52
NAT (Network Address Translation)
Network Address Translation is an Internet standard that allows a LAN (Local Area Network) to use a set
of IP addresses for internal traffic and another address (or set of addresses) to connect to services on an
external network (the internet, for example). Devices that implement NAT are located at boundaries
between the LAN and the external network, and their purpose is to provide translation of IP addresses for
all packets that are destined for the external network. Many organizations use NAT as a security
mechanism because it masks the internal IP addresses—if hackers do not know the IP address of a
machine, they cannot attack it and cause disruptions. NAT also allows a company to use more IP
addresses than they might otherwise be allocated. Since these addresses are only used internally, there is
no problem with IP address conflicts with other organizations.
Problems with Video and Voice Communications on NAT/Firewall Protected Networks
The IP based voice and video protocols like H.323 require that terminals be capable of establishing audio-
video communication channels using IP addresses and data ports. In this situation, a problem arises:
terminals must “listen” for incoming calls to establish IP connections, but the firewall is generally
configured in such a way as not to allow packets past that are not expressly requested. Even if the network
administrator left a port open for the terminal to receive notification of a call (port 1720, designated as a
“well-known TCP port”) the video and voice communication protocols for IP necessitate the opening of
other ports in order to receive control messages and open audio and video channels.
The identities of these additional ports are determined dynamically, not in advance, meaning that the
network administrator would have to open all the firewall ports to allow video and voice communication,
thus virtually disabling the firewall. Network administrators are unlikely to do this (and wisely so), since it
effectively eliminates network security policies. NAT also creates an obstacle for voice and video
communications over IP. NAT allows an organization to assign private IP addresses to machines on the
local network, but routers that control the flow of data towards the Internet can handle only packets with
routable addresses or public IP addresses.
A terminal located behind the NAT device on the LAN can initiate communication with any other terminal in
the same LAN because the IP addresses within the LAN are routable, meaning that it is possible to have
subnets in a company managed by an internal router. This allows the establishment of audio-video
communications on different branches of the subnet.
Because they have private addresses, and are therefore not accessible from outside the NAT, terminals
on the LAN cannot be reached by externally originating calls. Even if they initiate calls to external
terminals, a problem still arises. When the call is initiated, the IP address of the calling terminal is
contained in the payload of the packet sent. The destination terminal receives call setup packets,
examines them and starts to transmit audio and video towards the terminal from which the call was
received, and from which the IP address was obtained by examining the contents of the received packets.
If this IP address is private, the router for Internet access discards the audio and video packets sent from
the terminal external to NAT towards the internal terminal because the packets sent were non-routable.
The connection between two terminals appears to be successful but in reality the NAT-internal terminal
never receives the audio or video from the external terminal.
Solution for the NAT/Firewall Problem
The only equipment that does not create any of the problems described above is a NAT/firewall H.323-
compatible device. Such a firewall does not block the TCP 1720 port and allows access to the other,
dynamically-determined H.323 ports.
Videoconferencing systems usually have private IP addresses that are not accessible from external
routers. To allow calls to function properly, the network administrator can define static NAT (a permanent
Содержание Maia XC
Страница 1: ...Maia XC Use and installation manual ...
Страница 15: ...15 Cabling Scheme ...