What is NAT?
NAT (Network Address Translation) is a technology most commonly used by firewalls and routers to allow multiple devices on a LAN with 'private' IP addresses to share a single public IP address. A private IP address is one that can be reached only from within the LAN, not from the Internet outside it. To let a device with a private IP address communicate with other devices on the Internet, there needs to be a translation between private and public IP addresses at the point where the LAN connects to the Internet, that is, within the firewall/router connecting the LAN to the Internet. Such a translation is commonly referred to as NAT, and a router doing such translation is often called a NAT router or NAT firewall/router. Sometimes NAT is also called IP Masquerading. The passing of traffic through NAT is called NAT Traversal.
The way NAT works is in principle rather simple. When a device on the LAN initiates a connection with a device on the Internet, the device sends all traffic to the NAT router first. The NAT router then replaces the source address, which is the device's private address, with its own public address before passing the traffic to its destination on the Internet. When a response is received, the NAT router searches its translation tables for the private address of the LAN device that originally started the connection and passes the response to that device.
Unfortunately, when a connection is originated by a device on the Internet outside the LAN, it is not clear which device on the LAN the connection is meant to be established with. In this case there needs to be some rule that tells the NAT router what to do with the incoming traffic; otherwise it will simply discard the traffic and no connection will be established. If the NAT router supports what is commonly referred to as a 'software DMZ', it can handle simple rules, such as "pass all incoming connection requests to the device with address 192.168.0.2". Another technique, called port forwarding, allows the NAT router to pass incoming connection requests to different devices on the LAN depending on the type of connection (i.e. web or mail connection). However, if there are multiple devices on the LAN to which a certain type of connection from outside may need to be established, then neither a software DMZ nor port forwarding will be sufficient.
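The decisions described in the two paragraphs above can be modelled in a few lines. This is an added example, not code from any router: the class and function names are hypothetical, all addresses and ports are constructed sample values, and the check that a reply comes from the endpoint the LAN device contacted is an assumption of this model.

```python
# Added illustration: a toy model of a NAT router's forwarding decisions.
# Every address and port here is a constructed sample value.
from itertools import count

class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.dmz_host = None        # 'software DMZ' target, if configured
        self.port_forwards = {}     # public port -> (private ip, private port)
        self.table = {}             # public port -> (private ip, private port, remote)
        self._ports = count(40000)  # public source ports handed out in order

    def outbound(self, src, remote):
        """A LAN device opens a connection: rewrite the source, record the mapping."""
        public_port = next(self._ports)
        self.table[public_port] = (*src, remote)
        return (self.public_ip, public_port)

    def inbound(self, remote, dst_port):
        """Traffic arrives at the public address: return the LAN target or None."""
        entry = self.table.get(dst_port)
        # Assumption: the reply must come from the endpoint the device contacted.
        if entry and entry[2] == remote:
            return entry[:2]                      # response to a LAN-initiated connection
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]   # rule chosen by connection type
        if self.dmz_host:
            return (self.dmz_host, dst_port)      # catch-all: everything to one device
        return None                               # no rule: traffic is discarded

def demo():
    nat = NatRouter("203.0.113.1")
    web, stranger = ("198.51.100.7", 80), ("198.51.100.9", 4000)
    public_src = nat.outbound(("192.168.0.2", 51000), web)
    out = {"public_src": public_src,
           "reply": nat.inbound(web, public_src[1]),
           "unsolicited": nat.inbound(stranger, 25)}
    nat.port_forwards[25] = ("192.168.0.3", 25)   # mail goes to one device
    out["mail"] = nat.inbound(stranger, 25)
    nat.port_forwards[25] = ("192.168.0.4", 25)   # a second mail host replaces the first
    out["mail_after_second_rule"] = nat.inbound(stranger, 25)
    nat.dmz_host = "192.168.0.2"
    out["dmz"] = nat.inbound(stranger, 8080)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because a forwarding rule is keyed by the public port alone, the second mail rule overwrites the first, which is the limitation the last sentence above describes.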
People without networking experience sometimes find it difficult to tell whether or not their host is behind NAT. There is a website that will test whether you are behind NAT (you need to have Java): amibehindnat.com.
The Trouble with NAT and VoIP
In addition, the way in which conventional VoIP protocols are designed also poses a problem for VoIP traffic passing through NAT. Conventional VoIP protocols only deal with the signalling of a telephone connection. The audio traffic is handled by another protocol and, to make matters worse, the port on which the audio traffic is sent is random. The NAT router may be able to handle the signalling traffic, but it has no way of knowing that the audio traffic is related to the signalling and should hence be passed to the same device the signalling traffic is passed to. As a result, the audio traffic is not translated properly between the address spaces.
At first, for both the calling and the called party everything will appear just fine. The called party will see the calling party's Caller ID and the telephone will ring, while the calling party will hear a ringing feedback tone at the other end. When the called party picks up the telephone, both the ringing and the associated ringing feedback tone at the other end will stop as one would expect. ...