09-25-2018 01:55 PM - edited 03-05-2019 10:56 AM
Hello everybody,
I have run into an issue which I cannot solve, and I have no idea how to solve it.
Private network (not a company, not a business), using a Cisco 2801 router with zone-based firewall, without DMZ.
Ordinary users playing games and doing the usual stuff. They are playing a game named Warframe, and every time they start the game a warning message appears:
Strict NAT detected. No UPnP or NAT-PMP detected. Please forward UDP ports 4960 & 4965 to 10.10.1.100 (host ip)
It is also causing problems on Steam for local games etc.
So I have added this to the NAT configuration (which I learned from the internet after a few hours of browsing for a solution):
ip nat inside destination list GAME_OPEN_PORTS pool RANGE
ip access-list extended GAME_OPEN_PORTS
permit udp any any range 27000 27099
permit udp any any range 4950 4990
permit tcp any any range 6000 7000
permit udp any any range 61090 61154
where I was trying to open ports for Steam, Warframe, and the other games they are playing, but this did not help.
I have learned that enabling UPnP should do the trick, but I found no such thing on the Cisco 2801.
Does anybody have an idea how to solve that?
09-25-2018 02:24 PM
Hello,
I don't think IOS routers support UPnP and Nat-PMP.
Try to add static NAT mappings as below (x.x.x.x is the local address, y.y.y.y your public IP address):
ip nat inside source static udp x.x.x.x 4960 y.y.y.y 4960
ip nat inside source static udp x.x.x.x 4965 y.y.y.y 4965
09-25-2018 04:18 PM
So I am going to need this mapping for every DHCP client? That would be tedious and require additional care every time a new client is added; I would rather avoid that.
09-26-2018 01:47 AM
I have tried this as you suggested:
ip nat inside source static udp 10.10.1.100 4960 interface FastEthernet0/1 4960
ip nat inside source static udp 10.10.1.100 4965 interface FastEthernet0/1 4965
but the message is still there...
Is it possible to configure something like this in IOS?:
open NAT: any machine on the internet can send traffic to your router's port 21283, and the packet will be sent back to you
  Your computer        Router
 +------------+      +------------+      {www.google.com:80
 |            |      |            |      {www.google.com:443
 | port 31746 o<=====o port 21283 o<====={serverfault.com:80
 |            |      |            |      {fbi.gov:32188
 +------------+      +------------+      {botnet.cn:11288
09-26-2018 03:04 AM
Georg,
I am not sure if that is the solution, but the message about strict NAT disappeared after I did this:
Based on the output of netstat -abo I found which ports Warframe is using: the fixed game source UDP ports are 4960 and 4965, then random source ports to destination TCP ports from the range 6695-6699, then random source ports to destination ports 80 and 443. I realized that the game contains its own browser, which is used for microtransactions. Then I added statements to the GAME_OPEN_PORTS ACL like this:
ip access-list extended GAME_OPEN_PORTS
permit udp any any range 27000 27099
permit udp any any range 4950 4995
permit tcp any any range 6695 6699
permit udp any any range 61090 61154
permit tcp any any eq 80
permit tcp any any eq 443
with this NAT configuration:
ip nat pool RANGE 10.10.0.0 10.10.15.255 netmask 255.255.240.0 type rotary
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside destination list GAME_OPEN_PORTS pool RANGE
and poof, the strict NAT message is no longer appearing on start. Who would have thought of that...
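The port-discovery step described above done programmatically, as an added example that is not part of this thread: a Python script that parses a constructed sample of Windows netstat -abo output, keeps only the sockets owned by the game's process (assumed here to be named Warframe.x64.exe), and emits the narrowest matching ACL entries instead of wide port ranges. The sample output and the 203.0.113.x / 198.51.100.x addresses are constructed.

```python
import re
# Constructed sample of Windows `netstat -abo` output (not from a real host); with -b the owning executable follows each socket line in brackets.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:4960           *:*                                    5120
 [Warframe.x64.exe]
  UDP    0.0.0.0:4965           *:*                                    5120
 [Warframe.x64.exe]
  TCP    10.10.1.100:52311      203.0.113.10:6697      ESTABLISHED     5120
 [Warframe.x64.exe]
  TCP    10.10.1.100:52318      203.0.113.10:6698      ESTABLISHED     5120
 [Warframe.x64.exe]
  TCP    10.10.1.100:49152      198.51.100.7:443       ESTABLISHED     2200
 [chrome.exe]
"""
# proto, local ip:port, foreign ip:port, optional state, pid
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def sockets_for_process(netstat_text, exe_name):
    """(proto, local_port, foreign_port, state) for every socket whose bracketed owner line names exe_name."""
    lines, found = netstat_text.splitlines(), []
    for i, line in enumerate(lines):
        m = SOCKET_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].strip() == f"[{exe_name}]":
            proto, _, lport, _, fport, state, _ = m.groups()
            found.append((proto.lower(), int(lport), fport, state or ""))
    return found

def coalesce(ports):
    """Collapse ports into contiguous (lo, hi) runs so the ACL stays short."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def acl_lines(sockets, name="GAME_OPEN_PORTS"):
    """Narrowest ACL for what the game was seen using: UDP sockets by bound local port, TCP sessions by server port."""
    wanted = {"udp": set(), "tcp": set()}
    for proto, lport, fport, state in sockets:
        if proto == "udp":
            wanted["udp"].add(lport)
        elif state == "ESTABLISHED" and fport.isdigit():
            wanted["tcp"].add(int(fport))
    out = [f"ip access-list extended {name}"]
    for proto in ("udp", "tcp"):
        for lo, hi in coalesce(wanted[proto]):
            out.append(f" permit {proto} any any " + (f"eq {lo}" if lo == hi else f"range {lo} {hi}"))
    return out
```

Ports seen only in other processes (the browser's 443 session in the sample) never reach the ACL, which is the point of filtering on the process rather than on everything the host has open.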
09-25-2018 02:25 PM - edited 09-25-2018 02:26 PM
Hello
Without seeing what is already applied to the router regarding your ZBFW configuration it's hard to troubleshoot. Do you also know what protocols and port numbers are required to be allowed through the FW for this gaming application?
Can you post the configuration of the router, please?
09-26-2018 01:28 AM
Hello,
I forgot to mention that the port numbers used for that game are UDP 4950-4995 and TCP port range 6695-6699, which I have tried to include in my ACL statements.
09-26-2018 01:39 AM
Hello,
in your original post, the UDP ports that were blocked were 4960 and 4965. For these to work with the ZBF, try the config below. If you need additional ports, add those to the access list and add additional static NAT statements:
class-map type inspect match-any UPNP_NATPMP_CLASS
match access-group name UPNP_NATPMP_ACL
!
ip access-list extended UPNP_NATPMP_ACL
permit udp any any eq 4960
permit udp any eq 4960 any
permit udp any any eq 4965
permit udp any eq 4965 any
!
policy-map type inspect ccp-inspect
class type inspect UPNP_NATPMP_CLASS
pass
!
policy-map type inspect ccp-pol-outToIn
class type inspect UPNP_NATPMP_CLASS
pass
!
ip nat inside source static udp x.x.x.x 4960 y.y.y.y 4960
ip nat inside source static udp x.x.x.x 4965 y.y.y.y 4965
09-26-2018 03:28 AM
I am going to test this configuration you suggested as well. One small thing regarding the NAT mapping: I am going to need port ranges UDP 4950-4995, TCP 6695-6699 and probably 80 and 443 (please read my latest previous reply)... is it possible to include that in your suggestion?
09-25-2018 03:17 PM
As @Georg Pauwen has said, I think you need static NAT configurations for this to work. I'd imagine some changes to your ZBPF will be required as well. Can you advise what 10.10.1.100 is? Is that the IP of one of the users playing the game, or some remote gaming server?
09-25-2018 04:12 PM
09-25-2018 04:30 PM