
NAT TRAVERSAL SOLUTION


H.323 NAT Technology


problem
NAT Firewall

solution
NAT Firewall

IP phone origination endpoint H.225 H.245 Q.931

Gatekeeper

IP phone termination endpoint H.225 H.245 Q.931

IP phone origination endpoint port H.225 7010 H.245 tunnels Q.931

Gatekeeper

IP phone termination endpoint H.225 H.245 Q.931

RTP/RTCP

RTP/RTCP

RTP/RTCP

RTP/RTCP

problems
Private IP addresses and a NAT firewall are used to prevent connections from being established to devices behind the NAT firewall. The H.323 protocol uses three types of network connections for a VoIP call. Any problem that causes the loss or inability to establish any of these three connections will result in H.323 call failure. Call Signal (Q.931/H.245) is a TCP network connection that cannot be established from outside the NAT firewall. Call Setup (RAS) is a UDP network connection that may have different send and receive ports. Call Voice Data (RTP/RTCP) is a UDP network connection that may have different send and receive ports.

solution
There are two call scenarios.

Outbound Calls
In this scenario, the call origination party is behind NAT. For outbound calls to support two-way audio, the following conditions must be met:
1. The H.323 origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive RAS messages. The default port for RAS communication is 1719.
2. The H.323 origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive RTP/RTCP voice data packets. If the send and receive ports are different, the connection will support one-way audio only.

Inbound Calls
In this scenario, the calls are originated from outside the NAT firewall and terminated into the endpoint which is behind the NAT firewall. Because the call must be established from outside the NAT firewall, it will be dropped by the firewall unless one of the following methods is used:
1. NAT Traversal: special software that runs on the endpoint and on the gatekeeper and maintains a permanent socket connection between them to transfer call data. Since the socket is established and maintained from the endpoint (behind NAT) to the gatekeeper (outside the NAT), this connection is constantly available and can be used to make a successful inbound call.
2. Bi-directional NAT Firewall: a special NAT firewall that translates an outside connection into an inside port number or IP address.
3. DMZ NAT Firewall: some firewalls allow DMZ settings that permit direct packet routing to a particular IP address that represents the endpoint behind the NAT firewall.


SIP NAT Technology

problem
[Diagram: IP phone origination endpoint, Gatekeeper and IP phone termination endpoint with a NAT firewall in between; SIP Control Messages plus RTP/RTCP media on each call leg.]

solution
[Diagram: the IP phone origination endpoint exchanges SIP Control Messages with the Gatekeeper on port 5060 through the NAT firewall; RTP/RTCP media flows on each call leg to the IP phone termination endpoint.]

problems
Private IP addresses and a NAT firewall are used to prevent connections from being established to devices behind the NAT firewall. The SIP protocol uses two types of network connections to complete a VoIP call. Any problem that causes the loss or inability to establish either of these two connections will result in SIP call failure. Call Message is a TCP or UDP network connection that cannot be established from outside the NAT firewall. Call Voice Data (RTP/RTCP) is a UDP network connection that may have different send and receive ports. Some companies use STUN servers to facilitate connections of endpoints behind NAT, but these servers are usually used for endpoints that do not comply with universal requirements. However, most contemporary endpoints, including all Cisco SIP Phones, allow TTL and port settings to accommodate the NAT.

solution
Inbound Calls
In this scenario, the calls are originated from outside the NAT firewall and terminated into the endpoint which is behind the NAT firewall. Due to the nature of the SIP protocol, inbound calls behind NAT are possible if the following conditions are met:
1. The Registrar and the proxy SIP Server must reside on the same network server (have the same IP address). Because the endpoint sends UDP registration call messages to the SIP Registrar according to its TTL (time-to-live) parameter, the NAT firewall maintains an open port from the internal endpoint (IP Phone, Soft Phone, etc.) to the SIP Registrar/Proxy. This open firewall port is used by the Proxy to send inbound Call Messages to the endpoint (usually on port 5060).
2. The low TTL (time-to-live) setting on the endpoint (usually 60 seconds) needs to be less than the corresponding TTL parameter for connection persistency on the NAT firewall.
3. The endpoint must send and receive Call Messages on the same port (default 5060).
4. The endpoint must send and receive RTP voice data on the same port (other than 5060). Once the Call Message is received by the endpoint, it opens a UDP session to the SIP Proxy to allow RTP voice data transfer.

solution
Outbound Calls
In this scenario, the call origination party is behind NAT. For outbound calls to support two-way audio, the following conditions must be met:
1. The SIP origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive Call Messages. The default port for Call Message communication is 5060.
2. The SIP origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive RTP/RTCP voice data packets. If the send and receive ports are different, the connection will support one-way audio only.
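The two conditions that recur in the SIP and H.323 sections above (the endpoint's re-registration interval must be shorter than the NAT's UDP binding timeout, and send and receive must use the same port or audio becomes one-way) can be checked against a small simulated NAT. This is an added example, not SysMaster code; the NAT model, the address 10.0.0.5 and the timing values are constructed assumptions.

```python
# Added example (not SysMaster code). Assumed NAT model: a UDP binding is created
# when an inside host sends a packet, refreshed by every later packet from the same
# inside (ip, port), forwards inbound packets only while unexpired, and always maps
# them back to the inside port that opened the binding.

INSIDE_IP = "10.0.0.5"   # constructed private address of the phone
SIP_PORT = 5060


class SimNat:
    def __init__(self, udp_timeout):
        self.udp_timeout = udp_timeout   # NAT "TTL" for idle UDP bindings, in seconds
        self.bindings = {}               # (inside_ip, inside_port) -> [ext_port, last_seen]
        self.next_ext_port = 40000

    def outbound(self, inside_ip, inside_port, now):
        """Inside host sends a packet: create or refresh its binding, return the public port."""
        key = (inside_ip, inside_port)
        if key not in self.bindings:
            self.bindings[key] = [self.next_ext_port, now]
            self.next_ext_port += 1
        self.bindings[key][1] = now
        return self.bindings[key][0]

    def inbound(self, ext_port, now):
        """Packet from outside to a public port: inside (ip, port) it reaches, or None if dropped."""
        for key, (port, last_seen) in self.bindings.items():
            if port == ext_port and now - last_seen <= self.udp_timeout:
                return key
        return None                      # no binding, or the binding has expired


def inbound_call_reaches_phone(register_interval, nat_timeout, call_time):
    """Inbound condition 2: the phone re-REGISTERs every register_interval seconds from
    port 5060; an inbound Call Message arriving at call_time gets through only if the
    last REGISTER is more recent than the NAT binding timeout."""
    nat = SimNat(nat_timeout)
    t, ext_port = 0, None
    while t <= call_time:
        ext_port = nat.outbound(INSIDE_IP, SIP_PORT, t)
        t += register_interval
    return nat.inbound(ext_port, call_time) == (INSIDE_IP, SIP_PORT)


def two_way_audio(send_port, recv_port):
    """Same-port condition: outgoing RTP from send_port opens the binding; the far end's
    RTP returns through it and is delivered to send_port, so the phone hears audio only
    if it listens there too. A different recv_port means one-way audio."""
    nat = SimNat(udp_timeout=120)
    ext_port = nat.outbound(INSIDE_IP, send_port, now=0)
    return nat.inbound(ext_port, now=1) == (INSIDE_IP, recv_port)
```

`inbound_call_reaches_phone(60, 120, 500)` succeeds while `inbound_call_reaches_phone(300, 120, 500)` fails, and `two_way_audio(16384, 16386)` reproduces the one-way-audio case.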

SysMaster 2700 Ygnacio Valley Rd, Suite 210 Walnut Creek, CA 94598 United States of America

Email: sales@sysmaster.com Web site: www.sysmaster.com

Notice to Recipient: All information contained herein and all referenced documents (the "Documents") are provided subject to the Terms of Service Agreement (the "Terms") found on SysMaster website http://www.sysmaster.com (The "Site"), which location and content of Terms may be amended from time to time, except that for purposes of this Notice, any reference to Content on the Site shall also incorporate and include the Documents. The Recipient is any person or entity who chooses to review the Documents. This document does not create any express or implied warranty by SysMaster, and all information included in the Documents is provided for informational purposes only and SysMaster provides no assurances or guarantees as to the accuracy of such information and shall not be liable for any errors or omissions contained in the Documents, beyond that provided for under the Terms. SysMaster's sole warranty is contained in the written product warranty for each product. The end-user documentation shipped with SysMaster products constitutes the sole specifications referred to in the product warranty. The Recipient is solely responsible for verifying the suitability of SysMaster's products for its own use. Specifications are subject to change without notice. © 2007 SysMaster. All rights reserved. SysMaster, SysMaster's product names and logos are all trademarks of SysMaster and are the sole property of SysMaster.
