[Serusers] symmetric nat/ broadband routers
Klaus Darilion
darilion at ict.tuwien.ac.at
Thu Dec 4 18:24:12 CET 2003
Shouldn't 'commercial grade' firewalls support SIP/RTP? I know Cisco
firewalls do SIP and NAT traversal very well.
Klaus
> -----Original Message-----
> From: Hans Eriksson [mailto:hansa at mac.com]
> Sent: Thursday, December 04, 2003 6:13 PM
> To: Klaus Darilion
> Cc: <serusers at lists.iptel.org>
> Subject: Re: [Serusers] symmetric nat/ broadband routers
>
>
> Klaus,
>
> Many commercial grade firewalls do not keep sessions alive, regardless
> of external pings, so it won't work in rather too many cases.
>
> Also, assuming many users (10k, 100k) doing natpings will be heavy.
>
> But alas, NATs are a hack and maybe the only remedies will also be
> hacks, with all the pros and cons.
>
> cheers
> /hans
>
> On 4 Dec 2003, at 17:43, Klaus Darilion wrote:
>
> > Yes, the ports at the client are identical, but the NAT router uses
> > other ports at the public interface, e.g. if the client behind the NAT
> > uses port 5060 for SIP (send & receive), the NAT's public interface may
> > use for example port 50000. Therefore, the client listens on port 5060,
> > but the packets have to be sent to port 50000 of the public IP address
> > and then the NAT router rewrites the port back to 5060. Hence, the
> > nathelper module rewrites the IP address and the port in the contact
> > header before saving them in the location database.
> >
> > If the session in the NAT router times out although using natping,
> > that's a pity. Maybe it helps to ping the proxy from the client, e.g. the
> > budgetone phones support keep alive pinging.
> >
> > Klaus
>
>
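
The Contact rewrite described in the quoted message, as an added example that is not part of the original thread and is not nathelper's own code: a simplified Python sketch that replaces the private host:port in a REGISTER's Contact header with the source address the proxy actually observed. The function name, the sample message, and the addresses 192.168.1.10 and 203.0.113.7 are constructed for illustration; ports 5060 and 50000 follow the thread's example.

```python
import re

# Host[:port] of a sip: URI, with optional user part.
# Simplified assumption: hostnames/IPv4 only, no IPv6 literals, no sips:.
_SIP_URI = re.compile(
    r"(?P<prefix>sip:(?:[^@>;\s]+@)?)"
    r"(?P<host>[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>\d+))?"
)

# Constructed sample: REGISTER as sent by a client behind a NAT.
SAMPLE_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def rewrite_contact(message: str, src_ip: str, src_port: int) -> str:
    """Point every Contact URI at the packet's observed source ip:port.

    src_ip/src_port are what the proxy saw on the wire, i.e. the NAT's
    public mapping, not what the client wrote into the message.
    """
    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        # "m" is the compact form of the Contact header name.
        if colon and name.strip().lower() in ("contact", "m"):
            value = _SIP_URI.sub(
                lambda m: f"{m.group('prefix')}{src_ip}:{src_port}", value
            )
            line = f"{name}:{value}"
        out.append(line)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    # The client listens on 5060, but the NAT mapped it to public port 50000.
    print(rewrite_contact(SAMPLE_REGISTER, "203.0.113.7", 50000))
```

The rewritten binding is only reachable while the NAT keeps the 50000 mapping open, which is why the thread turns to keep-alive pings.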