Thanks Jon, that did allow for Open NAT. By configuring a different object-group for two xboxes and then a different static address for each, I was able to get both xboxes to say Open NAT at the exact same time.

The problem is, this is a huge amount of administrative overhead when you mutiply that work by the number of xboxes that we have. Not to mention the fact that every time we got a new xbox, we would have to give it a static IP address and enter it into the ASA. It can be done of course but I'm wondering if there is a more streamlined way to do this. Like instead of assigning a 1-1 mapping, let it get it's public IP address from a pool. Basically dynamic NAT, right?

Julie

I think that was the problem in the first place ie. you were trying to NAT a whole subnet to one IP.  But i understand what you want ie. a subnet to subnet mapping.

What is the public IP subnet you are using ie. what subnet is x.x.x.x from ?

I'll have a look at the NAT options - they are all very different from pre 8.3 code so give me a while as i still need to convert it in my head

I just wanted to see if the a 1-1 mapping would actually work for you and it does which is some sort of progress at least.

If worse comes to the worse you could, as you say, enter them one by one. The initial setup is a pain but once setup there should be little to do. If you entered them all in one go then when you have a new xbox you simply choose one of the mappings that is not in use.

But you are right, it would be better if we could get it the way you want.

Jon

Jon,

Yes I think that was the problem too. In order to allow for open nat, the IP address AND the ports need to be a static mapping. Using different ports or PAT results in moderate NAT which doesn't allow for all of the multiplayer functions that we need to work.

In the past we have been using no NAT for our xboxes, which is why we have a class C public IP address all to ourselves. That's where the x.x.x.x comes from.

Awesome, thanks for your help! Yes I have more experience with pre 8.3 code, so I'm still figuring it out.

Julie

Julie

Okay try this -

object network xbox-public

subnet 65.55.42.128 255.255.255.128

object nework xbox-private

subnet 192.168.2.128 255.255.255.128

nat (inside,outside) dynamic xbox-public

Jon

Hmmm I got an error:

ASA5510(config-network-object)#  nat (inside,outside) dynamic xbox-public

ERROR: Subnet can not be used as mapped source in dynamic NAT policy.

I did some looking into it and it appears you can use a range. So I played around with it and this is what I came up with based on what I had already configured

object network xbox-public

range x.x.x.229 x.x.x.255

object network xbox-private

range 192.168.2.229 192.1682.255

nat (inside,outside) dynamic xbox-public

This unfortunately resulted in moderate NAT for both xboxes. So do you think this then points to the fact that only a 1:1 static mapping will work?

Julie

Julie

This unfortunately resulted in moderate NAT for both xboxes. So do you think this then points to the fact that only a 1:1 static mapping will work?

I suspect this may be the case. I'm not entirely sure why as it should still be a 1-1 mapping as far as i can see why but it does look like you need static mappings so i suspect you might have to setup 1 to 1 mappings for each xbox. Perhaps it just because of the fact that you are still actually using dynamic NAT.

Like i say, it will be a fair bit of work to setup but you could setup all the mappings in one go and then simply allocate one of the unused 192.168.2.x address to any new xboxes.

Jon

Jon,

Ok, thanks for all of your help! It really helped clear things up a lot for us.

Thanks again,

Julie