PIX 501 NAT Moderate

Sep 26th, 2007

I have a PIX501 at my house with the following setup:

Motorola Cable Modem connected to my PIX 501.

PIX 501 connected to my Linksys WRT350N wireless router.

My XBOX360 connected wirelessly to my router.

The PIX is handing out IPs via DHCP. The router is set to not issue IPs, so it's acting more like an access point.

I'm trying to play Halo 3 online and it's telling me I need to change my NAT settings because they are set to Moderate and need to be set to Open.

I am going to make sure that the router is set to NAT disabled and Dynamic Routing Enabled.

But what do I need to put in the PIX so that it does NAT Open and not Moderate?

I have the following NAT command in it now:

nat (inside) 1 0 0


kirvin1 Thu, 09/27/2007 - 06:14

Our University campus is having the same issue with Halo 3. Many students are getting "moderate network" error messages and can't connect to any Halo 3 servers.

Our NAT device is an ASA 5500 series appliance.

Any feedback would be appreciated.

1cmerchant Thu, 09/27/2007 - 07:11

I just switched from a Pix 501 to an ASA 5505 on my home network a few weeks ago, but haven't been having any problems playing Halo 3. Using standard outbound dynamic PAT, with no special application filtering rules other than the global defaults. Perhaps you could post a sanitized version of your config and that will shed some light?

kirvin1 Thu, 09/27/2007 - 09:36

I got some clarification on the problem. It looks like students are able to connect to Halo 3 servers on the Internet. However, they cannot connect to servers on the local network. I'm using a Clean Access in-band appliance as the default router. I added a policy to their role to allow all TCP, UDP, and ICMP traffic, but they still can't connect.

readymixed1 Wed, 10/03/2007 - 08:30

I emailed Cisco to see if they had any ideas on how to fix this problem.

Has anyone else gotten any information on this and/or a fix?

readymixed1 Thu, 10/04/2007 - 11:40

I found a fix. I'm still looking into how to put it into my PIX, but on a router you put in the following:

XBOX Live uses the following ports:

TCP: 3074

UDP: 88 & 3074

Therefore you have to do a port forwarding for TCP 3074 and UDP 88 & 3074.

keithcroft Mon, 11/19/2007 - 15:00

This is what I have on my PIX 501:

Note: I have my 360 hard coded on my network as

static (inside,outside) tcp interface 3074 3074 netmask 0 0

static (inside,outside) udp interface 3074 3074 netmask 0 0

static (inside,outside) udp interface 88 88 netmask 0 0

access-list outside permit tcp any interface outside eq 3074

access-list outside permit udp any interface outside eq 3074

access-list outside permit udp any interface outside eq 88

Hope this helps.
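
Added example (not part of the thread or any poster's configuration): a small Python audit for PIX 6.x port redirects of the kind discussed above. It checks that each `static` redirect names an inside host, has a matching `access-list` permit that is applied with `access-group`, and that nothing beyond the Xbox Live ports listed in the thread is exposed. The function name `audit`, the addresses 192.168.1.50 and 192.168.1.10, and the tcp/8080 redirect are constructed for illustration.

```python
import re

# Xbox Live ports as listed in the thread: TCP 3074, UDP 88 and 3074.
XBOX_LIVE = {("tcp", 3074), ("udp", 88), ("udp", 3074)}
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) interface (\d+) "
                       r"(?:(\d+\.\d+\.\d+\.\d+) )?(\d+)\b")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface \w+ eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface \w+$")

def audit(config):
    """Return findings for the static port redirects in a PIX 6.x config."""
    forwards, permits, bound, findings = {}, {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            forwards[(m[1], int(m[2]))] = m[3]      # m[3] is None when no inside host
        elif m := ACL_RE.match(line):
            permits[(m[2], int(m[3]))] = m[1]       # (proto, port) -> ACL name
        elif m := GROUP_RE.match(line):
            bound.add(m[1])                         # ACLs actually applied to an interface
    for key in sorted(set(forwards) | set(permits)):
        name = f"{key[0]}/{key[1]}"
        if key in forwards and forwards[key] is None:
            findings.append(f"{name}: static has no inside host address")
        if key not in forwards:
            findings.append(f"{name}: permitted inbound but not redirected")
        if key not in permits:
            findings.append(f"{name}: redirected but no access-list permit")
        elif permits[key] not in bound:
            findings.append(f"{name}: access-list {permits[key]} not applied by access-group")
        if key not in XBOX_LIVE:
            findings.append(f"{name}: not an Xbox Live port, review the exposure")
    return findings

# Constructed sample: complete entries for a console at 192.168.1.50 (placeholder),
# plus one stray redirect (tcp/8080) that the audit should flag.
SAMPLE = """
static (inside,outside) tcp interface 3074 192.168.1.50 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 192.168.1.50 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 192.168.1.50 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.10 8080 netmask 255.255.255.255 0 0
access-list outside permit tcp any interface outside eq 3074
access-list outside permit udp any interface outside eq 3074
access-list outside permit udp any interface outside eq 88
access-group outside in interface outside
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against an excerpt rather than a full configuration, the "not applied by access-group" finding only means the binding line is not in the excerpt.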

