Ask Mr. Andrews: What is NAT Traversal?
“Dear Mr. Andrews” is a new addition to our VoIP Supply Knowledge Base.
Cory Andrews, our Director of New Business Initiatives, will be taking questions on everything you would like to know about VoIP. Here is the first of our series.
Dear Mr. Andrews:
“What is NAT Traversal?”
NAT is short for Network Address Translation. You may also hear NAT referred to as “IP Masquerading.” NAT is typically used by a router or firewall to allow devices on a LAN (Local Area Network) with private IP addresses to share a single, public IP address. Why would we want to do this? A private IP address is only reachable on the LAN and can only communicate with other devices on the LAN, so NAT provides translation between private and public IP addresses at the point where the LAN is connected to the Internet. “NAT Traversal” is the passing of traffic through NAT. Devices such as IP Phones typically have private IP addresses, and typically cannot communicate with a SIP registrar on the Internet without some form of NAT.
You can think of a NAT as a translator or intermediary between private and public devices. A device on the LAN that wants to communicate with a device on the Internet sends its traffic to the NAT router, which replaces the source device’s private IP address with its own public IP address and then forwards the traffic on to the destination device on the Internet. When the device on the Internet responds, the NAT router cross-references its translation table to find the original source IP address of the packet, which is the address of the device on the LAN that initiated the connection, and forwards the response to that device.
With VoIP, NAT can be problematic. First, when connecting to a SIP registrar, devices will try to register with their private IP address. Second, firewalls will not pass inbound messages through to a NATed device without an established session, or “pinhole.” A session is created when a packet is sent from the NATed device to the Internet. The session pinhole allows the reply from the Internet to traverse the firewall and reach the NATed device. To maintain the session, the NATed device behind the firewall must keep sending messages to keep the session/pinhole open. These are called “NAT Keep Alive” messages.
When a connection is originated by a device outside the LAN, it is not clear which device on the LAN the connection is meant to be established with. A rule is required to tell the NAT router what to do with the incoming traffic, or it will discard the traffic and no connection will be established. Many NAT routers and firewalls support a DMZ, which allows for the setup of simple rules for handling inbound traffic. Another method, called Port Forwarding, allows the NAT router to pass incoming connection requests to different devices on the LAN depending on the type of connection (in this case, VoIP traffic).
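The translation table, session pinhole, keep-alive and port-forwarding behaviour described above, as an added example that is not part of the original column: a toy NAT router in Python that rewrites outbound packets, opens a timed pinhole per session, only lets inbound traffic through a live pinhole from the same remote endpoint, and otherwise falls back to an explicit port-forward rule or discards the packet. The addresses, the starting public port of 40000 and the timeout are assumptions for illustration; real NATs differ in how strictly they match the remote endpoint.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

class NatRouter:
    """Toy port-restricted NAT: translation table, timed session pinholes, port-forward rules."""
    def __init__(self, public_ip, session_timeout=60):
        self.public_ip = public_ip
        self.session_timeout = session_timeout   # seconds a pinhole stays open without traffic
        self.next_port = 40000                   # next free public port to hand out (assumed)
        self.table = {}          # (public_port, proto) -> {"private", "remote", "last_seen"}
        self.forward_rules = {}  # (public_port, proto) -> (private_ip, private_port)

    def add_port_forward(self, public_port, proto, private_ip, private_port):
        self.forward_rules[(public_port, proto)] = (private_ip, private_port)

    def outbound(self, pkt, now):
        # LAN -> Internet: swap the private source for the public one and create or
        # refresh the session; a NAT keep-alive is simply another outbound packet.
        for (pub_port, proto), s in self.table.items():
            if proto == pkt.proto and s["private"] == (pkt.src_ip, pkt.src_port):
                s["last_seen"] = now
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[(pub_port, pkt.proto)] = {"private": (pkt.src_ip, pkt.src_port),
                                                 "remote": (pkt.dst_ip, pkt.dst_port), "last_seen": now}
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt, now):
        # Internet -> LAN: deliver only through a live pinhole opened toward this same
        # remote endpoint, or via an explicit port-forward rule; otherwise discard (None).
        key = (pkt.dst_port, pkt.proto)
        s = self.table.get(key)
        if s is not None and now - s["last_seen"] > self.session_timeout:
            del self.table[key]  # no keep-alive arrived in time: the pinhole is closed
            s = None
        if s is not None and s["remote"] == (pkt.src_ip, pkt.src_port):
            ip, port = s["private"]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        if key in self.forward_rules:
            ip, port = self.forward_rules[key]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        return None
```

Sending a packet from a phone, then replaying the registrar's reply before and after the timeout, shows why a phone that stops sending keep-alives becomes unreachable until a port-forward rule is added.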
EdgeWater Networks has developed specialized edge devices that provide NAT and firewall capabilities.