Yes. I had to set up applications for each of the XBL ports and forward them to my SRX 210 @ home, with source nat egress interface (I only have 1 IP). Then I think I had to set up a static nat. Couldn't get destination to work, since I think ports that the Xbox used for source nat and what came in through destination nat were different, so tests always failed. I can post my config when I get off work.
Very cool, yeah here is my shot at destination nat...
I saw on the SSG forums that they were thinking communication was initiated on port 3074 and that it worked with a multi-service VIP, so I went overboard on dest NAT but put in all the ports along with 3074.
I would like to say though... This NATs everything from your external IP to your 360, one-to-one of course. If you have other services behind your firewall then I suspect they won't work, unless... destination NAT occurs before static NAT? Anyway, I still don't see why the destination NAT doesn't work, but this solution fixes what I need since I don't host anything.
The only way I have got this to work is the static NAT as well; my problem is that I do not have a static IP on the untrust side. This means that every time I get a new IP I have to change my config. This works but is very annoying. I cannot figure out how to get it working with a dynamic address, as static NAT requires a full IP to work.
I had my xbox behind an ssg5 and moved it behind an srx 210 to test this. The 210 is also behind the ssg5. So it goes:
internet -- ssg5 -- srx 210 -- xbox.
The ssg5 is doing the same VIP it was always doing to the xbox. The 210 has the old xbox IP and is now doing src/dst NAT to the xbox, which I moved behind the srx 210.
The problem is not the Dst NAT inbound… it’s the Src NAT outbound. The SRX is port translating outbound and throwing off the xbox server. I realize that my SSG-5 never had this problem and a simple VIP worked fine, but this is how I got it to work on my SRX-210 WITHOUT static NAT.
The trick is to use the “no-translate” option on a source pool for your xbox. You need a source pool and not the source interface NAT to be able to use the no-translate option, but no worries, just use the same public IP in the source pool. SRX will require at least two IPs for the pool because of the no-translate, again, no worries just use the next IP. Yes, next public IP. The next IP won’t ever get used, the xbox is the only thing using this pool. If you have problems with your public IP switching all the time, then maybe a script is in your future. I have not gotten that far yet.
172.23.1.6 = the public IP
172.23.2.80 = the xbox private IP
The policy is the same as in the thread above: allow the xbox ports to the xbox private IP.
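The approach described in the post above, written out as Junos set commands. This is an added example, not the poster's own config (which is not on the page): it uses the two IPs given in the post, assumes zones named trust and untrust, a pool second address of 172.23.1.7, rule-set and application names of my choosing, and only the 3074 port the thread mentions (the poster used all the XBL ports).

```junos
# Added example, not the poster's configuration. Assumed: zones trust/untrust,
# second pool address 172.23.1.7, and only port 3074 for Xbox Live.

# Custom applications for the Xbox Live port (add the other XBL ports the same way).
set applications application xbl-3074-udp protocol udp destination-port 3074
set applications application xbl-3074-tcp protocol tcp destination-port 3074
set applications application-set xbl application xbl-3074-udp
set applications application-set xbl application xbl-3074-tcp

# Source pool: the same public IP plus the required second address, with the
# port no-translation option so the xbox's source ports leave unchanged.
set security nat source pool xbox-pool address 172.23.1.6/32 to 172.23.1.7/32
set security nat source pool xbox-pool port no-translation

# One trust-to-untrust rule-set: the xbox rule is ordered first, everything
# else keeps plain interface (egress) source NAT as before.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule xbox-out match source-address 172.23.2.80/32
set security nat source rule-set trust-to-untrust rule xbox-out then source-nat pool xbox-pool
set security nat source rule-set trust-to-untrust rule all-out match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule all-out then source-nat interface

# Destination NAT: inbound to the public IP on 3074 goes to the xbox only,
# so other hosts behind the SRX are not affected the way a static NAT would.
set security nat destination pool xbox-dst address 172.23.2.80/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule xbox-in match destination-address 172.23.1.6/32
set security nat destination rule-set from-untrust rule xbox-in match destination-port 3074
set security nat destination rule-set from-untrust rule xbox-in then destination-nat pool xbox-dst

# Policy: permit only the XBL application set inbound, and only to the xbox.
set security zones security-zone trust address-book address xbox 172.23.2.80/32
set security policies from-zone untrust to-zone trust policy xbl-in match source-address any
set security policies from-zone untrust to-zone trust policy xbl-in match destination-address xbox
set security policies from-zone untrust to-zone trust policy xbl-in match application xbl
set security policies from-zone untrust to-zone trust policy xbl-in then permit
```

Run `commit check` before committing, and verify the translation with `show security flow session source-prefix 172.23.2.80/32`, where the xbox's sessions should show the same source port inside and out.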