08-08-2011 08:20 AM - edited 03-07-2019 01:35 AM
So I have previously contacted Cisco about this issue, but I talked to someone who didn't know anything about Xbox 360s. I'm hoping there is someone on the board who can help me out.
I work at a gaming company, so most of our staff have Xbox 360s and they need to use them for testing, and also need to be able to play multiplayer games.
We have been trying to get a new Cisco ASA (version 8.3+) to allow one Xbox to have Open NAT. Despite allowing the appropriate traffic through,
I could not get a single Xbox to say Open NAT. We played around with it though and it seemed to behave as open as possible. So we decided to test two Xboxes... this is where we ran into problems. We could not get both Xboxes to join the same game. Clearly there is something wrong with our set-up.
Currently it looks like this:
object network xbox
subnet 192.168.2.128 255.255.255.128
object network xboxretail
subnet 65.55.42.0 255.255.255.0
access-list outside_in extended permit ip object xboxretail object xbox
object network xbox
nat (inside,outside) static x.x.x.x
I figured that by allowing the traffic and not the ports, I would allow it to be more open and have a higher chance of Open NAT.
So I guess my question is twofold: 1. How do I improve upon this to allow for Open NAT? 2. How do I allow this for over a hundred company Xboxes? Granted, they will never all be in use at once, but when they do multiplayer testing there will obviously be at least two people testing at once.
Thanks in advance!
08-09-2011 05:10 AM
Julie
I'm not familiar with Xbox either but we can try
Can you change the config from -
object network xbox
nat (inside,outside) static x.x.x.x
and then select one specific Xbox address, e.g. 192.168.2.130
object network xbox-130
host 192.168.2.130
nat (inside,outside) static x.x.x.x
and then see how it works.
Jon
08-09-2011 12:23 PM
Thanks Jon, that did allow for Open NAT. By configuring a different object-group for two xboxes and then a different static address for each, I was able to get both xboxes to say Open NAT at the exact same time.
The problem is, this is a huge amount of administrative overhead when you multiply that work by the number of Xboxes that we have. Not to mention the fact that every time we got a new Xbox, we would have to give it a static IP address and enter it into the ASA. It can be done of course, but I'm wondering if there is a more streamlined way to do this. Like instead of assigning a 1-1 mapping, let it get its public IP address from a pool. Basically dynamic NAT, right?
08-09-2011 12:31 PM
Julie
I think that was the problem in the first place, i.e. you were trying to NAT a whole subnet to one IP. But I understand what you want, i.e. a subnet-to-subnet mapping.
What is the public IP subnet you are using, i.e. what subnet is x.x.x.x from?
I'll have a look at the NAT options. They are all very different from pre-8.3 code, so give me a while as I still need to convert it in my head.
I just wanted to see if a 1-1 mapping would actually work for you, and it does, which is some sort of progress at least.
If worst comes to the worst you could, as you say, enter them one by one. The initial setup is a pain, but once set up there should be little to do. If you entered them all in one go, then when you have a new Xbox you simply choose one of the mappings that is not in use.
But you are right, it would be better if we could get it the way you want.
Jon
08-09-2011 12:49 PM
Jon,
Yes I think that was the problem too. In order to allow for open nat, the IP address AND the ports need to be a static mapping. Using different ports or PAT results in moderate NAT which doesn't allow for all of the multiplayer functions that we need to work.
In the past we have been using no NAT for our xboxes, which is why we have a class C public IP address all to ourselves. That's where the x.x.x.x comes from.
Awesome, thanks for your help! Yes I have more experience with pre 8.3 code, so I'm still figuring it out.
Julie
08-09-2011 01:03 PM
Julie
Okay try this -
object network xbox-public
subnet 65.55.42.128 255.255.255.128
object network xbox-private
subnet 192.168.2.128 255.255.255.128
nat (inside,outside) dynamic xbox-public
Jon
08-09-2011 01:49 PM
Hmmm I got an error:
ASA5510(config-network-object)# nat (inside,outside) dynamic xbox-public
ERROR: Subnet can not be used as mapped source in dynamic NAT policy.
I did some looking into it and it appears you can use a range. So I played around with it, and this is what I came up with based on what I had already configured:
object network xbox-public
range x.x.x.229 x.x.x.255
object network xbox-private
range 192.168.2.229 192.168.2.255
nat (inside,outside) dynamic xbox-public
This unfortunately resulted in moderate NAT for both xboxes. So do you think this then points to the fact that only a 1:1 static mapping will work?
Julie
08-09-2011 01:59 PM
Julie
This unfortunately resulted in moderate NAT for both xboxes. So do you think this then points to the fact that only a 1:1 static mapping will work?
I suspect this may be the case. I'm not entirely sure why, as it should still be a 1-1 mapping as far as I can see, but it does look like you need static mappings, so I suspect you might have to set up 1-to-1 mappings for each Xbox. Perhaps it is just because of the fact that you are still actually using dynamic NAT.
Like I say, it will be a fair bit of work to set up, but you could set up all the mappings in one go and then simply allocate one of the unused 192.168.2.x addresses to any new Xboxes.
Jon
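The outcome of the thread is one static 1:1 object NAT per console (the xbox-130 snippet above) plus the suggestion to build all the mappings in one go and hand out unused ones as new consoles arrive. The Python script below is an added example, not code from the thread or from Cisco: it pairs every usable host in the private /25 with the public host at the same offset, renders the ASA 8.3+ object NAT lines in the form that gave Open NAT, and picks the next mapping whose private address is not yet assigned. The public prefix 203.0.113.128/25 is a constructed documentation value standing in for the thread's x.x.x.x, and the xbox-<octet> object names follow the naming used above.

```python
import ipaddress

# Constructed values for this example: the private Xbox range is the one from
# the thread; the public /25 is a documentation prefix standing in for x.x.x.x.
PRIVATE_NET = "192.168.2.128/25"
PUBLIC_NET = "203.0.113.128/25"


def static_mappings(private_net, public_net):
    """Pair each usable private host with the public host at the same offset.

    Returns a list of (real_ip, mapped_ip) string tuples. Both networks must be
    the same size so that every console gets a public address of its own and
    no port translation is ever involved (the 1:1 mapping Open NAT needs).
    """
    priv = ipaddress.ip_network(private_net)
    pub = ipaddress.ip_network(public_net)
    if priv.prefixlen != pub.prefixlen:
        raise ValueError("private and public ranges must be the same size")
    # hosts() skips the network and broadcast addresses of each /25
    return [(str(r), str(m)) for r, m in zip(priv.hosts(), pub.hosts())]


def asa_object_nat(mappings, inside="inside", outside="outside", prefix="xbox"):
    """Render ASA 8.3+ object NAT: one `object network` per console with a
    `nat ... static` line under it, i.e. the shape of the xbox-130 snippet."""
    lines = []
    for real, mapped in mappings:
        host_octet = real.rsplit(".", 1)[1]
        lines.append(f"object network {prefix}-{host_octet}")
        lines.append(f" host {real}")
        lines.append(f" nat ({inside},{outside}) static {mapped}")
    return "\n".join(lines) + "\n"


def next_free_mapping(mappings, in_use):
    """Return the first (real, mapped) pair whose private address has not been
    handed to a console yet, or None when the pool is exhausted.

    `in_use` is any iterable of private IP strings already allocated (for
    example, the addresses you have reserved for existing consoles).
    """
    used = {str(ipaddress.ip_address(a)) for a in in_use}
    for real, mapped in mappings:
        if real not in used:
            return real, mapped
    return None


if __name__ == "__main__":
    maps = static_mappings(PRIVATE_NET, PUBLIC_NET)
    # Print the config for the first two consoles; paste the full output
    # into config mode once, then allocate from it as consoles are added.
    print(asa_object_nat(maps[:2]))
    print("next free mapping:", next_free_mapping(maps, ["192.168.2.129", "192.168.2.130"]))
```

Two points worth keeping in mind when applying the generated lines: static object NAT on 8.3+ is bidirectional, so the inbound flows from the Xbox Live range reach the console's private address without any extra NAT statement, and because every console owns one public address there is no port translation at all, which is the difference between this and the dynamic/range attempt that produced Moderate NAT. The existing `access-list outside_in` entry keeps working unchanged, since 8.3+ access lists match the real (untranslated) addresses of the `xbox` subnet object.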
08-09-2011 02:05 PM
Jon,
Ok, thanks for all of your help! It really helped clear things up a lot for us.
Thanks again,
Julie
07-30-2012 11:20 AM
Any idea how to do this in IOS? I am either doing something wrong or IOS does not allow subnet or nat commands in the object-group.