Configuration Library

Configuration Example - SRX NAT config for XBOX 360 to get around strict NAT

‎10-18-2010 06:02 AM

SRX 210 version 10.1r1

Network Topology:

   internet  ---  SSG5  ---  SRX210  ---  XBOX  (tested double NAT)

or

   internet  ---  SRX210  ---  XBOX

This example will allow the XBOX 360 to come up as open NAT without using a static NAT.  A static NAT will map every port to the XBOX rather than the three ports it needs.  This config will allow other NAT devices through the SRX simultaneously and functions like a VIP in ScreenOS.

The problem with the XBOX 360 and SRX is not the Destination NAT part of the config, it's the source NAT of the XBOX out to the internet.   Simply using the SRX interface NAT is not good enough because the SRX will do port translation.  The key to the config is the source NAT without port translation and mapping that to the single public IP your ISP gives you.

nat {
        source {
            pool xbox_src_pool {
                address {
                    172.23.1.6/32 to 172.23.1.7/32;
                }
                port no-translation;
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule xbox_out {
                    match {
                        source-address 172.23.2.80/32;
                    }
                    then {
                        source-nat {
                            pool {
                                xbox_src_pool;
                            }
                        }
                    }
                }
            }
        }
}

I originally posted this here:

http://forums.juniper.net/t5/SRX-Services-Gateway/xbox-360/m-p/57528#M6624

Attached is the full SRX config.

Note, I turned off some ALGs.

==============  added event script to automatically change the pool IP based on DHCP =============

It took me a while but here is the event script that monitors an interface and compares the IP with the IP used in the src-nat pool. The script automatically adds the "to IP" range if one was used previously. It only adds a pool range of 2 IPs, so the IP you got plus 1.

There are two arguments that need to be passed to the script. One is the logical interface ID (i.e. ge-0/0/0.0) and the other is the name of the source pool. It only works with family inet address right now. You can change the two parameters to match your SRX config. I used a 5 minute timer but you can change that if you want, just change the interval from 300 (seconds) to any permitted value.

Paste in the event-options commands below and copy the SLAX script file to the "/var/db/scripts/event" directory on the SRX. I use WinSCP to copy the files but you can also use an FTP server if you want.

Config Commands:
 set event-options generate-event 5-min-timer time-interval 300
 set event-options policy match-src-pool-to-interface events 5-min-timer
 set event-options policy match-src-pool-to-interface then event-script match-src-pool-to-interface.slax arguments interface ge-0/0/0.0
 set event-options policy match-src-pool-to-interface then event-script match-src-pool-to-interface.slax arguments src-pool-name xbox_src_pool
 set event-options event-script file match-src-pool-to-interface.slax

You can see the script running with the op mode command "show log escript.log".

Output No Change:
 Oct 30 23:18:56 event script processing begins
 Oct 30 23:18:56 reading event details
 Oct 30 23:18:56 testing event details
 Oct 30 23:18:56 running event script 'match-src-pool-to-interface.slax'
 Oct 30 23:18:56 opening event script '/var/db/scripts/event/match-src-pool-to-interface.slax'
 Oct 30 23:18:56 reading event script 'match-src-pool-to-interface.slax'
 Oct 30 23:19:02 event script output
 Oct 30 23:19:03 begin dump
 <?xml version="1.0"?>
 ********** Pool Matches interface IP **********
 Oct 30 23:19:03 end dump
 Oct 30 23:19:03 inspecting event output 'match-src-pool-to-interface.slax'
 Oct 30 23:19:03 finished event script 'match-src-pool-to-interface.slax'
 Oct 30 23:19:03 event script processing ends

Output With a Change:
 Oct 30 23:24:56 event script processing begins
 Oct 30 23:24:56 reading event details
 Oct 30 23:24:56 testing event details
 Oct 30 23:24:56 running event script 'match-src-pool-to-interface.slax'
 Oct 30 23:24:56 opening event script '/var/db/scripts/event/match-src-pool-to-interface.slax'
 Oct 30 23:24:56 reading event script 'match-src-pool-to-interface.slax'
 Oct 30 23:21:21 event script output
 Oct 30 23:21:21 begin dump
 <?xml version="1.0"?>
 ********** Replacing pool: *xbox_src_pool* IP: *172.23.1.124* with my IP: *172.23.1.6* **********
 Oct 30 23:21:21 end dump
 Oct 30 23:21:21 inspecting event output 'match-src-pool-to-interface.slax'
 Oct 30 23:21:21 finished event script 'match-src-pool-to-interface.slax'
 Oct 30 23:21:21 event script processing ends

Thanks,
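As an added example (my own Python, not the SLAX script the post attaches), here is the same check the event script performs: read the interface address and the pool's current address statement, and when they differ emit the Junos commands that replace the pool with the interface address plus the next one, as the "Replacing pool" log line above describes. The interface line, the pool text and the regex-based parsing are constructed for this example.

```python
import ipaddress
import re

# Constructed sample input (not captured from a real SRX): the interface as
# "show interfaces terse" prints it, and the pool in "display set" form.
SAMPLE_INTERFACE = "ge-0/0/0.0   up    up   inet     172.23.1.6/24"
SAMPLE_POOL = (
    "set security nat source pool xbox_src_pool address "
    "172.23.1.124/32 to 172.23.1.125/32\n"
    "set security nat source pool xbox_src_pool port no-translation\n"
)
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def interface_address(terse_line):
    """Extract the family inet address from a 'show interfaces terse' line."""
    m = re.search(r"\binet\s+" + IPV4 + r"/\d+", terse_line)
    if not m:
        raise ValueError("interface has no family inet address")
    return ipaddress.IPv4Address(m.group(1))

def pool_range(set_config, pool):
    """Return (first, last) of the pool's address statement; last is None
    when the pool holds a single address rather than a 'to' range."""
    pat = (r"set security nat source pool " + re.escape(pool)
           + r" address " + IPV4 + r"/32(?: to " + IPV4 + r"/32)?$")
    for line in set_config.splitlines():
        m = re.match(pat, line.strip())
        if m:
            last = ipaddress.IPv4Address(m.group(2)) if m.group(2) else None
            return ipaddress.IPv4Address(m.group(1)), last
    raise ValueError("pool %s not found" % pool)

def sync_pool(terse_line, set_config, pool):
    """Commands that bring the pool in line with the interface address;
    an empty list is the 'Pool Matches interface IP' case from the log."""
    my_ip = interface_address(terse_line)
    first, last = pool_range(set_config, pool)
    if first == my_ip:
        return []
    new = "set security nat source pool %s address %s/32" % (pool, my_ip)
    if last is not None:
        # Page behaviour: keep a 2-address range, the DHCP address and the
        # next one. Only sound if the ISP really routes that address to you.
        new += " to %s/32" % (my_ip + 1)
    return ["delete security nat source pool %s address" % pool, new]

if __name__ == "__main__":
    print("\n".join(sync_pool(SAMPLE_INTERFACE, SAMPLE_POOL, "xbox_src_pool")))
```

On a real box the two inputs would come from "show interfaces terse" and "show configuration security nat source | display set", and the event script would commit the result; this version only prints the commands.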

Re: Configuration Example - SRX NAT config for XBOX 360 to get around strict NAT

‎10-18-2010 10:42 AM

Is this for the config contest? That's over here

Re: Configuration Example - SRX NAT config for XBOX 360 to get around strict NAT

‎01-02-2014 12:06 PM

Two years later .........

Your script only automagically changes the source Pool.   How about the destination pool?

Re: Configuration Example - SRX NAT config for XBOX 360 to get around strict NAT

‎01-02-2014 12:40 PM

I'm attempting to work through this myself.

I've normalized the config file so it's a little easier to update:

I made global address book entries, and replaced them where I could. (I did the Internal address for consistency as well.)

The only places you have to look now are the two address book entries, the Source Pool, and the Destination Pool. (I couldn't figure out how to use address books there.)

Now the really hard part, as I've never written a SLAX script.

security {
    address-book {
        global {
            address XBOX-External 4.4.4.4/32;
            address XBOX-Internal 192.168.1.2/32;
        }
    }
    nat {
        source {
            pool xbox_src_pool {
                address {
                    4.4.4.4/32 to 4.4.4.5/32;
                }
                port no-translation;
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule xbox_out {
                    match {
                        source-address-name XBOX-Internal;
                    }
                    then {
                        source-nat {
                            pool {
                                xbox_src_pool;
                            }
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool XBOX-pool {
                address 192.168.1.2/32;
            }
            rule-set XBOX-rs {
                from zone untrust;
                rule XBOX-1 {
                    match {
                        destination-address-name XBOX-External;
                        destination-port 88;
                    }
                    then {
                        destination-nat pool XBOX-pool;
                    }
                }
                rule XBOX-2 {
                    match {
                        destination-address-name XBOX-External;
                        destination-port 3074;
                    }
                    then {
                        destination-nat pool XBOX-pool;
                    }
                }
                rule XBOX-3 {
                    match {
                        destination-address-name XBOX-External;
                        destination-port 53;
                    }
                    then {
                        destination-nat pool XBOX-pool;
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy XBOX {
                match {
                    source-address any;
                    destination-address XBOX-Internal;
                    application XBOX-ports;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}