NAT

From open-voip.org

Jump to: navigation, search

What is NAT?

NAT - Network Address Translation

  • Helps to use the same private networks behid each public IP, which extend the number of the addresses that can be used.
  • Allow better security as the privtae networks are not reachable from the public network directly.

The following are the NAT IP ranges, which are not routebale in the public internet and can be used behind every valid public IP that supports NAT.

File:NAT_renages.GIF

HOW does NAT works?

The NAT device will translate each packet that comes from the private network (10.10.10.X in the diagram below) to its public IP (100.100.100.100) and unique port for each source private IP:port (e.g: allocate port 20000 in 100.100.100.100 for packets from source: 10.10.10.2:5060). This port allocation ("hole") will be opened on the first packet from the privtae network that goes out to the public and will stay open as long as there is traffic on this port. the port will be closed after period of time that there is no traffic on the port. The idle time for closing the port is diffrent between the NAT models and may take 30 sec to few minutes. If the port was closed and a new session is started (with the same source IP:port) a new port may be allocated by the NAT device. that may cause issues for VOIP traffic, I will discuss it in the NAT & VOIP problems page.

File:NAT_diagram.GIF

This table shows an example of port allocation of NAT device for each source IP:port. This table represent the first three types of NAT whre the destination IP:port has no meaning.

File:NAT_port_allocation.GIF

NAT types

Type 1 - Full cone NAT

Type 2 - Restricted cone NAT

Type 3 - Port-Restricted cone NAT

Type 4 - Symetric NAT

While for the first three types the NAT device will allocate external ports for each source IP:port, the forth type (symetric) will allocate external ports for each source IP:port AND destination port IP. So, for example in the first three types, a packet that was sent from the private PC 10.10.10.2:5060 to any server in the public network, will get the external port 100.100.100.100:20000. it will get the same port when sending to 50.50.50.50:5060, 50.50.50.50:4569 or even 60.60.60.60:XXXX. But if there is symetric NAT (type 4) each of the above destinations (50.50.50.50:5060, 50.50.50.50:4569, 60.60.60.60:XXXX) will get unique port even if the source IP:port (10.10.10.3:5060) was identical in all cases.

The following Table shows the NAT types and their diffrences. It shows from which servers the reply-packets will be allowed to access the private IPs and from which IPs/Port - not.

File:nat_types.GIF


Personal tools