also spoke of using DIP (Dynamic IP)  instead of DIPP (Dynamic IP and Port) but this is not a simple solution in 
the short term.

I know there are a lot of other Palo schools out there so my questions are: Is this an issue for you? If so, how are 
you handling this? 1-1 mapping? Not using NAT? etc.

Thanks,

Eric


Eric J. Tornoe
Manager, Operations and Technical Support
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
Mail Location: 5046 Office: AQU LL13G
Phone: 651.962.6217<tel:651.962.6217>