SRX Services Gateway
Regular Visitor
noneil
Posts: 8
Registered: ‎06-02-2009

SRX210 and Port Forwarding for XBox and PS3 Help

Does anyone have a working configuration for an SRX210 or branch series JUNOS appliance that properly allows the necessary destination NAT for XBox Live and PSN online access? I have searched and searched but am not having any luck in getting it working. Currently I'm slinging an AX411n AP off to provide the wireless signal to both game consoles.

source {
    pool xbox-pool {
        address {
            10.200.20.105/32 to 10.200.20.106/32;
        }
        port no-translation;
    }
    rule-set office-to-untrust {
        from zone office;
        to zone untrust;
        rule xbox-nat {
            match {
                source-address 10.200.20.105/32;
            }
            then {
                source-nat {
                    pool {
                        xbox-pool;
                    }
                }
            }
        }
        rule office-nat {
            match {
                source-address 10.200.20.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set home-to-untrust {
        from zone home;
        to zone untrust;
        rule home-nat {
            match {
                source-address 10.10.50.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool xbox-pool {
        address 99.62.XX.XX/32;
    }
    rule-set xbox-rs {
        from zone untrust;
        rule xbox-88 {
            match {
                destination-address 10.200.20.105/32;
                destination-port 88;
            }
            then {                     
                destination-nat pool xbox-pool;
            }
        }
        rule xbox-3074 {
            match {
                destination-address 10.200.20.105/32;
                destination-port 3074;
            }
            then {
                destination-nat pool xbox-pool;
            }
        }
        rule xbox-53 {
            match {
                destination-address 10.200.20.105/32;
                destination-port 53;
            }
            then {
                destination-nat pool xbox-pool;
            }
        }
    }
}

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: SRX210 and Port Forwarding for XBox and PS3 Help

Would need your topology which includes your IP scheme on each zone of the SRX. But it seems your destination NAT rule may be backwards. It would seem that xbox-pool should be the private IP and each dest-nat rule should have the public IP as the destination-address.

However, if this is correct per your topology then I would suggest running flow traceoptions to get an idea how the SRX is handling this traffic. Some flow trace tips are in the links below.

http://forums.juniper.net/t5/SRX-Services-Gateway/Troubleshooting-flow-SRX/m-p/9210/highlight/true#M...

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16233

-Richard
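
The orientation suggested in the reply above, written out as an added example that is not part of either post: the pool holds the console's private address and each rule matches the public address. Pool, rule-set and rule names are reused from the posted config, and the public address stays masked as 99.62.XX.XX exactly as it was posted.

```junos
/* Added example, not from the original thread. */
/* 99.62.XX.XX is the masked public address from the original post. */
destination {
    pool xbox-pool {
        /* translated-to address: the console's private IP */
        address 10.200.20.105/32;
    }
    rule-set xbox-rs {
        from zone untrust;
        rule xbox-88 {
            match {
                /* address inbound packets actually arrive on */
                destination-address 99.62.XX.XX/32;
                destination-port 88;
            }
            then {
                destination-nat pool xbox-pool;
            }
        }
        rule xbox-3074 {
            match {
                destination-address 99.62.XX.XX/32;
                destination-port 3074;
            }
            then {
                destination-nat pool xbox-pool;
            }
        }
        rule xbox-53 {
            match {
                destination-address 99.62.XX.XX/32;
                destination-port 53;
            }
            then {
                destination-nat pool xbox-pool;
            }
        }
    }
}
```

After commit, `show security nat destination rule all` shows whether each rule is taking translation hits. Policy lookup happens after destination NAT, so the untrust-to-office security policy has to permit traffic to 10.200.20.105 rather than to the public address.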

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.