XBox 360 open NAT setup Juniper Netscreen / SSG
Published on
13,750 Points
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment.
natwarning.jpg
These instructions are based on ScreenOS 6.2, but are easily adaptable to devices running versions 5.4 and above.
Setting up requires you to setup custom services, and then create VIP service entries. You can do that via WebUI or CLI (Command Line Interface - Telnet or SSH).
Using WebUI:
1] Create the custom services
Go To: Policy > Policy Elements > Services > Custom. Create the following three services
Xbox Live 1 -
UDP scr port: 0 – 65535 dst port 3074-3074
TCP scr port: 0 – 65535 dst port 3074-3074
UDP scr port: 0 – 65535 dst port 88-88
Timeout Never
Xbox Live 2 -
UDP scr port: 0 – 65535 dst port 3074-3074
TCP scr port: 0 – 65535 dst port 3074-3074
Timeout 30
Xbox Live 3 -
UDP scr port: 0 – 65535 dst port 88-88
timeout 30
2] On the Untrust Interface create a VIP and then add the services for Xbox Live 2 and Xbox Live 3 pointing to the Xbox’s Static IP address.
Go To: Network > Interfaces > Edit > VIP/VIP Services > New VIP service
Virtual IP: Untrust IP address
Virtual Port: 3074
Map to Service: Xbox Live 2 (3074)
Map to IP: <Xbox-ip>
Server Auto: False
Click OK
Repeat for 'Xbox Live 3'
Note that you do not do this for Live 1, since all services are already covered by the other two definitions.
3] Create Security Policy
Go To: Policy > Policies (From Untrust To Trust) & create a New Policy with the following settings
Name: Xbox_OpenNAT
Source Address: Any
Destination Address: VIP(untrust)
Service XBOX Live 1
Action: Permit
Logging: True
4] Enable multiple virtual port creation
From the console run the following command. You can get to the console by telnet to the trust interface ip or using a console cable.
From the Command Line:
credits: http://www.gameskb.com/Uwe/Forum.aspx/xbox-live/1038/Getting-Open-Nat-with-a-Netscreen-5GT-ADSL
credits: http://sangacollins.wordpress.com/networking/xbox-360-open-nat-netscreen/
natwarning.jpg
These instructions are based on ScreenOS 6.2, but are easily adaptable to devices running versions 5.4 and above.
Setting up requires you to setup custom services, and then create VIP service entries. You can do that via WebUI or CLI (Command Line Interface - Telnet or SSH).
Using WebUI:
1] Create the custom services
Go To: Policy > Policy Elements > Services > Custom. Create the following three services
Xbox Live 1 -
UDP scr port: 0 – 65535 dst port 3074-3074
TCP scr port: 0 – 65535 dst port 3074-3074
UDP scr port: 0 – 65535 dst port 88-88
Timeout Never
Xbox Live 2 -
UDP scr port: 0 – 65535 dst port 3074-3074
TCP scr port: 0 – 65535 dst port 3074-3074
Timeout 30
Xbox Live 3 -
UDP scr port: 0 – 65535 dst port 88-88
timeout 30
2] On the Untrust Interface create a VIP and then add the services for Xbox Live 2 and Xbox Live 3 pointing to the Xbox’s Static IP address.
Go To: Network > Interfaces > Edit > VIP/VIP Services > New VIP service
Virtual IP: Untrust IP address
Virtual Port: 3074
Map to Service: Xbox Live 2 (3074)
Map to IP: <Xbox-ip>
Server Auto: False
Click OK
Note that you do not do this for Live 1, since all services are already covered by the other two definitions.3] Create Security Policy
Go To: Policy > Policies (From Untrust To Trust) & create a New Policy with the following settings
Name: Xbox_OpenNAT
Source Address: Any
Destination Address: VIP(untrust)
Service XBOX Live 1
Action: Permit
Logging: True
4] Enable multiple virtual port creation
From the console run the following command. You can get to the console by telnet to the trust interface ip or using a console cable.
set vip multi-port
save
restart
From the Command Line:
set service "XBOX Live 3" protocol udp src-port 0-65535 dst-port 88-88 timeout 30
set service "XBOX Live 2" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 2" timeout 30
set service "XBOX Live 1" protocol udp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live 1" + udp src-port 0-65535 dst-port 88-88
set service "XBOX Live 1" timeout never
set interface untrust vip interface-ip 3074 "XBOX Live 2" 10.160.60.25 manual
set interface untrust vip interface-ip 88 "XBOX Live 3" 10.160.60.25 manual
set address "Trust" "xbox360" 10.160.60.25 255.255.255.255
set policy id 11 from "Untrust" to "Trust" "Any" "VIP(untrust)" "XBOX Live 1" permit log
set policy id 11
exit
set vip multi-port
save
restart
credits: http://www.gameskb.com/Uwe/Forum.aspx/xbox-live/1038/Getting-Open-Nat-with-a-Netscreen-5GT-ADSL
credits: http://sangacollins.wordpress.com/networking/xbox-360-open-nat-netscreen/
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.