XBox 360 open NAT setup Juniper Netscreen / SSG

Sanga Collins, Systems Admin
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you to get rid of the dreaded warning screen below and achieve the best online gaming environment.
[Image: natwarning.jpg]
These instructions are based on ScreenOS 6.2, but are easily adaptable to devices running versions 5.4 and above.

Setup requires you to create custom services and then create VIP service entries. You can do that via the WebUI or the CLI (Command Line Interface, over Telnet or SSH).

Using WebUI:
1]  Create the custom services
     Go To: Policy > Policy Elements > Services > Custom. Create the following three services:

Xbox Live 1 -
    UDP src port: 0-65535 dst port: 3074-3074
    TCP src port: 0-65535 dst port: 3074-3074
    UDP src port: 0-65535 dst port: 88-88
    Timeout: Never

Xbox Live 2 -
    UDP src port: 0-65535 dst port: 3074-3074
    TCP src port: 0-65535 dst port: 3074-3074
    Timeout: 30

Xbox Live 3 -
    UDP src port: 0-65535 dst port: 88-88
    Timeout: 30
2]  On the Untrust Interface create a VIP and then add the services for Xbox Live 2 and Xbox Live 3 pointing to the Xbox’s Static IP address.
     Go To: Network > Interfaces > Edit > VIP/VIP Services > New VIP service

Virtual IP: Untrust IP address
Virtual Port: 3074
Map to Service: Xbox Live 2 (3074)
Map to IP: <Xbox-ip>
Server Auto: False
Click OK
Repeat for 'Xbox Live 3', using virtual port 88.
Note that you do not do this for Xbox Live 1, since all of its services are already covered by the other two definitions.

3]  Create Security Policy
     Go To: Policy > Policies (From Untrust To Trust) & create a New Policy with the following settings

Name: Xbox_OpenNAT
Source Address: Any
Destination Address: VIP(untrust)
Service: XBOX Live 1
Action: Permit
Logging: True
4]  Enable multiple virtual port creation
     From the console, run the following commands. You can reach the console by telnetting to the trust interface IP or by using a console cable.
set vip multi-port
save
restart



From the Command Line:
set service "XBOX Live 3" protocol udp src-port 0-65535 dst-port 88-88 timeout 30
set service "XBOX Live 2" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" timeout 30
set service "XBOX Live 1" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + udp src-port 0-65535 dst-port 88-88
set service "XBOX Live 1" timeout never
set interface untrust vip interface-ip 3074 "XBOX Live 2" 10.160.60.25 manual
set interface untrust vip interface-ip 88 "XBOX Live 3" 10.160.60.25 manual
set address "Trust" "xbox360" 10.160.60.25 255.255.255.255
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "XBOX Live 1" permit log
set policy id 11
exit
set vip multi-port
save
restart
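
To check what the commands above actually expose, the following added example (not part of the original article, and not a Juniper tool) parses them and lists the inbound ports that reach the Xbox, and flags the "Any" source and the "timeout never" service for review. It assumes a simplified model in which a VIP port is reachable only when the policy's service also covers it; the function name audit is hypothetical.

```python
import re

# ScreenOS commands copied from this article (10.160.60.25 is the article's example Xbox IP).
CONFIG = '''
set service "XBOX Live 3" protocol udp src-port 0-65535 dst-port 88-88 timeout 30
set service "XBOX Live 2" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" timeout 30
set service "XBOX Live 1" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + udp src-port 0-65535 dst-port 88-88
set service "XBOX Live 1" timeout never
set interface untrust vip interface-ip 3074 "XBOX Live 2" 10.160.60.25 manual
set interface untrust vip interface-ip 88 "XBOX Live 3" 10.160.60.25 manual
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "XBOX Live 1" permit log
'''

SVC = re.compile(r'set service "([^"]+)" (?:protocol|\+) (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)')
TMO = re.compile(r'set service "([^"]+)" .*?timeout (\S+)')
VIP = re.compile(r'set interface (\S+) vip \S+ (\d+) "([^"]+)" (\S+)')
POL = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" permit')

def audit(config):
    """Return (exposures, warnings) for VIP mappings reachable through a permit policy."""
    ports, timeouts = {}, dict(TMO.findall(config))
    for name, proto, lo, hi in SVC.findall(config):
        ports.setdefault(name, set()).add((proto, int(lo), int(hi)))
    exposures, warnings = set(), []
    for pid, src_zone, _dst_zone, src, dst, svc in POL.findall(config):
        allowed = ports.get(svc, set())
        for iface, vport, vsvc, host in VIP.findall(config):
            if dst != f"VIP({iface})":
                continue
            vp = int(vport)
            # Assumed model: the VIP service and the policy service must both cover the port.
            for proto, lo, hi in ports.get(vsvc, set()):
                in_policy = any(p == proto and l <= vp <= h for p, l, h in allowed)
                if lo <= vp <= hi and in_policy:
                    exposures.add((proto, vp, host))
        if src == "Any":
            warnings.append(f'policy {pid}: source "Any" from zone {src_zone}')
        if timeouts.get(svc) == "never":
            warnings.append(f'policy {pid}: service "{svc}" has timeout never')
    return sorted(exposures), warnings

if __name__ == "__main__":
    exposures, warnings = audit(CONFIG)
    print(*(f"inbound {p}/{n} -> {h}" for p, n, h in exposures), sep="\n")
    print(*(f"review: {w}" for w in warnings), sep="\n")
```

Run against this article's configuration, it reports TCP 3074, UDP 88 and UDP 3074 forwarded to 10.160.60.25, plus the two review items.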
                      


credits: http://www.gameskb.com/Uwe/Forum.aspx/xbox-live/1038/Getting-Open-Nat-with-a-Netscreen-5GT-ADSL
credits: http://sangacollins.wordpress.com/networking/xbox-360-open-nat-netscreen/ 

    Success --- Halo Reach

Comments (2)

Sanga Collins, Systems Admin (Author) commented:
Thank you, I look forward to your response

Thanks!!! Great directions.
