Home network - replacing the ISP router with my Cisco 877 (NAT Question)

Started by Dieselboy, August 06, 2016, 10:24:55 PM


Dieselboy

I have a problem - I need to allow any and all incoming traffic (not configured to be allowed) to reach my PS4 games console, whilst also allowing general outbound internet traffic.

The ISP router has a feature called "DMZ Host". But for some reason, the ISP router keeps closing UDP ports and sending an ICMP Unreachable response back to the sender, even when configuring the DMZ host. So, for example, I put my Cisco 9971 VPN phone under DMZ host and connected the phone to the company VPN. After a little while the VPN drops, the ICMP message is sent back and the phone breaks. Basically the ISP router is a load of poop.

In an ASA firewall you can organise your NATs in a hierarchy. You can have a static 1-1 ip to ip nat under another static PAT for the same IP. Basically say you nat http in the PAT. Then all other traffic will match the 1-1 IP to IP nat.

Can a similar config work for an IOS router?

I really want to get rid of the ISP router and put my 877 back in :)

Dieselboy

Basically, I think the answer to this is YES: if a NAT rule is not matched then the router will check the next one, and if it's matched then it will be used.

Dieselboy

Okay so I played around with this, based on my previous config which worked but only because I had static config per "game". This was fine until I played something new, then the firewall rules and NATs needed changing, and at 8pm on a Saturday evening when your friends are around it's not favourable.

So my new config appears to be working; the PS4 internet test comes back as NAT TYPE 2, which translates to: the PS network can see the PS4 behind a NAT but all needed ports are open. I've not explicitly allowed any ports open.

Here's my config - any thoughts?

NATs:
PS4 = 192.168.192.4
I have left the phone system static nat in place to give an example of where the static nats sit.

ip nat pool PS4 192.168.192.4 192.168.192.4 netmask 255.255.255.0 type rotary
ip nat inside source static udp 192.168.192.253 5060 interface Vlan1 5060
ip nat inside source static tcp 192.168.192.253 5060 interface Vlan1 5060
ip nat inside source route-map NAT-MAP interface Vlan1 overload
ip nat inside destination list PS4-PORTS pool PS4


the PS4 ports group:

TP-877W(config)#do sh access-list PS4-PORTS
Extended IP access list PS4-PORTS
    10 permit tcp any any (1127 matches)
    20 permit udp any any


The bottom NAT rule links the ports to the PS4 IP address.

In the firewall, I've allowed ANY internet source to the PS4 ports group. I like re-using the same groups / class maps where I can, where it's relevant to do so. Because if you do it correctly, you can make one change and the rest of the config falls in line such as above :)

Dieselboy

I'm still seeing some inbound drops but don't have time to investigate now so will pick it up later.

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Home consoles and real NAT is a crapshoot. Different games / apps seem to use different ports, none of them documented.
And then strangely, they seem to work fine as long as the main ports are open.
That was my XP with a PS3 anyway.

They seem to rely on uPNP enabled routers.....

Dieselboy

Quote from: deanwebb on August 07, 2016, 02:43:17 PM
Does the ps4 have a static address?

No, that would cost me a whopping $5 per month extra on top of my already extortionate $75 for fibre internet for 25mb. Whereas 50mb internet in England is around half what I'm paying. But yes another IP would be an easy fix :)

Quote from: wintermute000 on August 07, 2016, 09:39:48 PM
Home consoles and real NAT is a crapshoot. Different games / apps seem to use different ports, none of them documented.
And then strangely, they seem to work fine as long as the main ports are open.
That was my XP with a PS3 anyway.

They seem to rely on uPNP enabled routers.....

Completely correct! uPNP was in full force on the Telstra router, but the Telstra router randomly blocks traffic for no apparent reason; I know for sure the "DMZ Host" config in the Telstra router just didn't work for UDP.

=====================

So after reading up about the different NAT combinations, the config I listed above which seemed to work okay is actually not supposed to work. According to the Cisco doc, the config above should be making my PS4 visible on the internet with its "inside local" IP address, which is its 192.168 address (which is not routable on the internet).

So I took that config line out and instead modified the NAT route-map to say the following:


ip nat inside source route-map NAT-MAP interface Vlan1 overload

route-map NAT-MAP permit 10
match ip address NAT
route-map NAT-MAP permit 20
match ip address ANY-TCPUDP

do sh access-list ANY-TCPUDP
Extended IP access list ANY-TCPUDP
    10 permit object-group OGPS4 object-group PS4 any

do sh run | sec OGPS4
object-group service OGPS4
tcp-udp range 1 65535

object-group network PS4
host 192.168.192.4


Seems to be one or both of two things:
1. working
2. a fudge

:problem?:

The idea is that, if my laptop (for example) hasn't created a connection/NAT to the outside world then it's free for the PS4 to use both outbound and inbound.
I'm just not 100% sure if traffic from the internet to the PS4 will be allowed and routed to the PS4.

Last thing - I believe I was wrong about the way NAT rules are thought about by the router. I mentioned a top-down type, but whilst thinking later on yesterday I believe there's an order of operations. I'll refresh my memory on that soon.
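As an added example that is not part of the thread (a hypothetical parser, not anything from Cisco or the poster), the snippet below reads the object-group and access-list lines quoted above and flags every entry whose port coverage is the full 1-65535 range, which both the PS4-PORTS and ANY-TCPUDP lists contain; it assumes the `range` form of service object-groups and the plain `permit <proto> <src> <dst>` ACE form shown in the post.

```python
# Added example (not from the thread): hypothetical parser for the quoted IOS syntax.
# Constructed sample built from the config lines quoted in the thread.
SAMPLE = """
object-group service OGPS4
 tcp-udp range 1 65535
object-group network PS4
 host 192.168.192.4
ip access-list extended PS4-PORTS
 permit tcp any any
 permit udp any any
ip access-list extended ANY-TCPUDP
 permit object-group OGPS4 object-group PS4 any
"""
HEADERS = {"object-group service": "svc", "object-group network": "net",
           "ip access-list extended": "acl"}

def parse(text):
    # Split the snippet into service groups, network groups and ACL entries.
    store, kind, name = {"svc": {}, "net": {}, "acl": {}}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        head = next((h for h in HEADERS if line.startswith(h + " ")), None)
        if head:                                   # start of a new block
            kind, name = HEADERS[head], line.split()[-1]
            store[kind][name] = []
        elif kind == "svc":                        # "tcp-udp range 1 65535" (range form only)
            proto, _, lo, hi = line.split()
            store[kind][name].append((proto, int(lo), int(hi)))
        elif kind == "net":                        # "host 192.168.192.4"
            store[kind][name].append(line.split()[-1])
        else:                                      # ACE tokens, e.g. permit tcp any any
            store[kind][name].append(line.split())
    return store["svc"], store["net"], store["acl"]

def full_port_exposures(text):
    """Return {acl: [(protocols, sources)]} for ACEs that cover ports 1-65535."""
    svc, net, acls = parse(text)
    findings = {}
    for acl, entries in acls.items():
        for tok in entries:
            if tok[1] == "object-group":           # service-group ACE; "tcp-udp" means both
                protos = {q for p, lo, hi in svc[tok[2]]
                          if (lo, hi) == (1, 65535) for q in p.split("-")}
                src = net[tok[4]] if tok[3] == "object-group" else [tok[3]]
            elif tok[1] in ("tcp", "udp") and len(tok) == 4:  # no port keywords at all
                protos, src = {tok[1]}, [tok[2]]
            else:
                continue
            if protos:
                findings.setdefault(acl, []).append((sorted(protos), src))
    return findings
```

Running `full_port_exposures(SAMPLE)` reports both PS4-PORTS entries as open to any source on every port, and the ANY-TCPUDP entry as every TCP and UDP port for 192.168.192.4.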

deanwebb


Dieselboy

Quote from: deanwebb on August 09, 2016, 10:34:52 AM
Well, I meant if the PS4 had a static IP on the home LAN.

Yes  :rofl:
Well, it's a DHCP reservation because I didn't want to mess with the PS4 settings too much.

If I get time I'll log a tac and ask them the question.  :awesome:

deanwebb

You know you're a true geek when you have a support contract for your home gear.

Dieselboy

I have a 24x7x4 support contract for my firewall in Sri Lanka which is running mostly the same config. I would like to open a range of ports from any internet host to an internal device in Sri Lanka. I would like to know the best way to go about doing this.

To be honest I wouldn't be surprised if TAC say "No way jose! It's a security risk and it's not supported" or something like that.

I did have TAC support on my 2901 voice router when I was doing the voice certs a few years ago. Came in very handy!