The four pitfalls of NAT

There are four basic pitfalls of NAT that everyone should learn. Understand these pitfalls and you will be well-equipped to handle the NAT scenarios that you'll no doubt face:

  • NAT can be there even when you don't know about it. The Internet does not have to be involved.
  • Any two techniques to defeat NAT used together will cancel each other out.
  • Some devices use a SIP ALG (Application Layer Gateway) to defeat NAT. They even do that without telling you.
  • NAT correction techniques (like ALG) can falsely identify a situation and actually make things even worse.

Become familiar with these pitfalls. They are referenced frequently throughout this chapter.

Let's discuss each of these in more detail:

  • NAT can be there even when you don't know about it. The Internet does not have to be involved: If you are using home Internet service from your cable or telephone company, or even in some cases a business-class service, the provider may on occasion use NAT to put all of its customers in a separate network and then translate that network to other segments in its infrastructure. This can happen not just once but multiple times between your device and its destination, and you have no control over it. This causes real problems for people trying to use VoIP: most VoIP protocols have only basic provisions for dealing with NAT and often fall short. This is probably the first problem that most home users will encounter when trying to use VoIP from their homes. NAT can also be used in this fashion inside a LAN, connecting multiple LANs without ever reaching the Internet. Getting on the Internet is just the most popular use for NAT, but it can be used just as well to isolate one LAN from another. If you're asking your friendly neighborhood VoIP guru for help and he suggests a NAT problem, don't count it out just because you are not using the Internet or because you don't know NAT is there.
  • Any two techniques to defeat NAT used together will cancel each other out: This one is tricky and a very popular issue among VoIP users. The best way to visualize it is to picture a game of Othello. Whenever you make a move to block the NAT, it flips everything around. If you make a counter move, it flips it all back. This might even be happening more often than you think (see the first pitfall). As long as it's an odd number of flips and you started out with a non-working situation, you should end up okay, but make it a point to do only the most minimal modifications possible to avoid confusion and pain. If your phone supports NAT features and you enable them, and you also enable them on FreeSWITCH, you may end up with one-way or no audio. What's even more confusing is that there are so many ways to cancel out NAT: some require changes only on your phone behind the NAT, some require changes only on FreeSWITCH, and some require a change on both ends.
  • Some devices use a SIP ALG to defeat NAT: "Arrrghh, curse you SIP ALG!" We've heard that exclaimed countless times over IRC or on a community conference call. ALGs mean well, but they usually mess things up real bad. They are like a combination of the first two pitfalls, because they are usually implemented inside your provider's network or in your own router and enabled by default without your knowledge. They use the worst, last-resort ANTI-NAT technique of all: modifying the text of SIP packets as they pass through your router. This can lead to misbehavior and misrouted traffic that presents itself to you as a complete mystery. Heed my words: if you find yourself uttering the phrase "This makes absolutely no sense", the first thing you should check is whether you are under the evil spell of a SIP ALG. In many cases, simply turning off the SIP ALG resolves NAT-related issues.
  • NAT correction techniques can falsely identify a situation and actually make things even worse: It helps to understand your surroundings at least well enough to know whether you actually need to enable ANTI-NAT features. Some SIP agents make use of the more arcane aspects of SIP and do really fancy things with the network addresses in the packet. For those of you unfamiliar with SIP, yes, I know it's all arcane, but we need to keep things in perspective. So the problem is that completely legitimate packets which merely do things in a way that resembles NAT can trigger some of the features we use to detect NAT. You need to be careful, especially with Cisco phones, which are notorious for behaving badly behind NAT and are subject to false detection at the same time.
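To make the last three pitfalls concrete, here is an added illustration (not from the book and not FreeSWITCH's own code) of the kind of check NAT detection rests on: comparing the addresses a phone writes into its Via and Contact headers with the address its packet actually arrived from. The SIP messages, the addresses and the `alg_rewrite` imitation of an ALG are constructed assumptions; it shows a phone behind NAT, the same packet after an ALG has rewritten it (the check goes quiet), and a legitimate multi-homed agent that trips the check falsely.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a REGISTER as a phone behind NAT sends it. The phone only
# knows its private address, so Via/Contact carry 192.168.1.20 even though the
# datagram leaves the router from 203.0.113.7 (a documentation address).
PHONE_BEHIND_NAT = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n\r\n"
)
# Constructed sample: a multi-homed agent that sends from 198.51.100.10 but
# legitimately advertises a Contact on its other public interface.
MULTIHOMED_UA = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK8823;rport\r\n"
    "Contact: <sip:sbc@198.51.100.9:5060>\r\n\r\n"
)

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", re.M | re.I)
CONTACT_RE = re.compile(r"^Contact:.*?@([\d.]+)(?::(\d+))?", re.M | re.I)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def nat_checks(sip_message, source_ip):
    """Compare the addresses the agent wrote into Via/Contact with where the
    datagram really came from. Each key is one heuristic that fired."""
    via = VIA_RE.search(sip_message)
    contact = CONTACT_RE.search(sip_message)
    via_ip = via.group(1) if via else None
    contact_ip = contact.group(1) if contact else None
    return {
        "via_is_private": via_ip is not None and is_rfc1918(via_ip),
        "via_mismatch": via_ip is not None and via_ip != source_ip,
        "contact_mismatch": contact_ip is not None and contact_ip != source_ip,
    }

def suspect_nat(sip_message, source_ip):
    """True when any heuristic fires; this is exactly where false positives live."""
    return any(nat_checks(sip_message, source_ip).values())

def alg_rewrite(sip_message, private_ip, public_ip):
    """Crude imitation of a SIP ALG: blindly rewrite the private address in the
    SIP text with the public one as the packet passes through the router."""
    return sip_message.replace(private_ip, public_ip)

if __name__ == "__main__":
    print("behind NAT :", nat_checks(PHONE_BEHIND_NAT, "203.0.113.7"))
    after_alg = alg_rewrite(PHONE_BEHIND_NAT, "192.168.1.20", "203.0.113.7")
    print("after ALG  :", nat_checks(after_alg, "203.0.113.7"))
    print("multi-homed:", nat_checks(MULTIHOMED_UA, "198.51.100.10"))
```

The first case is the one NAT handling is meant for; in the second the ALG has hidden it from the server, so adding server-side NAT handling on top is the two-techniques-cancel scenario; the third fires on Contact alone even though nothing is translated.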