
Strict NAT

michal.dudzak
Level 1

Hello everybody,

I have run into an issue which I cannot solve and have no idea how to solve.

Private network (not a company, not a business) - using a Cisco 2801 router with zone-based firewall, without a DMZ.

Ordinary users playing games and doing the usual stuff. They are playing a game named Warframe, and every time they start the game a warning message appears:

Strict NAT detected. No UPnP or NAT-PMP detected. Please forward UDP ports 4960 & 4965 to 10.10.1.100 (host ip)

It is also causing problems on Steam for local games etc...

So I have added this to the NAT configuration (which I learned from the internet after a few hours of browsing for a solution):

ip nat inside destination list GAME_OPEN_PORTS pool RANGE

ip access-list extended GAME_OPEN_PORTS
 permit udp any any range 27000 27099
 permit udp any any range 4950 4990
 permit tcp any any range 6000 7000
 permit udp any any range 61090 61154

where I was trying to open ports for Steam, Warframe, and other games which they are playing, but this did not help.

I have learned that enabling UPnP should do the trick, but I found no such thing on the Cisco 2801.

Does anybody have an idea how to solve that?

11 Replies

Hello,

I don't think IOS routers support UPnP and NAT-PMP.

Try to add static NAT mappings as below (x.x.x.x is the local address, y.y.y.y your public IP address):

! one static mapping per forwarded UDP port: inside host x.x.x.x, public address y.y.y.y
ip nat inside source static udp x.x.x.x 4960 y.y.y.y 4960
ip nat inside source static udp x.x.x.x 4965 y.y.y.y 4965

So I am going to need this mapping for every DHCP client? That would be tedious and require additional care every time a new client is added; I would rather avoid that.

I have tried this as you suggested:

ip nat inside source static udp 10.10.1.100 4960 interface FastEthernet0/1 4960
ip nat inside source static udp 10.10.1.100 4965 interface FastEthernet0/1 4965

but the message is still there...

Is it possible to configure something like this in IOS?

open NAT: any machine on the internet can send traffic to your router's port 21283, and the packet will be sent back to you

Your computer        Router
+------------+     +-----------+     {www.google.com:80
|            |     |           |     {www.google.com:443
| port 31746 o<====o port 21283o<===={serverfault.com:80
|            |     |           |     {fbi.gov:32188
+------------+     +-----------+     {botnet.cn:11288


Georg

 

I am not sure if that is the solution, but the message about strict NAT disappeared after I did this:

netstat -abo - based on the netstat output I found which ports Warframe is using: the fixed game source UDP ports are 4960 and 4965, then random to destination TCP ports from the range 6695-6699, then random to destination ports 80 and 443. I have realized that the game contains its own browser, which is used for microtransactions. Then I added statements to the GAME_OPEN_PORTS ACL like this:

ip access-list extended GAME_OPEN_PORTS
 permit udp any any range 27000 27099
 permit udp any any range 4950 4995
 permit tcp any any range 6695 6699
 permit udp any any range 61090 61154
 permit tcp any any eq 80
 permit tcp any any eq 443

with NAT configuration:

! rotary pool: inbound connections to the WAN address that match GAME_OPEN_PORTS
! are handed out round-robin across 10.10.0.0 - 10.10.15.255 (the whole /20 LAN)
ip nat pool RANGE 10.10.0.0 10.10.15.255 netmask 255.255.240.0 type rotary
! PAT for outbound traffic from hosts matched by ACL NAT (defined elsewhere in the config)
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside destination list GAME_OPEN_PORTS pool RANGE

and poof, the strict NAT message is no longer appearing on start; who would have thought about that...


Hello

Without seeing what is already applied to the router regarding your ZBFW configuration it's hard to troubleshoot. Do you also know which protocols and port numbers are required to be allowed through the firewall for this gaming application?

Can you post the configuration of the router please.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hello

I forgot to mention that the port numbers used for that game are UDP 4950-4995 and TCP port range 6695-6699, which I have tried to include in my ACL statements.

Hello,

in your original post, the UDP ports that were blocked were 4960 and 4965. For these to work with the ZBF, try the config below. If you need additional ports, add those to the access list and add additional static NAT statements:

class-map type inspect match-any UPNP_NATPMP_CLASS
 match access-group name UPNP_NATPMP_ACL
!
ip access-list extended UPNP_NATPMP_ACL
 permit udp any any eq 4960
 permit udp any eq 4960 any
 permit udp any any eq 4965
 permit udp any eq 4965 any
!
! "pass" is stateless and one-way, so the class is needed in both the
! inside-to-outside (ccp-inspect) and the outside-to-inside policy
policy-map type inspect ccp-inspect
 class type inspect UPNP_NATPMP_CLASS
  pass
!
policy-map type inspect ccp-pol-outToIn
 class type inspect UPNP_NATPMP_CLASS
  pass
!
ip nat inside source static udp x.x.x.x 4960 y.y.y.y 4960
ip nat inside source static udp x.x.x.x 4965 y.y.y.y 4965

I am going to test this configuration you suggested as well. One small thing on that regarding the NAT mapping: I am going to need port ranges UDP 4950-4995, TCP 6695-6699 and probably 80 and 443 (please read my latest previous reply)... is it possible to include them in your suggestion?
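As an added example (not from any reply in this thread), here is the form the static NAT plus ZBFW suggestion above takes once the requested port ranges are included, limited to the one host that reports the message instead of "any any". It assumes FastEthernet0/0 is the LAN interface in zone INSIDE, FastEthernet0/1 is the WAN interface in zone OUTSIDE, 10.10.1.100 is the host reporting Strict NAT, and that the outside-to-inside policy is named ccp-pol-outToIn as in the reply above; the ACL, class-map and zone-pair names (GAME_INBOUND_ACL, GAME_INBOUND_CLASS, OUT-TO-IN) are made up for the example.

```cisco
! Added example, not taken from the thread. Assumes Fa0/0 = LAN (zone
! INSIDE), Fa0/1 = WAN (zone OUTSIDE), game host 10.10.1.100, and an
! existing outside-to-inside policy named ccp-pol-outToIn.
!
! 1. Static port forwards. "ip nat inside source static udp" maps one
!    port per line, so every forwarded port needs its own entry. The
!    two ports the game explicitly asks for are shown; add more lines
!    of the same shape for the rest of UDP 4950-4995 / TCP 6695-6699
!    only if the game really needs them reachable from the internet.
ip nat inside source static udp 10.10.1.100 4960 interface FastEthernet0/1 4960
ip nat inside source static udp 10.10.1.100 4965 interface FastEthernet0/1 4965
!
! 2. ACL for the inbound game traffic. Outside-to-inside NAT runs before
!    ZBFW inspection, so match the inside address of the game host, not
!    the WAN address, and not "any any" (which would also match traffic
!    sent to every other host behind the router).
ip access-list extended GAME_INBOUND_ACL
 permit udp any host 10.10.1.100 range 4950 4995
 permit tcp any host 10.10.1.100 range 6695 6699
!
class-map type inspect match-any GAME_INBOUND_CLASS
 match access-group name GAME_INBOUND_ACL
!
! 3. Use "inspect" rather than "pass": pass is one-way and would need a
!    matching pass rule in the inside-to-outside policy; inspect creates
!    the session and allows the replies by itself. Everything else from
!    the outside is dropped and logged.
policy-map type inspect ccp-pol-outToIn
 class type inspect GAME_INBOUND_CLASS
  inspect
 class class-default
  drop log
!
! 4. Zones and the zone pair that applies the policy (already present on
!    most CCP-generated configs, shown for completeness).
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSIDE
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect ccp-pol-outToIn
!
! Verification while the game is running:
!   show ip nat translations | include 496
!   show policy-map type inspect zone-pair OUT-TO-IN sessions
```

The outbound web traffic on TCP 80 and 443 mentioned in the thread needs no inbound entry at all: it is initiated from the LAN, so the existing overload (PAT) rule and the inside-to-outside inspect policy already cover it. Only ports the game must accept unsolicited packets on belong in the forwards and in the outside-to-inside ACL.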

evlaa1990
Level 1

As @Georg Pauwen has said, I think you need static NAT configurations for this to work. I'd imagine some changes to your ZBFW will be required as well. Can you advise what 10.10.1.100 is? Is that the IP of one of the users playing the game, or some remote gaming server?

michal.dudzak
Level 1

Hey, here is the config, guys. The public IP has been replaced with the private 192.168.3.X and the passwords are removed.

Here is a quick sketch of that network
