10-29-2014 03:10 AM - edited 03-05-2019 12:03 AM
Hi,
I was wondering if anyone could help me with a little theory on a common NAT problem.
I hear that NAT can break when multiple hosts use the same applications such as FTP/SIP/instant messaging/online gaming, and I'd like to understand why.
In the lay community UPnP is hailed as the solution to this problem. But as far as I can tell UPnP just allows some degree of automatic configuration using sub-protocols in an insecure way.
I am trying to use a Cisco 887VA as my home router, which does not support UPnP but does have a number of features to help SIP and VPNs traverse NAT.
At the moment, if I hit this issue, the only thing I can think of is bridging the modem of the 887 through to an Ethernet port, using a home router for NAT, then looping this back into another Ethernet port on the router, which seems silly.
Any help greatly appreciated.
David
10-31-2014 10:09 AM
A1: FTP and SIP use a control port (21/tcp) to set up the details of what they're sending. Overloaded NAT doesn't have a problem with this. Once the details have been exchanged, both protocols use random agreed-upon ports for their payloads. This is where overloaded NAT breaks, mostly because the NAT engine has no understanding of how to correctly send the payload traffic to the proper destination.
A2: UPNP is essentially a low-level proxy on consumer-grade routers that allows applications to register the ports that they need directly with the router. This eliminates the need for the NAT engine to guess at the ports being used. Most business-grade routers don't support this because it allows users to forward anything they want to their own machines.
A3: The 887 has inspection features to be able to snoop the FTP and SIP control protocols in order to dynamically permit traffic, but this only exists for well-known protocols. Things like Xbox Live aren't going to be covered by this.
For your application, it sounds like a consumer-grade router fits your requirements better than what you're using.
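The control/data split in A1 and the inspection step in A3 are easier to see in code. The following toy FTP application-layer gateway is an added example, not code from this thread or from Cisco IOS; the public address 203.0.113.10, the inside hosts, the port pool starting at 40000 and the control-channel lines are all constructed for the illustration. It shows the three things a NAT engine has to do that plain port overloading does not: read the PORT command, rewrite the private address and port carried inside the payload, and remember the resulting pinhole so the server's inbound data connection is delivered to the right inside host. The same parsing also gives a check a practitioner would want: a PORT command that names a different inside host is rejected instead of being turned into a pinhole.

```python
"""Toy FTP application-layer gateway (ALG) for an overloaded NAT.

Added illustration only; not code from the thread or from Cisco IOS.
Addresses, port pool and control-channel lines are constructed examples.
"""
import re
from dataclasses import dataclass, field

# Assumed WAN address of the NAT router (documentation range, constructed).
PUBLIC_IP = "203.0.113.10"

# Client:  "PORT h1,h2,h3,h4,p1,p2"      Server: "227 ... (h1,h2,h3,h4,p1,p2)"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host-port field out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class NatTable:
    """Port-overload translation state plus dynamically opened pinholes."""
    next_port: int = 40000  # assumed start of the router's dynamic pool
    # (PUBLIC_IP, public_port) -> (inside_ip, inside_port)
    pinholes: dict = field(default_factory=dict)

    def allocate(self, inside_ip, inside_port):
        pub_port = self.next_port
        self.next_port += 1
        self.pinholes[(PUBLIC_IP, pub_port)] = (inside_ip, inside_port)
        return pub_port

    def inbound(self, public_port):
        """Where an unsolicited inbound SYN to PUBLIC_IP:public_port goes.
        None means the overloaded NAT has no mapping and drops it."""
        return self.pinholes.get((PUBLIC_IP, public_port))


def alg_rewrite(line, inside_ip, nat):
    """Process one control-channel line leaving inside_ip.

    Returns (line_to_forward, pinhole_or_None).  A PORT command has its
    private address and port replaced by a freshly allocated public pair,
    and the mapping is stored so the server's data connection can be
    delivered to the right host.  Everything else passes through unchanged.
    """
    m = PORT_RE.match(line)
    if not m:
        return line, None
    ip, port = decode_hostport(m.groups())
    # Refuse a PORT that names a third party: honouring it would open a
    # pinhole to an arbitrary inside host (FTP bounce, see RFC 2577).
    if ip != inside_ip:
        raise ValueError(f"PORT names {ip} but the sender is {inside_ip}")
    pub_port = nat.allocate(ip, port)
    return f"PORT {encode_hostport(PUBLIC_IP, pub_port)}", (PUBLIC_IP, pub_port)


def passive_data_endpoint(reply):
    """In passive mode the server announces the data endpoint, so the inside
    host opens the data connection outbound and ordinary overload works; the
    ALG only has to recognise the reply.  Returns (ip, port) or None."""
    m = PASV_RE.match(reply)
    return decode_hostport(m.groups()) if m else None


def demo():
    """Two inside hosts doing active-mode FTP behind one public address."""
    nat = NatTable()
    results = {}
    for host in ("192.168.1.20", "192.168.1.21"):  # constructed inside hosts
        fwd, hole = alg_rewrite("PORT " + encode_hostport(host, 1025), host, nat)
        results[host] = (fwd, hole)
    return nat, results


if __name__ == "__main__":
    nat, results = demo()
    for host, (fwd, hole) in results.items():
        print(f"{host}: forwarded '{fwd}', server connects to {hole} -> {nat.inbound(hole[1])}")
```

Both inside hosts announce the same private port 1025, which is exactly the collision plain overloading cannot resolve; the ALG hands each one a distinct public port and keeps the reverse mapping. This is, in principle, what the 887's FTP inspection does in the data path, and why the answer notes it only helps for protocols the router knows how to parse.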
08-21-2015 01:17 AM
Thanks for the explanation. To be honest, so far I have been using this router for a year and have experienced no NAT issues. The only issue I have recently come across is the need to set up multicast routing to support IPTV services from my ISP.