ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 3
Registered: ‎03-28-2011

Playstation Network and Xbox Live Issues with Nat

Ok, I know different people have asked about setting up the Juniper 5GT for one Xbox or PS3. My question is: can the Juniper be set up so that any Xbox or PlayStation can have access to moderate (type 2) NAT? We are using the Juniper as a firewall for a large wireless network (through customers on Ubiquiti radios).

 

We have been successful setting up Mip for certain customers, but we would like to just make a policy per customer that allows them to get into Xbox Live and PSN without special setup for each person.

Trusted Contributor
Posts: 279
Registered: ‎07-14-2008

Re: Playstation Network and Xbox Live Issues with Nat

Hi,

 

To get your Xbox360 to say "Open" with the NetScreen, create these 3 services

 

Xbox Live 1:

 

UDP src port: 0 - 65535 dst port 3074-3074

TCP src port: 0 - 65535 dst port 3074-3074

TCP src port: 0 - 65535 dst port 88-88

 

Set the Timeout to Never

 

Xbox Live 2 :

 

UDP src port: 0 - 65535 dst port 3074-3074

TCP src port: 0 - 65535 dst port 3074-3074

Set the Timeout to 30 seconds

 

Xbox Live 3 :

 

TCP src port: 0 - 65535 dst port 88-88

Set the Timeout to 30 seconds

 

GUI Instructions:


Web Management Interface -> Objects -> Services -> Custom -> Click New

 

Fill in the service name and information as above and click OK.

 

On the Untrust Interface add a VIP service for Xbox Live 2 and Xbox Live 3 and point it to your Xbox's Static Assigned IP address.

 

Web Management page -> Network -> Interfaces -> Click Edit on the Untrust Interface -> Click VIP on the Properties up top -> Click New VIP service

 

Virtual IP:

This should be your external IP address on the 5gt

 

Virtual Port:

This should be the port of Live 2

 

Service:

This should point to Live 2

 

Map to IP:

This should be the static assigned IP of your 360.

 

Server Auto Detect:  

This should be set to False.

Click OK

 

Now repeat for Live 3.

 

N.B. do not do this for Live 1.

 

On the Policies Page add a new policy from Source Any to VIP::1 for the Multiple Services of Xbox Live 1, Xbox Live 2, and Xbox Live 3.

 

Web Management Page -> Policies-> Select From Untrust -> Select To Trust ->Click New->

 

Give it any name you want

 

Select Address book entry Any for source address

Select Address book entry VIP::1 for destination Address

For Service Click Multiple Add Xbox Live 1, 2 & 3

 

Turn on logging if you want it as it may help debugging and ignore Advanced Settings

 

Click OK

 

This should give you Open access

 

You only need 3 Trust to Untrust Policies.

 

Allow any service from any to any and separate ones for IKE and PPTP from Any to Any. Other policies can be directed to VIP::1 but there should be none routed via the VIP to the 360.

 

Good Luck,

 

Gavrilo
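The WebUI steps in the answer above, as an added ScreenOS CLI example (this is not part of the original post). The untrust IP 203.0.113.5, the console IP 192.168.1.50 and the policy IDs are placeholders; the VIP address-book name "VIP::1" is the one the post shows (it may display as VIP(<ip>) on other ScreenOS releases). The redundant "Xbox Live 1" service is left out, since the policy already carries 3074 tcp/udp and 88 tcp through services 2 and 3 and a duplicate service only makes the effective timeout depend on ordering. Note that the CLI `timeout` on a custom service is in minutes, not seconds, and `timeout never` disables ageing.

```screenos
# Added example, not from the original post. Placeholders: 203.0.113.5 (untrust IP),
# 192.168.1.50 (console), policy ids 10/11. Timeout values are minutes.

# Custom services (WebUI: Objects > Services > Custom)
set service "Xbox Live 2" protocol udp src-port 0-65535 dst-port 3074-3074 timeout 30
set service "Xbox Live 2" + tcp src-port 0-65535 dst-port 3074-3074
set service "Xbox Live 3" protocol tcp src-port 0-65535 dst-port 88-88 timeout 30

# VIP entries on the untrust interface (WebUI: Network > Interfaces > untrust > VIP).
# "manual" is the CLI form of Server Auto Detect = False (assumption: keyword as on
# ScreenOS 5.x/6.x). The "+" adds a second port to an existing VIP.
set interface untrust vip 203.0.113.5 3074 "Xbox Live 2" 192.168.1.50 manual
set interface untrust vip 203.0.113.5 + 88 "Xbox Live 3" 192.168.1.50 manual

# Inbound policy: Any -> VIP::1 for both services, logged for debugging.
# The second service is added inside the policy context.
set policy id 10 from untrust to trust any "VIP::1" "Xbox Live 2" permit log
set policy id 10
set service "Xbox Live 3"
exit

# Outbound: one trust -> untrust any/any permit is enough for the console itself
set policy id 11 from trust to untrust any any any permit

# Check what was built, then write it to flash
get service "Xbox Live 2"
get vip
get policy id 10
save
```

Both VIP entries map to the same console, which is exactly the limitation raised in the next reply: a VIP port can only be forwarded to one inside host, so this gives one Xbox an "Open" NAT, not every Xbox on the network.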

Visitor
Posts: 3
Registered: ‎03-28-2011

Re: Playstation Network and Xbox Live Issues with Nat

Ok, I follow the procedure, but assigning a VIP to a specific Xbox only accounts for one Xbox on the network having an Open NAT. Is there a way to set it up so any user can just log in and have an automatic "Open" NAT? For example, could I create a policy or service that allows any IP that accesses Xbox Live or PlayStation Network to be allowed through the firewall?

Visitor
Posts: 2
Registered: ‎02-23-2011

Re: Playstation Network and Xbox Live Issues with Nat

I will have to give this some thought and get back if I think of anything,

 

Gavrilo

Trusted Contributor
Posts: 279
Registered: ‎07-14-2008

Re: Playstation Network and Xbox Live Issues with Nat

Hi,

 

I suspect not, as you cannot use a MIP and have port translation, and Policy NAT-dst, unlike MIPs and VIPs, is not often used for standard inbound NAT scenarios.

 

This is because it is not possible for the NAT IP address to be on the same network as the ingress interface. In other words, it is not possible to translate a public IP address used on your external network to a private address on say, your DMZ network using Policy NAT-dst.

 

Gavrilo

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: Playstation Network and Xbox Live Issues with Nat

I might be a little... dumb... here, but why do you need the XBox Live 1 service defined with the same ports as 2 and 3, when you create a policy with all 3 services in it?

 

TCP/UDP 3074 will be allowed by XBox Live 2.  UDP 88 will be allowed by XBox Live 3.

 

I don't see the need for the XBox Live 1 service.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Trusted Contributor
Posts: 279
Registered: ‎07-14-2008

Re: Playstation Network and Xbox Live Issues with Nat


 timeouts

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: Playstation Network and Xbox Live Issues with Nat

I still don't see the need...  if you need certain timeouts for the services defined by 2 and 3, why not just set the timeouts appropriately there rather than set those timeouts to one value and then set timeouts for the same services in another service set (1) to a different value?  If you add all 3 services to the policy, which timeouts are being chosen?  It's going to depend on the order in which you add 1, 2, and 3.

-kr


Trusted Contributor
Posts: 279
Registered: ‎07-14-2008

Re: Playstation Network and Xbox Live Issues with Nat

This was only ever a quick and dirty guide of the steps taken.

 

Sure it can be tidied up!

Visitor
Posts: 3
Registered: ‎03-28-2011

Re: Playstation Network and Xbox Live Issues with Nat

Ok, so as far as a policy that allows any IP through the network to get in and have open NAT, it looks like a no. Is it better to purchase a different Juniper router for our network that has an ALG incorporated, so that it can simply pass through traffic it recognizes as Xbox Live or PSN?

Contributor
Posts: 34
Registered: ‎02-19-2009

Re: Playstation Network and Xbox Live Issues with Nat

From what I have experienced, you can only get "open nat" using a device that supports UPNP.  As far as I know, none of the devices Juniper has support UPNP.

 

The route we took was to put all the clients that need to use xbox live, and psn into a network with real IP addresses, and allow all traffic out, and only the xbox/psn ports in.

 

Originally we were going to allow specific games through the FW, and hoped that doing that would limit the exposure, but it is next to impossible for you to do this.  Pages such as www.portforward.com are simply wrong on 99% of the PSN games.  Something like Madden 11 required random udp ports in the 40k to 64k range - to anywhere on the Internet. 

 

Trying to firewall that is basically useless and created so much work for us, and frustration for the end users, that we just allowed everything out, and only the necessary PSN/Xbox Live ports back in.

 

The Xbox Live stuff is a bit better and sticks a little more closely to what they say they need open for most games, but even that is not 100% exact.  Now add the Nintendo DS, Wii and other stuff and you have the biggest hodgepodge of custom services you've ever seen.

 

I realize that this is a far from perfect solution.  You could try to create a policy that uses a DIP in case someone triggers a certain service, but I think even that is too erratic to really use as a permanent solution.
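The "real IP addresses, everything out, only the console ports back in" approach described in the reply above, as an added ScreenOS CLI example (not the poster's own configuration). It assumes the consoles sit on the trust interface, which is renumbered into a routable block (203.0.113.0/24 is a placeholder for your own allocation) and switched to route mode so no source NAT is applied, and that the upstream router already routes that block to the firewall's untrust address. The inbound service only contains the Xbox Live ports given earlier in this thread (3074 tcp/udp, 88 tcp); PSN ports are not listed on this page and would be added the same way from your own observation.

```screenos
# Added example, not from the original post. Placeholders: 203.0.113.0/24
# (public console block), policy ids 20-22. Timeout values are minutes.

# Console segment on trust: public addressing, route mode (no source NAT).
set interface trust ip 203.0.113.1/24
set interface trust route

# Address object covering the console subnet, so inbound permits cannot
# reach anything else behind the firewall.
set address trust "consoles" 203.0.113.0 255.255.255.0

# One service object with the console ports; extra entries are added with "+".
# "timeout never" stops the firewall ageing out idle console sessions.
set service "console-inbound" protocol tcp src-port 0-65535 dst-port 3074-3074 timeout never
set service "console-inbound" + udp src-port 0-65535 dst-port 3074-3074
set service "console-inbound" + tcp src-port 0-65535 dst-port 88-88

# Out: anything from the console subnet (the reply gave up on per-game port lists).
set policy id 20 from trust to untrust "consoles" any any permit log

# In: only the console ports, and only to the console subnet.
set policy id 21 from untrust to trust any "consoles" "console-inbound" permit log

# Everything else inbound is already dropped by the implicit deny; an explicit
# logged deny at the end makes the drops visible when debugging a game.
set policy id 22 from untrust to trust any any any deny log

# Verify: interface mode, policy order, then write to flash
get interface trust
get policy from untrust to trust
save
```

Because nothing is translated, each console is reachable on its own public address and the firewall only decides which ports may arrive unsolicited; that is what makes the result independent of how many consoles are on the segment, at the cost of spending a public IP per console and exposing those ports on every one of them.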

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: Playstation Network and Xbox Live Issues with Nat

An important thing to remember is that these firewalls were designed for enterprise networks.

 

Online gaming doesn't really fit into the "enterprise network" model.

 

UPNP, in my opinion, is one of the worst ideas of recent time.  Let's take a device whose purpose is to lock down and secure/protect a network (a firewall), and create a protocol that lets devices control what ports the firewall allows traffic on -- with no authentication or authorization.

 

Yes, it makes things easy for the home users who don't understand firewalls, but what happens when someone gets a virus on their computer that wants to connect to a botnet or become a zombie?  With UPNP, a semi-intelligent virus writer can just use UPNP to open the firewall ports and then allow the infected computer to connect to the botnet or zombie control network.  Great idea, security folks.

 

We've struggled with these same issues as we are a university -- securing an enterprise network while still providing a useful service to our residents who live here and use our network for personal as well as academic work.  We solved this issue by separating traffic out of the residence halls into an entirely separate public IP space and did away with NAT.  We route the separate IP space outside of our campus firewalls, so in effect we are an external ISP.  When access from that net block needs to come into our campus network, it has to pass through our campus border firewalls just like any other untrusted / outside traffic.

-kr


Regular Visitor
Posts: 8
Registered: ‎04-10-2008

Re: Playstation Network and Xbox Live Issues with Nat

Hi,

As the discussion is moving on to Juniper firewalls in general and UPnP or something similar, I wanted to write my opinion here.

 

Ok, there is a KB where Juniper say that UPNP is for residential market, not for professional.

 

But in the SRX at least we can configure the persistent Nat (formerly cone Nat) which is the ability to connect to the post-Nat-IP (i.e.: the reflexive transport address).

 

So maybe this is the solution. In fact, using persistent NAT with the any-remote-host option is an equivalent of full-cone NAT, or in other words open NAT / on-demand NAT.

 

My two cents.

 


Philippe

JNCI, JNCIP-SEC, JNCIS-ENT, JNCIS-FWV

Contributor
Posts: 34
Registered: ‎02-19-2009

Re: Playstation Network and Xbox Live Issues with Nat

Chiming in late, but the only way I have found this to work reliably, is to give users internet routable IP addresses.  You are correct in stating that the only way to get "open nat" is to have a upnp device sit between the gaming device and the internet, and that is simply not possible as mentioned before.

 

If you only have one console to work with it is not that big of a deal, but if you have a network full of them, this is simply not doable with nat (at least in my opinion - we have about 400 of these on our network).

Visitor
Posts: 5
Registered: ‎10-24-2008

Re: Playstation Network and Xbox Live Issues with Nat

Hi there. So what solution do you use? We too have a campus network full of consoles. We are thinking of creating a NAT pool of about 100 public IPs to help with the issue. Not sure if this is the best way to do it or not.