Because they have private addresses, and are therefore not reachable from outside the NAT, terminals on the LAN cannot receive externally originated calls. Even when they initiate calls to external terminals, a problem still arises. When the call is set up, the IP address of the calling terminal is carried in the payload of the packets sent. The destination terminal receives the call setup packets, examines them, and starts transmitting audio and video towards the calling terminal, using the IP address it obtained from the contents of those packets.

If that IP address is private, the audio and video packets sent by the external terminal towards the internal terminal are discarded at the Internet access router, because their destination address is not routable. The connection between the two terminals appears to succeed, but in reality the NAT-internal terminal never receives any audio or video from the external terminal.
Solution for the NAT/Firewall Problem
The only equipment that avoids all of the problems described above is an H.323-compatible NAT/firewall device. Such a firewall leaves TCP port 1720 open and also allows access to the other, dynamically determined H.323 ports.
Videoconferencing systems usually have private IP addresses that are not reachable from external routers. To allow calls to function properly, the network administrator can define a static NAT entry (a permanent association between a private IP address and a public IP address reserved for H.323 videoconferencing) for every terminal that must be reachable from an external connection.

The NAT device substitutes the public static IP address for the private one in both the header and the payload of the setup packets sent from the internal terminal to the external terminal. The destination terminal uses that public address to address its reply packets, which are then routed through the NAT device to the internal terminal.
Firewall ALG
Application Level Gateways (ALGs) are firewalls programmed to recognize specific IP protocols such as H.323.

Instead of looking only at the information in packet headers to decide whether to forward or block a packet, ALGs analyse in detail the data contained in the packet payload. The H.323 protocol places important control information, such as the audio and video port identifiers, in the payload. The terminal expects to receive the audio and video connections from the remote calling terminal on these ports. By determining which ports the terminal expects to use, the ALG dynamically opens only those ports, leaving the others closed to preserve network security. An example of a firewall ALG follows.
The Aethra Application Level Gateway is built into the Aethra Stargate xDSL Router and allows any videoconferencing terminal, independent of its manufacturer, to resolve the NAT/firewall problem. The Stargate router is capable of inspecting every incoming and outgoing H.323 call and dynamically opening only the ports being used for the H.323 videoconference.

The Stargate router also supports NAT functionality and is therefore capable of automatically substituting the public NAT address for the private IP address that the internal terminal inserts in the H.323 payload. When the Aethra ALG functionality is used with an Aethra videoconferencing system, the “Aethra NAT” function of the videoconferencing system must be disabled, because the network equipment is already H.323 compatible.
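The two mechanisms described above (static NAT rewriting of the address carried in the H.323 payload, and an ALG opening only the ports the terminal announces) are modelled in the following added example; it is illustrative code written for this page, not Aethra's or any vendor's implementation. It assumes a flat text rendering of the setup payload (real H.323 uses ASN.1/PER-encoded H.225/H.245 messages) and a constructed static NAT table.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a flat text rendering of the addresses an H.323 terminal
# carries inside its call-setup payload (call signalling on TCP 1720, plus the
# RTP ports it expects audio and video on). Real H.323 encodes these in
# ASN.1/PER H.225/H.245 messages; this line format is an assumption.
SAMPLE_SETUP = (
    "caller 192.168.10.25:1720\n"
    "audio 192.168.10.25:49152\n"
    "video 192.168.10.25:49154\n"
)

# Constructed static NAT table: private terminal address -> reserved public address.
STATIC_NAT = {"192.168.10.25": "203.0.113.10"}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENDPOINT = re.compile(r"^(?P<kind>\w+) (?P<ip>[\d.]+):(?P<port>\d+)$")


@dataclass(frozen=True)
class Pinhole:
    proto: str
    port: int


def is_rfc1918(ip):
    """True for addresses that are not routable on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def alg_process(setup_text, static_nat):
    """Model of an H.323-aware NAT/ALG: rewrite private addresses in the
    payload to their static NAT address and return exactly the ports the
    firewall must open. Returns (rewritten_setup, set_of_pinholes)."""
    rewritten, pinholes = [], set()
    for line in setup_text.splitlines():
        m = ENDPOINT.match(line)
        if not m:
            raise ValueError(f"unparseable payload line: {line!r}")
        kind, ip, port = m["kind"], m["ip"], int(m["port"])
        if is_rfc1918(ip):
            # Without a mapping the remote side would send media to a
            # non-routable address: the call "succeeds" with no audio/video.
            if ip not in static_nat:
                raise ValueError(f"no static NAT entry for private address {ip}")
            ip = static_nat[ip]
        rewritten.append(f"{kind} {ip}:{port}")
        # Signalling rides TCP 1720; media is UDP on the announced ports only.
        pinholes.add(Pinhole("tcp" if kind == "caller" else "udp", port))
    return "\n".join(rewritten) + "\n", pinholes
```

A terminal whose private address has no static NAT entry is rejected at setup time rather than left to fail silently mid-call, which is the failure mode the text describes.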