SRX Services Gateway
SRX Services Gateway

xbox 360

‎05-18-2010 08:14 PM
Anyone got a destination Nat example to get around lives strict Nat assessment?
8 REPLIES 8
SRX Services Gateway

Re: xbox 360

[ Edited ]
‎05-19-2010 07:16 AM

Yes. I had to set up applications for each of the XBL ports and forward them to my SRX 210 @ home, with source nat egress interface (I only have 1 IP). Then I think I had to set up a static nat. Couldn't get destination to work, since I think ports that the Xbox used for source nat and what came in through destination nat were different, so tests always failed. I can post my config when I get off work.

SRX Services Gateway

Re: xbox 360

[ Edited ]
‎05-19-2010 09:20 AM

Very cool, yeah here is my shot at destination nat...

 

no Workie...

 

I saw on the SSG forums that they were thinking communication was initiated on port 3074 and that with a multi-service VIP worked, I therefore went overboard on dest nat but put in all the ports with 3074.

 

security {
    nat {
        destination {
            pool xbox {
                address 192.168.1.XX/32;
            }
            rule-set EXTERNAL_NAT {
                from zone untrust;
                rule 80 {
                    match {
                        destination-address X.X.X.X/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool xbox;
                    }
                }
                rule 88 {
                    match {
                        destination-address X.X.X.X/32;;
                        destination-port 88;
                    }
                    then {
                        destination-nat pool xbox;
                    }
                }
                rule 3074 {
                    match {
                        destination-address X.X.X.X/32;
                        destination-port 3074;
                    }
                    then {
                        destination-nat pool xbox;
                    }
                }
                rule 53 {
                    match {
                        destination-address X.X.X.X/32;
                        destination-port 53;
                    }
                    then {
                        destination-nat pool xbox;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address XBOX 192.168.1.XX/32;
            }
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            https;
                            ike;
                            dhcp;
                        }
                    }
                }
            }
        }
    }              
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy XBOX {
                match {
                    source-address any;
                    destination-address XBOX;
                    application tcp_udp_360;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application tcp_80_360 {
        protocol tcp;
        destination-port 80;
    }
    application udp_88_360 {
        protocol udp;
        destination-port 88;
    }
    application tcp_3074_360 {
        protocol tcp;
        destination-port 3074;
    }
    application udp_3074_360 {
        protocol udp;
        destination-port 3074;
    }
    application tcp_53_360 {
        protocol tcp;
        destination-port 53;
    }
    application udp_53_360 {
        protocol udp;
        destination-port 53;
    }
    application-set tcp_udp_360 {
        application tcp_80_360;
        application udp_88_360;
        application tcp_3074_360;
        application udp_3074_360;
        application tcp_53_360;
        application udp_53_360;
    }
}
vlans {
    default {
        l3-interface vlan.0;
    }
}

 

 

SRX Services Gateway
Solution
Accepted by topic author colemtb
‎08-26-2015 01:27 AM

Re: xbox 360

[ Edited ]
‎05-19-2010 08:01 PM

Here are relevant portions of my config. Under static nat, I've X'd out my IP address for obvious reasons. My Xbox also has the IP of 192.168.1.4.

 

source {
    rule-set home-nat {
        from zone trust;
        to zone untrust;
        rule xlate-all {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
static {
    rule-set xbox-nat {
        from zone untrust;
        rule xlate-xbox {
            match {
                destination-address X.X.X.X/32;
            }
            then {
                static-nat prefix 192.168.1.4/32;
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy allow-home-xbox {
        match {
            source-address any;
            destination-address any;
            application home-xbox;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
application home-xbox-88-udp {
    protocol tcp;
    destination-port 88;
}
application home-xbox-3074-tcp {
    protocol tcp;
    destination-port 3074;
}
application home-xbox-3074-udp {
    protocol udp;
    destination-port 3074;
}
application-set home-xbox {
    application home-xbox-3074-tcp;
    application home-xbox-3074-udp;
    application home-xbox-88-udp;
}

SRX Services Gateway

Re: xbox 360

[ Edited ]
‎05-20-2010 07:57 AM

Hawt, worked!

 

I would like to say though...  This NATs everything from your external IP to your 360, one to one of course.  If you have other services behind your firewall then they won't work I don't suspect unless...  Destination NAT occurs before static nat?  Anyways, still don't see why the destination NAT doesn't work, but this solution fixes what I need since I don't host anything.

 

Thanks again!

SRX Services Gateway

Re: xbox 360

‎06-18-2010 12:54 PM

The only way I have got this to work is the static NAT as well, my problem is that I do not have a static IP on the untrust side. This means that every time I get a new IP I have to change my config. This works but is very annoying. I can not figure out how to get it working with a dynamic address as Static requires a full IP to work.

 

Any ideas?

SRX Services Gateway

Re: xbox 360

‎10-15-2010 04:09 PM

I had my xbox behind an ssg5 and moved it behind an srx 210 to test this.  the 210 is also behind the ssg5.  so it goes:   

 

 internet -- ssg5 --  srx 210 -- xbox.   

 

the ssg5 is doing the same VIP it was always doing to the xbox.  the 210 has the old xbox IP and is now doing src / dst nat to the xbox which I moved behind the srx 210.

 

The problem is not the Dst NAT inbound…  it’s the Src NAT outbound.  The SRX is port translating outbound and throwing off the xbox server.  I realize that my SSG-5 never had this problem and a simple VIP worked fine, but this is how I got it to work on my SRX-210 WITHOUT static NAT.

 

The trick is to use the “no-translate” option on a source pool for your xbox.  You need a source pool and not the source interface NAT to be able to use the no-translate option, but no worries, just use the same public IP in the source pool.  SRX will require at least two IPs for the pool because of the no-translate, again, no worries just use the next IP.  Yes, next public IP.  The next IP won’t ever get used, the xbox is the only thing using this pool.  If you have problems with your public IP switching all the time, then maybe a script is in your future.  I have not gotten that far yet.

 

Try this:

                172.23.1.6 = the public IP

                172.23.2.80 -= the xbox private IP

                The policy is the same as in the thread above, allow xbox ports to the xbox private ip

 

[edit]

admin# show security nat

source {

    pool xbox_src_pool {

        address {

            172.23.1.6/32 to 172.23.1.7/32;

        }

        port no-translation;

    }

    rule-set trust-to-untrust {

        from zone trust;

        to zone untrust;

        rule xbox_out {

            match {

                source-address 172.23.2.80/32;

            }

            then {

                source-nat {

                    pool {

                        xbox_src_pool;

                    }

                }

            }

        }

        rule source-nat-rule {

            match {

                source-address 0.0.0.0/0;

            }

            then {

                source-nat {

                    interface;

                }

            }

        }

    }

}

destination {

    pool XBOX-pool {

        address 172.23.2.80/32;

    }

    rule-set XBOX-rs {

        from zone untrust;

        rule XBOX-1 {

            match {

                destination-address 172.23.1.6/32;

                destination-port 88;

            }

            then {

                destination-nat pool XBOX-pool;

            }

        }

        rule XBOX-2 {

            match {

                destination-address 172.23.1.6/32;

                destination-port 3074;

            }

            then {

                destination-nat pool XBOX-pool;

            }

        }

        rule XBOX-3 {

            match {

                destination-address 172.23.1.6/32;

                destination-port 53;

            }

            then {

                destination-nat pool XBOX-pool;

            }

        }

    }

}

[edit]

 

 

I hope this helps!

-Jason

Highlighted
SRX Services Gateway

Re: xbox 360

‎10-15-2010 08:30 PM

This thread is a good candidate for our Configuration Contest:

 

http://forums.juniper.net/t5/J-Net-News/J-Net-Contest-Submit-your-Configuration-s-for-a-chance-to-wi...

 

 

SRX Services Gateway

Re: xbox 360

‎11-11-2011 04:48 PM

This is a nice post. Is it possible to configure the SRX 210 with dual XBOX's?  I like the idea of using the SSG in front of the SRX will try that.

 

Thanks

 

Del Johnston