What is NAT and why is NAT Traversal required?

This article gives an introduction to NAT – Network Address Translation, explains why NAT is required, gives an introduction to NAT Traversal (required for certain streams like SIP/H.323) and lists the techniques available for doing the NAT Traversal.

What is NAT?

NAT is the short form of Network Address Translation. Basically, there are two types of IP addresses. Private IP addresses which are used within a network (LAN) and Public IP address which is used for devices to connect to public servers in the Internet. While there are enough private IP addresses to be assigned to all the computers of a LAN private network, there are only a limited number of public IP addresses that can be given to companies to communicate with the outside network.

Let us assume that a company has only one public IP address but several private IP address dynamically assigned by the DHCP server for all its computers. So, a NAT application (Router, Firewall) would change the source address (private IP address) on every outgoing packet from the internal computers in to the single public IP address. But it assigns a different source port for packets coming from each computer, so that while the packets return with a single public IP address, it can still remember which packet needs to go to which computer (Every IP address has source IP, destination IP and associated port numbers). Of course, while coming back, the packets are re-assigned with its respective private IP address of the computer it needs to go to and the public IP address is discarded by the NAT application. This complex process is managed by a port mapping table managed by the NAT application, for all the incoming and outgoing packets from a network.

There is one more reason for using a NAT – Security. As the internal IP addresses are changed for all the computers at the gateway level, the internal IP addresses are never revealed to the external computers receiving the packets/ intercepting the packets.

What is NAT Traversal and why is it required?

Any incoming packets (which come directly from unsolicited sources) would be blocked by such a NAT appliance, as the internal PC’s and IP phone extensions are non-routable from the public network. But most of the incoming calls in IP Telephony (SIP, MGCP) and Video Conferencing applications (H.323) come directly from external sources. Also complicating the whole thing is the behaviour of some firewalls: Some firewalls block traffic based on the direction of their flow. They do not allow packets from outside the network to come inside, without any of the internal systems requesting for the same. But the very idea of IP telephony is to allow anyone from outside to call anyone inside the network. So, in such cases NAT/Firewall traversal is required selectively.

Types of NAT/Firewall Traversal:

¤ Universal Plug and Play (UPnP): VoIP applications require to discover and use the external IP addresses and the port numbers that NAT selects for signalling and media flows – The SIP clients calling from outside can put this information in to the SIP signalling and establish a call. UPnP allows client applications (Firewalls, SIP Phones) to work with each other and find out and establish a call in that manner but all the client applications need to be UPnP compliant (have the software pre-loaded). So, all the involved vendors need to support this.

¤ Simple Traversal of UDP through Network Address Translators (STUN): This method involves a STUN server, in the public address space, accessible to the clients calling from outside the network. But the clients need to be STUN enabled, beforehand. Such clients sends an exploratory message to the STUN server to determine the required information. The STUN server examines the incoming message and informs the client of the public IP address and ports to be used for NAT traversal.

¤ Application Layer Gateway (ALG): This technique proposes the replacement (or up-gradation) of the existing NAT/Firewall with ALG. The ALG can change the signalling to reflect the public IP addresses and ports used by the signalling and media streams and hence the call can be established from outside.

¤ Manual Settings: This method involves using static NAT addressing. That is, each client is manually configured in the NAT to use the public IP address and a certain port every time. These details need to be configured with the external client (SIP phone) now, to establish a call.

¤ Tunneling: In this technique, there are two servers – one outside the network and another inside the network. The server which is outside receives the SIP traffic, modifies its signalling to reflect the public ip address and the port numbers associated with the NAT, creates a tunnel with the other server sitting inside the network (the firewall is reconfigured to allow this traffic) and carries only the SIP signalling and media traffic, in to the network.

¤ Proxy Server: In this technique, two proxy servers sit in-between the IP PBX, internal SIP phones and the external SIP phones. The SIP signalling packets from outside the network are directed to the signal proxy server, which appends the information to include its own ip address and port information and sends it to the PBX. The PBX will send back an ACK message to the proxy, which is forwarded to the calling SIP phone with the required information to set up a media stream connection with the media proxy server. The media proxy then forwards these packets to the internal SIP phones. In the whole process, the external SIP phones assume that the proxy server is the PBX/ internal SIP phones and vice-versa.

You can stay up to date on the various computer networking technologies by subscribing to this blog with your email address in the sidebar box that says ‘Get email updates when new articles are published’