Sockets through NAT

I was wondering if there is any way to connect two computers behind separate routers (or other NAT devices) without any port forwarding. I was thinking of having the computers each attempt to initiate a connection to fool the router, but I'm not sure how to implement it.
Thanks,
Sam

Yeah, this sounds possible, let's try to work it out.
(1) Client A and client B each set up TCP connections to server C. At this point server C knows the IP address and port needed to talk to each client, which in each case will be the IP address of the respective NAT router and a port address invented by the NAT router, and server C knows the TCP sequence numbers being used by each end.
(2) Server C now sends this information down each connection, i.e. it tells client A what IP and port it needs to use to talk to client B and vice versa.
(3) The clients now switch to talking to each other rather than talking to server C, and adjust their sequence numbers accordingly.
Someone tell me what's wrong with that? [1]
Of course no TCP stack will let you do this, so you'll have to write your own implementation of TCP (which is seriously non-trivial) which allows this trickery on top of raw sockets, so you won't be able to do it in Java of course.
[1] Ah, here's a potential problem, depending on how they're implemented the NAT routers might spot the trickery and drop the packets as being hacking attempts. So you'd be in for a lot of difficult coding with guarantee of success.

Similar Messages

  • Can't connect to Server through NAT

    Hey all.
    So, I'm trying to connect to my 10.8 server from outside of my network using Server.app.
    On my local subnet, I can connect fine with my normal user.
    From anywhere outside of my local network, all I get is a shake from the login dialog (which is pretty meaningless).
    Since I'm using NAT, I've forwarded 311/TCP and 311/UDP through to the server host.
    When I telnet to my server on 311 I get a connection, so the traffic is getting through NAT (at least the TCP traffic).
    The only indication of a problem I get is a terse log entry on the machine I'm attempting to connect from:
       Server: Failed to authenticate to OD
    I'm using the same credentials I use through Server.app when on the local subnet, so something else is happening.
    I do get a certificate warning, which I check off so that I always trust it. I can use the same hostname on my internal and external zones, but the IP resolves back to
    Does OD require some additional configuration for requests from outside the local net?
    Is Server.app just flawed?
    Does this somehow have to do with DNS?
    Any ideas?

    Server app communicates over TCP port 687, not 311.
    That being said I wouldn't port forward server administration traffic to your server. A better approach would be to make a VPN connection first and then do whatever task you're trying to do after that.
    Source: http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US

  • Database error #2002 can not connect local mysql server to socket through '/var/run/mysqld/mysqld.sock'(2) on mac os x 10.9.2

    Dear Fellas:
    I received "database error #2002 can not connect local mysql server to socket through '/var/run/mysqld/mysqld.sock'(2)" on mac os x 10.9.2.
    mysql info:
    ps -ef | grep mysql
        0    66     1   0 11:06AM ??         0:00.04 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=mysql
       74   225    66   0 11:06AM ??         0:02.50 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/usr/local/mysql/data/Chuans-MacBook-Pro-2.local.err --pid-file=/usr/local/mysql/data/Chuans-MacBook-Pro-2.local.pid --socket=/var/run/mysqld/mysqld.sock
      501   952   947   0  3:52PM ttys000    0:00.00 grep mysql
    Please help!!

    Fascinated and guessing:
    Something related to sock(2) because that's not part of your copied info. I'm thinking you've doubled up on sockets and the second socket doesn't exist, meaning you should be connecting to the first socket "mysqld.sock" whether automatic or not.
    I've only used GUI tools on purpose, so does this mean you've already got MySQL running and you tried to launch it again manually? Perhaps you already have one instance of a db and you're trying to launch a second instance, and the two can't coexist with a single user local db?
    Assuming this is all local, I'd shut down the db service and restart it, out of hand. I've seen similar messages when I set the db to start up on boot, and it didn't finish shutting down when I tried to restart it manually. Usually the GUI won't let me turn it on because it reports it's already running, but in that case it hadn't finished performing what the GUI was reporting.
    Just speculating.

  • How to manage VM servers in DMZ through NAT proxy?

    Dear all,
    We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers.
    In fact, there is no management network for OVM manager. So I see no workaround.
    Have you any idea about this deployment?
    Mike

    mtktang wrote:
        We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers.
    We do not support Oracle VM Server via NAT, because the Servers get the IP address of the Manager to connect to (and not the NAT'd address). So the API python binding download and notifications will fail. It is very unlikely that this would work.

  • Sip passing through nat but rtp is not - no audio

    Sip passing through nat but rtp is not
    I'm looking at traffic leaving my router with a sniffer. I see SIP traffic but I do not see RTP traffic.  The phones ring on both sides but I do not get any audio.
    interface f0/0.100
    ip address 192.168.10.1 255.255.255.0
    ip nat outside
    ip nat pool VoIP 192.168.10.1  192.168.10.1 prefix-length 24
    ip nat inside source route-map VoIP pool VoIP overload
    ip nat inside source static tcp 10.1.1.2 49201 192.168.10.54 49201 extendable
    access-list 1 permit ip host 10.1.1.2 any
    route-map VoIP permit 10
    match ip address 1
    match interface  f0/0.100
    set interface  f0/0.100

    Hello,
    You can enable "ip nat service sip" or "ip nat service h323" and "ip nat service h225" commands. As per the documentation, they are enabled by default. In the latest IOS there is a new feature added to Cisco IOS that ensures that even RTP packets get translated to one of the allowed ports as specified by the RFC. The command to enable the feature is "ip nat service allow-sip-even-rtp-ports".
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_white_paper0900aecd80597bc7.html
    Hope this helps.
    Regards,
    NT

  • Can IPsec VTI go through NAT ?

    hi
    Just like the subject, does anyone know if IPsec VTI can go through NAT?

    Just tested, it works

  • TACACS+ requests through NAT device

    Hi everyone.
    I want to authenticate and authorize VTY access to Cisco devices using TACACS+. The config is pretty "straightforward", BUT:
    I want to forward the TACACS+ request through a NAT device and on to the "Internet" where the TACACS+ server is located. (ACS 3.3)
    Two questions arise in this situation:
    - Does the TACACS+ protocol support requests through NAT devices?
    - Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all aaa-clients and on the ACS)
    As you see, I want to connect "as many aaa-clients as possible" to a TACACS+ server with "as easy = as few configuration changes as possible".
    I know VPNs are an option as well, but it is not preferred in my design.
    Best Regards
    Jarle Steffensen

    As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
    I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
    If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server cannot differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
    HTH
    Rick

  • Cannot connect socket through socks proxy

    Hi,
    I'm having problems connecting a socket through a socks proxy. I'm using the Apache Commons FTPClient, which I understand uses the standard java.net.Socket:

      import org.apache.commons.net.ftp.FTPClient;

      // point the JVM's built-in SOCKS support at the proxy before any socket is opened
      System.setProperty("socksProxyHost", proxyUrl);
      System.setProperty("socksProxyPort", proxyPort);
      FTPClient ftp = new FTPClient();
      try {
        ftp.connect(url);
        ...

    When I run this, the whole thing just hangs. However, using a standalone FTP client (SmartFTP) configured with the same settings works fine.
    Analysing the network traffic (using Ethereal) reveals the following:
    Frame 4 of the successful connection (SmartFTP) contains ethernet, IP, TCP and Socks data. The socks data is 9 bytes long and looks perfectly normal.
    Frame 4 of the unsuccessful connection contains the same 4 data segments, but the socks data is only 1 byte long and contains only the socks version number. Ethereal reports this as "Unreassembled Packet (incorrect TCP checksum)".
    Is there anything I'm missing here? I've tried setting the proxy information on the command line when I run the test (java -DsocksProxyHost=proxy -DsocksProxyPort=1080) but that appeared to make no difference.
    Any pointers much appreciated, as I'm really stumped here!
    Thanks

    hi baarney,
    I am not very clear what you mean. Could you tell me more about it because
    I have the same problem. And after connecting for a long time, I received this message "Malformed message from SOCKS server"
    Forgot to add:
    Running on Windows XP
    java version "1.4.2_06"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)
    Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)
    Thanks

  • RMI, sockets and NAT

    Apparently an RMI server in a LAN with NAT cannot be seen outside of the LAN. Thus, it is possible to manage a polling client in the LAN and a server outside of the LAN, but I cannot make a bidirectional RMI connection (where the server could invoke the client's methods, that is), right? Now, is there the same kind of problem with sockets?
    Thanks,
    Yuzaa

    Yuzza,
    There is no problem with sockets, NAT is causing the problem. Happily, there is an easy work-around.
    When you create a remote object, you can specify two additional arguments, an RMIServerSocketFactory, and an RMIClientSocketFactory.
    The RMIClientSocketFactory is an interface which defines one method:
    Socket createSocket(String host, int port);
    Your RMI client gets an object implementing this interface from your server, to connect back to it. Currently your server gives your client a default RMIClientSocketFactory object. This object will let the client connect to the address inside your NAT subnet, this will not work with NAT. That is the problem.
    How can you fix this? Simply implement your own RMIClientSocketFactory, something like this:

      import java.io.IOException;
      import java.io.Serializable;
      import java.net.Socket;
      import java.rmi.server.RMIClientSocketFactory;

      class YuzzaCSF implements RMIClientSocketFactory, Serializable {
          final String host;   // the server's address as seen from outside the NAT
          YuzzaCSF(String host) { this.host = host; }
          public Socket createSocket(String host, int port) throws IOException {
              // ignore the host RMI passes in (the private address) and dial the public one
              return new Socket(this.host, port);
          }
      }

    Instantiate one using your server's address from outside NAT, and it will force the client to connect correctly.
    This is the core of the solution, there are a few more small steps, but I think you can figure out the rest from here. It would not be as satisfying if I did it all for you :-)
    John

  • Access another host on same subnet through Nat'd IP address

    I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor; both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.

    Borman,
    It's more complicated than that; consider the following scenario:
                                20.20.20.0/24
                   ASA------------------------------Internet
                      | (DMZ)
                 Switch
         Host A          Host B
       10.1.1.10      10.1.1.100
                          20.20.20.20 (Nat outside address)
    Basically you want to monitor your host B using its public IP address, normally your NAT configuration (in case of version 8.2 and prior) would be something like this:
    nat (DMZ,outside) 20.20.20.20 10.1.1.100
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by internal process of the ASA); then once it is untranslated, the route lookup comes into play. The firewall notices that it is on the same interface as the source of the packet, so we reach our first impasse. The ASA does not support same-security traffic by default. So we overcome this issue with the following command:
    same-security-traffic permit intra-interface
    Now that is done, so we move to the next packet process: the ASA tries to check if there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) there is no global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:
    Global (DMZ) 1 interface
    This will translate requests from the DMZ interface going to that same interface to the DMZ IP address. On the server 10.1.1.100, the connection will be seen as if it came from the firewall, and the packets will be sent to the firewall again, hence avoiding asymmetric routing.
    If running version 8.3 or higher, the concept is the same, but the commands change a bit.
    8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    Nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    So bottom line, configuration needed on 8.2
    global (outside) 1 interface
    same-security-traffic permit intra-interface
    Configuration for 8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    Nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    Hope this helps a bit.
    Mike

  • IM System File Transfer through NAT

    Hi, I have an operational IM system with server and client and I want to implement file transfer. Not that it was any difficult, but I want to make it server independent to relieve it.
    What I want to do is establish a direct connection between the transferring clients. The problem is how to deal with guys behind NAT.
    I have seen many topics here and on other forums dealing with it, but they were direct questions in advanced development of this issue, and I want to ask if there is any way to do it without reconfiguring the client routers (some of them behind an ISP's gateway and owning their own wifi router) or not. I would like to know your ideas or experiences on this matter, how to start with this or where to look for it. I certainly don't want to do some IP tunnelling through RMI or similar.
    Regards ~

    When connecting possibly NATed peers, there are three main scenarios:
    * All peers have a public IP, no NAT anywhere: easy, simply connect.
    * At least one peer has a public IP, no NAT, some or all other peers are NATed/don't have a public IP: the public peer acts as a server of a kind/hub.
    * Everyone is NATed: now it's getting very, very tricky.
    Especially for the third kind you will need to implement several different techniques.
    Keywords to google for are UPnP (to reconfigure the router for port forwarding) and NAT piercing (fooling both routers into thinking it's an outgoing connection).
    Good luck.

  • Getting NI MAX (Measurement Automation Explorer) to work through NAT

    All,
    I've been having no end of grief trying to connect NI MAX to my remote cDAQ 9134 (Linux RT) through a cellular gateway (firewall/NAT). I currently have all the ports I think are even slightly MAX related forwarded to the IP of the cDAQ. The IP address assigned to the cellular gateway is part of my corporate network, i.e. this is not a remote private IP but instead an IP on my WAN. 
    Currently the following ports are forwarded:
    80
    52725
    3580
    20-22
    53
    48080
    The web UI function works across this arrangement, as does SSH - but not MAX.
    NI MAX will find the device at first, but then it transitions from connecting to a red-X icon... but not before discovering the serial number and a few other parameters (not all).
    I need this to work so I can remotely deploy new software modules to the cDAQ 9134.
    Has anyone accomplished something similar in the past? Am I possibly missing a port?
    Thanks and Regards,
    Jeff

    Hello Jeff,
    As long as you have unblocked all of the ports pertaining to NI MAX in this White Paper:
    http://www.ni.com/white-paper/12402/en/
    you shouldn't have missed anything. Is there any way to connect it locally, or does it have to be over the network?
    Siana A.
    Application Engineering
    National Instruments

  • Solution to UDP Through Nats/Firewalls

    Hello to All,
    I am currently developing software that entails the need to have live voice transmission to several clients. All of the audio comes into the server and is redirected out to the appropriate clients. I'm sure that by now many of you are aware of the issues inherent in using JMF, or more specifically UDP, across the internet: NAT routers don't deal with UDP packets very well and the clients behind them tend not to receive them. For my application I can't expect every client that is behind a NAT router to set up port forwarding to their machine; these are people who don't know how to unzip a file. Simplicity is of vital importance, especially when trying to reduce the need for support calls.
    After reading up on the different kinds of NATs and how they respond to incoming UDP packets I discovered a way that works. To start with, the server needs to be publicly accessible, or it must appear to be. If the server is behind a NAT then port forwarding must be set up (no big deal). Let us say that the server is sending out audio on port S1 with control port S2 and the client wishes to receive the audio on port C1 with control port C2. The client, upon logging in, must send a UDP packet from local port C1 to server port S1 and from local port C2 to server port S2.
    The server must accept these handshaking UDP packets and store the address and port that they come from. The client ports might not be C1 and C2 by the time they reach the server because the NAT router may have changed them. Indeed, they may not even be consecutive ports by the time they reach the server; it's all dependent on how the client's NAT chooses to map them.
    The server, by examining the initial handshake, knows exactly where to send the RTP data for that client. Now when RTP data reaches the client's network it will be properly forwarded to the client since the network has already sent out a packet from those ports to those locations and thus a mapping has been established. If the client's ports are not consecutive ports by the time they are mapped and reach the server, then the SessionAddress, which typically sends out data on the port provided and the next consecutive one, does have a constructor where you can specify both the data and control port to be specific, non-consecutive ports.
    By sending this initial handshake any NAT, even the most restrictive symmetric NAT, will now correctly forward any incoming UDP packets from server ports S1 and S2 from the same server as long as they are coming in to the client ports that initially sent out the handshake. One thing to keep in mind however is that the mappings aren't permanent; in fact they are very short lived (I learned the hard way after about 1 week of debugging). The way that I had my program set up before was that I had all of the UDP handshaking upon a client's connection, often minutes before the actual UDP audio transmission from the server would begin. This would cause many of the mappings to be lost since it had been minutes after the mapping had been established with no data coming through. I had to fix this by not implementing the handshake with the clients until right before the UDP audio transmission had begun in order to ensure fresh, working mappings for the beginning of the transmission.
    Now you may be wondering how the server can be listening for handshakes on the same port that it is supposed to be sending out audio on. Well, in my case no audio is transmitted until all of the expected clients have connected. If this was not desirable, if one wanted to allow clients to join after RTP data has already started transmitting, then the handshake would need to be accepted on a different port than the ones that are transmitting RTP data. The tradeoff associated with this, however, is that clients that are behind symmetric NATs won't be able to receive audio, since the handshake must go to the exact server port that they wish to receive RTP data from; all of the other kinds of NATs will allow this however.
    The way I handle somebody who shows up late, after UDP audio transmission has already begun, is I stop the audio transmission for everybody, shake hands with the new client on the audio ports and then re-initialize the audio transmission. This is not ideal as there is now a break in the audio streaming every time somebody shows up late. I'm wondering how other programs, like Skype, accomplish such seamless audio integration with UDP; the only way I can get consistency across networks is to implement these obscure workarounds that incur breaks in transmission when a new client joins and wishes to receive a UDP stream that has already started.
    I know this post is long but I would have loved to have access to some of this information a couple of months ago; a lot of it was learned through painful trial and error, so hopefully it's useful to someone. I'd love to have some input on ways to make things better or more reliable: particularly the aspect of clients showing up late and having the server temporarily stop the audio in order to establish a secure mapping towards the new client. On the bright side, using the methods described above I can get consistent UDP audio transmission to and from all kinds of networks, including the most restrictive symmetric NATs that I have tested so far. Any questions/comments/ideas are welcome.
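    The handshake-then-stream sequence described in the post above, as an added example (not the poster's JMF code): a toy NAT model in Python that shows the NAT-invented external ports, why a symmetric NAT drops audio sent from a server port other than the one the handshake went to, and why an idle mapping has expired by the time a stream started "minutes later" begins. The addresses, ports and the 30-second idle timeout are constructed values, and only two mapping policies (endpoint-independent "cone" and endpoint-dependent "symmetric") are modelled; the "NAT piercing" named in the earlier reply is this same mechanism.

```python
# Toy NAT model (added example, not the poster's code). Two policies only:
# endpoint-independent ("cone") and endpoint-dependent ("symmetric").
# Real NATs have further variants (e.g. port-restricted cone).
import itertools
from dataclasses import dataclass
from typing import Optional

SERVER = "203.0.113.10"   # constructed public address of the media server
CLIENT = "10.0.0.5"       # constructed private address of a client behind the NAT
S1, S2 = 5004, 5005       # server RTP data / control ports
C1, C2 = 6000, 6001       # client RTP data / control ports on the private side


@dataclass
class Mapping:
    internal: tuple            # (private host, private port) that sent the packet
    external_port: int         # port the NAT invented on its public side
    remote: Optional[tuple]    # symmetric NAT: (host, port) this mapping is locked to
    last_used: float           # seconds; refreshed by every packet in either direction


class ToyNat:
    def __init__(self, public_ip: str, symmetric: bool, ttl: float):
        self.public_ip, self.symmetric, self.ttl = public_ip, symmetric, ttl
        self.table = []                         # list of Mapping
        self._ports = itertools.count(40000)    # next free external port (constructed)

    def outbound(self, internal: tuple, remote: tuple, now: float) -> tuple:
        """Private host sends a packet; return the (ip, port) the remote end observes."""
        key = remote if self.symmetric else None
        for m in self.table:
            if m.internal == internal and m.remote == key:
                m.last_used = now               # traffic keeps the mapping alive
                return (self.public_ip, m.external_port)
        m = Mapping(internal, next(self._ports), key, now)
        self.table.append(m)
        return (self.public_ip, m.external_port)

    def inbound(self, src: tuple, external_port: int, now: float):
        """Packet from src reaches external_port; return private (host, port) or None."""
        for m in self.table:
            if m.external_port != external_port:
                continue
            if now - m.last_used > self.ttl:
                return None                     # idle mapping expired: the poster's bug
            if m.remote is not None and m.remote != src:
                return None                     # symmetric NAT: wrong server endpoint
            m.last_used = now
            return m.internal
        return None                             # no mapping at all: unsolicited, dropped


def handshake_then_stream(nat: ToyNat, handshake_at: float, stream_at: float,
                          send_from=(S1, S2)) -> tuple:
    """Client punches C1->S1 and C2->S2 at handshake_at; the server streams at
    stream_at from send_from to the endpoints it observed.  Returns
    (observed endpoints keyed by server port, where each stream was delivered)."""
    observed = {
        S1: nat.outbound((CLIENT, C1), (SERVER, S1), handshake_at),
        S2: nat.outbound((CLIENT, C2), (SERVER, S2), handshake_at),
    }
    delivered = {}
    for hs_port, src_port in zip((S1, S2), send_from):
        ext_port = observed[hs_port][1]         # send to what the NAT showed us, not C1/C2
        delivered[hs_port] = nat.inbound((SERVER, src_port), ext_port, stream_at)
    return observed, delivered


if __name__ == "__main__":
    cone = ToyNat("198.51.100.7", symmetric=False, ttl=30)
    print("cone, fresh:      ", handshake_then_stream(cone, 0, 1))
    sym = ToyNat("198.51.100.7", symmetric=True, ttl=30)
    print("symmetric, other port:", handshake_then_stream(sym, 0, 1, send_from=(5050, 5051)))
    sym2 = ToyNat("198.51.100.7", symmetric=True, ttl=30)
    print("symmetric, stale: ", handshake_then_stream(sym2, 0, 300))
```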

    I was bored with your long overview of the issue. I suggest using TCP, as it is Internet native, is reliable, and is easier to secure through foreign NATs.
    As a Design BluePrint for Building Network Applications: Never use port-locked Internet applications, as you cannot control the Internet. If needed, use VPN with L4 tunneling.
    You are really working harder than you need to - even with the UDP implementation. Just have the client use dynamic ports, really that shouldn't cause you any problem on the link and NATs will be more likely to allow i/o traffic.
    Your server should be publicly available (a DMZ host, or port-forwarded) on the Internet.
    A web server uses port 80, and many clients connect to it using a random open port on their local machine and the server machine. It almost always works without issue. Why do you need lock in to specific ports? Besides that, why use UDP when running a critical QoS app such as Multicast VoIP?

  • CAPWAP tunnel through NAT interface

    I'm not sure if anyone has tried this but are there any complications with connecting a lightweight AP through a NAT'd interface back to the WLC?  I know I'll have to open 5246 and 5247, but are there any other issues that I should be aware of?

    We have a neighboring hospital where some of our docs want to set up a clinic using their iPads back to our network.  Right now, we have a NAT'd interface from their network to ours and I haven't been able to test setting up an AP through a NAT interface.  I forgot about Office Extends and now remember from your Twitter updates from CL11.  I'll probably go that route.  Are there any issues that may come up from using Office Extends?

  • Sockets through proxy servers

    I'm facing a problem in which one Java application that is sitting behind Proxy1 has to access the web server which is sitting behind Proxy2, for transferring files from one machine sitting behind Proxy1 to the web server sitting behind Proxy2.
    Using URLConnection I will be able to do this, but as per my requirement I may have to transfer files which may be more than 100 MB; in that case URLConnection is failing because of an OutOfMemoryError.
    The only way to cater to this requirement is sockets, but I don't know how I can go through the proxy using Java sockets......
    ---------------------------Proxy1------ Proxy2
    -------------------------- --|----------------|
    Java Application -------| <----->------|----- My WebServer
    -----------------------------|-- internet---|
    ---------------------------- |----------------|
    Thnx in advance,

    Thnx tolmank,
    I am using sockets instead of URLConnection. I was able to connect using URLConnection, but when I use sockets I am not able to; I can't use URLConnection because of the out of memory problem, as I mentioned earlier.
    If anybody can help me out it would be a great help for me...
    Thanks in advance......
    shafeek
