Solution to UDP Through Nats/Firewalls

Hello to All,
I am currently developing software that entails the need to have live voice transmission to several clients. All of the audio comes into the server and is redirected out to the appropriate clients. I'm sure that by now many of you are aware of the issues inherent in using JMF, or more specifically UDP, across the internet: NAT routers don't deal with UDP packets very well and the clients behind them tend not to receive them. For my application I can't expect every client that is behind a NAT router to set up port forwarding to their machine; these are people who don't know how to unzip a file. Simplicity is of vital importance, especially when trying to reduce the need for support calls.
After reading up on the different kinds of NATs and how they respond to incoming UDP packets I discovered a way that works. To start with, the server needs to be publicly accessible, or it must appear to be. If the server is behind a NAT then port forwarding must be set up (no big deal). Let us say that the server is sending out audio on port S1 with control port S2 and the client wishes to receive the audio on port C1 with control port C2. The client, upon logging in, must send a UDP packet from local port C1 to server port S1 and from local port C2 to server port S2.
The server must accept these handshaking UDP packets and store the address and port that they come from. The client ports might not be C1 and C2 by the time they reach the server because the NAT router may have changed them. Indeed, they may not even be consecutive ports by the time they reach the server; it's all dependent on how the client's NAT chooses to map them.
The server, by examining the initial handshake, knows exactly where to send the RTP data for that client. Now when RTP data reaches the client's network it will be properly forwarded to the client, since the network has already sent out a packet from those ports to those locations and thus a mapping has been established. If the client's ports are not consecutive by the time they are mapped and reach the server, then the SessionAddress, which typically sends out data on the port provided and the next consecutive one, does have a constructor where you can specify both the data and control port to be specific, non-consecutive ports.
By sending this initial handshake any NAT, even the most restrictive symmetric NAT, will now correctly forward any incoming UDP packets from server ports S1 and S2 from the same server as long as they are coming in to the client ports that initially sent out the handshake. One thing to keep in mind, however, is that the mappings aren't permanent; in fact they are very short-lived (I learned the hard way after about 1 week of debugging). The way that I had my program set up before was that I had all of the UDP handshaking upon a client's connection, often minutes before the actual UDP audio transmission from the server would begin. This would cause many of the mappings to be lost, since it had been minutes after the mapping had been established with no data coming through. I had to fix this by not implementing the handshake with the clients until right before the UDP audio transmission had begun, in order to ensure fresh, working mappings for the beginning of the transmission.
Now you may be wondering how the server can be listening for handshakes on the same port that it is supposed to be sending out audio on. Well, in my case no audio is transmitted until all of the expected clients have connected. If this was not desirable, if one wanted to allow clients to join after RTP data has already started transmitting, then the handshake would need to be accepted on a different port than the ones that are transmitting RTP data. The tradeoff associated with this, however, is that clients that are behind symmetric NATs won't be able to receive audio, since the handshake must go to the exact server port that they wish to receive RTP data from; all of the other kinds of NATs will allow this, however.
The way I handle somebody who shows up late, after UDP audio transmission has already begun, is I stop the audio transmission for everybody, shake hands with the new client on the audio ports and then re-initialize the audio transmission. This is not ideal, as there is now a break in the audio streaming every time somebody shows up late. I'm wondering how other programs, like Skype, accomplish such seamless audio integration with UDP; the only way I can get consistency across networks is to implement these obscure workarounds that incur breaks in transmission when a new client joins and wishes to receive a UDP stream that has already started.
I know this post is long, but I would have loved to have access to some of this information a couple of months ago; a lot of it was learned through painful trial and error, so hopefully it's useful to someone. I'd love to have some input on ways to make things better or more reliable: particularly the aspect of clients showing up late and having the server temporarily stop the audio in order to establish a secure mapping towards the new client. On the bright side, using the methods described above I can get consistent UDP audio transmission to and from all kinds of networks, including the most restrictive symmetric NATs that I have tested so far. Any questions/comments/ideas are welcome.
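As an added example that is not part of the original post, here is the handshake described above implemented in Python and run entirely on loopback: the server records the source tuple it observes on S1 and S2 rather than any port the client claims, refuses to stream once a mapping has sat idle past a freshness window, and only accepts handshakes that carry a token it issued at login (so a stray or hostile datagram cannot redirect someone else's stream). The HELLO payload format, the token scheme, the 25-second window and the constructed test datagrams are assumptions of this example, not from the post.

```python
# Added example, not code from the original post: the UDP rendezvous handshake
# the post describes, run on loopback so it executes offline. Assumed (mine, not
# the poster's): a handshake of the form b"HELLO <session_token> <claimed_port>",
# a per-session token issued at login, and a 25 s mapping freshness window.
import socket
import time

MAGIC = b"HELLO"
MAPPING_MAX_IDLE = 25.0  # seconds; assumed to sit below common UDP NAT idle timeouts


def parse_handshake(payload, valid_tokens):
    """Return (token, claimed_port), or None if the datagram must be ignored.
    Only a token issued at login may create or refresh a mapping; otherwise
    anyone able to reach S1/S2 could redirect another client's stream."""
    parts = payload.split()
    if len(parts) != 3 or parts[0] != MAGIC:
        return None
    token = parts[1].decode("ascii", "replace")
    if token not in valid_tokens:
        return None
    try:
        return token, int(parts[2])
    except ValueError:
        return None


def mapping_is_fresh(last_seen, now, max_idle=MAPPING_MAX_IDLE):
    """True while the NAT mapping is likely still alive (mappings made minutes
    before streaming silently expire, which is the post's hard-won lesson)."""
    return (now - last_seen) < max_idle


class RendezvousServer:
    """S1 ("data") and S2 ("ctrl") bound to ephemeral loopback ports."""

    def __init__(self, host="127.0.0.1"):
        self.socks = {"data": socket.socket(socket.AF_INET, socket.SOCK_DGRAM),
                      "ctrl": socket.socket(socket.AF_INET, socket.SOCK_DGRAM)}
        for s in self.socks.values():
            s.bind((host, 0))
            s.settimeout(2.0)
        self.valid_tokens = set()
        self.clients = {}  # token -> {"data": addr, "ctrl": addr, "seen": t}

    def accept_handshake(self, kind):
        """Receive one datagram on S1 or S2 and record the *observed* source
        tuple (the port the NAT actually produced), never the claimed port."""
        payload, observed = self.socks[kind].recvfrom(2048)
        parsed = parse_handshake(payload, self.valid_tokens)
        if parsed is None:
            return None
        token, claimed_port = parsed
        entry = self.clients.setdefault(token, {})
        entry[kind] = observed
        entry["seen"] = time.monotonic()
        return token, observed, claimed_port

    def send_stream(self, token, data, ctrl):
        """Send to the recorded mappings, refusing if they may have expired."""
        entry = self.clients[token]
        if not mapping_is_fresh(entry["seen"], time.monotonic()):
            raise RuntimeError("mapping may have expired; re-handshake first")
        self.socks["data"].sendto(data, entry["data"])
        self.socks["ctrl"].sendto(ctrl, entry["ctrl"])


def demo():
    """Run the whole exchange on loopback and report what the client saw."""
    srv = RendezvousServer()
    srv.valid_tokens.add("tok-A")  # handed out at login (assumed)
    c1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # C1, data
    c2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # C2, control
    try:
        for c in (c1, c2):
            c.bind(("127.0.0.1", 0))
            c.settimeout(2.0)
        s1 = srv.socks["data"].getsockname()[1]
        s2 = srv.socks["ctrl"].getsockname()[1]
        # A stray datagram with an unknown token must not create a mapping.
        c1.sendto(b"HELLO tok-bogus 1234", ("127.0.0.1", s1))
        # The real client claims port 1234; the server must ignore that number
        # (a NAT may have rewritten it) and use the tuple it sees on the wire.
        c1.sendto(b"HELLO tok-A 1234", ("127.0.0.1", s1))
        c2.sendto(b"HELLO tok-A 1235", ("127.0.0.1", s2))
        rejected = srv.accept_handshake("data")  # consumes the bogus datagram
        _, observed, claimed = srv.accept_handshake("data")
        srv.accept_handshake("ctrl")
        srv.send_stream("tok-A", b"rtp-payload", b"rtcp-payload")
        got_data, _ = c1.recvfrom(2048)
        got_ctrl, _ = c2.recvfrom(2048)
        real_port = c1.getsockname()[1]
        return {
            "rejected_bogus": rejected is None and "tok-bogus" not in srv.clients,
            "used_observed_port": observed[1] == real_port and real_port != claimed,
            "data": got_data,
            "ctrl": got_ctrl,
        }
    finally:
        for s in (c1, c2, *srv.socks.values()):
            s.close()


if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary returned by demo(). A loopback run cannot show a NAT rewriting the client's port, which is why the client deliberately claims a wrong port: the stream still arrives because the server addresses the tuple it observed. The freshness check is the minimal version of the post's fix; a deployed client would keep the mapping alive with periodic datagrams to S1 and S2 instead of re-handshaking.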

I was bored with your long overview of the issue. I suggest using TCP, as it is Internet native, is reliable, and is easier to secure through foreign NATs.
As a Design BluePrint for Building Network Applications: Never use port-locked Internet applications, as you cannot control the Internet. If needed, use VPN with L4 tunneling.
You are really working harder than you need to - even with the UDP implementation. Just have the client use dynamic ports; really, that shouldn't cause you any problem on the link, and NATs will be more likely to allow i/o traffic.
Your server should be publicly available (a DMZ host, or port-forwarded) on the Internet.
A web server uses port 80, and many clients connect to it using a random open port on their local machine and the server machine. It almost always works without issue. Why do you need lock in to specific ports? Besides that, why use UDP when running a critical QoS app such as Multicast VoIP?

Similar Messages

  • Can't connect to Server through NAT

    Hey all.
    So, I'm trying to connect to my 10.8 server from outside of my network using Server.app.
    On my local subnet, I can connect fine with my normal user.
    From anywhere outside of my local network, all I get is a shake from the login dialog (which is pretty meaningless).
    Since I'm using NAT, I've forwarded 311/TCP and 311/UDP through to the server host.
    When I telnet to my server on 311 I get a connection, so the traffic is getting through NAT (at least the TCP traffic).
    The only indication of a problem I get is a terse log entry on the machine I've attempting to connect from:
       Server: Failed to authenticate to OD
    I'm using the same credentials I use through Server.app when on the local subnet, so something else is happening.
    I do get a certificate warning, which I check off so that I always trust it. I can use the same hostname on my internal and external zones, but the IP resolves back to
    Does OD require some additional configuration for requests from outside the local net?
    Is Server.app just flawed?
    Does this somehow have to do with DNS?
    Any ideas?

    Server.app communicates over TCP port 687, not 311.
    That being said, I wouldn't port forward server administration traffic to your server. A better approach would be to make a VPN connection first and then do whatever task you're trying to do after that.
    Source: http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US

  • TACACS+ requests through NAT device

    Hi everyone.
    I want to authenticate and authorize VTY access to Cisco devices using TACACS+. The config is pretty "straightforward", BUT:
    I want to forward the TACACS+ request through a NAT device and on to the "Internet" where the TACACS+ server is located. (ACS 3.3)
    2 questions appear in this situation:
    - Does TACACS+ protocol support requests through NAT devices?
    - Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all aaa-clients and on the ACS)
    As you see, i want to connect "as many aaa-clients as possible" to a TACACS+ Server with "as easy = less configuration changes, as possible" .
    I know VPN's are options as well, but it is not prefered in my design.
    Best Regards
    Jarle Steffensen

    As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
    I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
    If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server can not differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
    HTH
    Rick

  • How to manage VM servers in DMZ through NAT proxy?

    Dear all,
    We need to build some VM servers in the DMZ network. And the OVM Manager is located in the trust zone (behind the DMZ). OVM Manager can connect to the DMZ VM servers through a NAT proxy. But there are some errors after I have added the servers.
    In fact, there is no management network for OVM Manager. So I see no workaround.
    Have you any idea about this deployment?
    Mike

    mtktang wrote:
    We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers.

    We do not support Oracle VM Server via NAT, because the Servers get the IP address of the Manager to connect to (and not the NAT'd address). So the API python binding download and notifications will fail. It is very unlikely that this would work.

  • Sip passing through nat but rtp is not - no audio

    Sip passing through nat but rtp is not
    I'm looking at traffic leaving my router with a sniffer. I see SIP traffic but I do not see RTP traffic.  The phones ring on both sides but I do not get any audio.
    interface f0/0.100
    ip address 192.168.10.1 255.255.255.0
    ip nat outside
    ip nat pool VoIP 192.168.10.1  192.168.10.1 prefix-length 24
    ip nat inside source route-map VoIP pool VoIP overload
    ip nat inside source static tcp 10.1.1.2 49201 192.168.10.54 49201 extendable
    access-list 1 permit ip host 10.1.1.2 any
    route-map VoIP permit 10
    match ip address 1
    match interface  f0/0.100
    set interface  f0/0.100

    Hello,
    You can enable "ip nat service sip" or "ip nat service h323" and "ip nat service h225" commands. As per the documentation, they are enabled by default. In the latest IOS there is a new feature added to Cisco IOS that ensures that even RTP packets get translated to one of the allowed ports as specified by the RFC. The command to enable the feature is "ip nat service allow-sip-even-rtp-ports"
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_white_paper0900aecd80597bc7.html
    Hope this helps.
    Regards,
    NT

  • Can IPsec VTI go through NAT ?

    hi
    Just like the subject, does anyone know if IPsec VTI can go through NAT?

    Just tested, it works

  • Access another host on same subnet through Nat'd IP address

    I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor; both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.

    Borman,
    Its more complicated than that, consider the following scenario:
                                20.20.20.0/24
                   ASA------------------------------Internet
                      | (DMZ)
                 Switch
         Host A          Host B
       10.1.1.10      10.1.1.100
                          20.20.20.20 (Nat outside address)
    Basically you want to monitor your host B using its public IP address, normally your NAT configuration (in case of version 8.2 and prior) would be something like this:
    nat (DMZ,outside) 20.20.20.20 10.1.1.100
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); then, once it is untranslated, the route lookup comes into play. The firewall notices that it is on the same interface as the source of the packet, so we reach our first impasse. The ASA does not support same-security traffic by default. So we overcome this issue with the following command:
    same-security-traffic permit intra-interface
    Now that is done, so we move to the next packet process: the ASA tries to check if there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) there is no global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:
    Global (DMZ) 1 interface
    This will translate requests from the DMZ interface going to that same interface to the DMZ IP address. On the server 10.1.1.100, the connection will be seen as if it came from the firewall, and the packets will be sent to the firewall again, hence avoiding asymmetric routing.
    If running version 8.3 or higher, the concept is the same, but the commands change a bit.
    8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    Nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    So bottom line, configuration needed on 8.2
    global (outside) 1 interface
    same-security-traffic permit intra-interface
    Configuration for 8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    Nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    Hope this helps a bit.
    Mike

  • IM System File Transfer through NAT

    Hi, I have an operational IM system with server and client and I want to implement file transfer. Not that it was that difficult, but I want to make it server independent to relieve it.
    What I want is to establish a direct connection between transferring clients. The problem is how to deal with guys behind NAT.
    I have seen many topics here and on other forums dealing with it, but they were direct questions in advanced development of this issue, and I want to ask if there is any way to do it without reconfiguring the client routers (some of them behind the ISP's gateway and owning their own wifi router) or not. I would like to know your ideas or experiences on this matter, how to start with this or where to look for it. I certainly don't want to do some IP tunnelling through RMI or similar.
    Regards ~

    When connecting possibly NATed peers, there are three main scenarios:
    * All peers have a public IP, no NAT anywhere: easy, simply connect
    * At least one peer has a public IP, no NAT, some or all other peers are NATed/don't have a public IP: the public peer acts as a server of a kind/hub
    * Everyone is NATed: now it's getting very, very tricky.
    Especially for the third kind you will need to implement several different techniques.
    Keywords to google for are UPNP (to reconfigure the router for port forwarding) and NAT piercing (fooling both routers to think it's an outgoing connection).
    Good luck.

  • Getting NI MAX (Measurement Automation Explorer) to work through NAT

    All,
    I've been having no end of grief trying to connect NI MAX to my remote cDAQ 9134 (Linux RT) through a cellular gateway (firewall/NAT). I currently have all the ports I think are even slightly MAX related forwarded to the IP of the cDAQ. The IP address assigned to the cellular gateway is part of my corporate network, i.e. this is not a remote private IP but instead an IP on my WAN. 
    Currently the following ports are forwarded:
    80
    52725
    3580
    20-22
    53
    48080
    The web UI function works across this arrangement, as does SSH - but not MAX.
    NI MAX will find the device at first, but then it transitions from connecting to a red-X icon... but not before discovering the serial number and a few other parameters (not all).
    I need this to work so I can remotely deploy new software modules to the cDAQ 9134.
    Has anyone accomplished something similar in the past? Am I possibly missing a port?
    Thanks and Regards,
    Jeff

    Hello Jeff,
    As long as you have unblocked all of the ports pertaining to NI MAX in this White Paper:
    http://www.ni.com/white-paper/12402/en/
    you shouldn't have missed anything. Is there any way to connect it locally, or does it have to be over the network?
    Siana A.
    Application Engineering
    National Instruments

  • CAPWAP tunnel through NAT interface

    I'm not sure if anyone has tried this but are there any complications with connecting a lightweight AP through a NAT'd interface back to the WLC?  I know I'll have to open 5246 and 5247, but are there any other issues that I should be aware of?

    We have a neighboring hospital where some of our docs want to set up a clinic using their iPads back to our network.  Right now, we have a NAT'd interface from their network to ours and I haven't been able to test setting up an AP through a NAT interface.  I forgot about Office Extends and now remember from your Twitter updates from CL11.  I'll probably go that route.  Are there any issues that may come up from using Office Extends?

  • Preserve Source Port through NAT

    Hi All,
    We are having problems with some of our NAT translations. We need the router to preserve the source port of the outbound connection, but instead it is generating a random source port for each translation (highlighted in bold):
    udp  217.x.x.x:17127  192.168.55.71:8061    84.x.x.x:8060     84.x.x.x:8060
    I believe the port-randomisation feature was brought in with IOS 12.4, but I don't think I can disable this feature on the IOS I am using. Is there any way I can create a static translation which preserves the source port? Any help would be greatly appreciated.
    Plaform: cisco ASR1002
    IOS: 15.4(3)S2

    These are for phones on the internal network, they will be contacting a remote server, and each phone has been configured to use a unique source port for the outbound connection. This allows the server to identify each individual phone when the connection comes in (it also means that no two phones should be using the same source port, so PAT should have no need to alter these).
    The translation you mentioned would appear to create a static inbound translation, forcing all inbound connections on 8061 to the same port on an internal host. I'm trying to achieve the opposite, forcing the outbound connection's source port to not be altered.

  • ACS DB Replcation Fails Through Cisco Firewalls w/Skinny Policy Inspect

    We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers, and it is because of the default port the ACS servers use to replicate over... TCP 2000.
    Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
    When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
    Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
    Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0, as I understand it.
    And no... we should not have to disable the inspect policy for skinny on the ASAs. :-)
    Any help to quell my frustration on this topic would be appreciated.
    Thanks,
    -Scott

    Scott,
    If disabling the inspection of the skinny protocol is not feasible, the following configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
    In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
    #Define what traffic you want inspected:
    access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
    access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
    access-list skinny_acl extended permit tcp any any eq 2000
    #Create a class map to match the acl
    class-map skinny_map
    match access-list skinny_acl
    #Under the global policy, take the skinny inspection out of the
    #class inspection_default, and add it under our new class
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    class skinny_map
    inspect skinny
    service-policy global_policy global
    ###Will be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    Class-map: skinny_map
    Match: access-list skinny_acl
    Access rule: permit tcp any any eq 2000
    Action:
    Input flow: inspect skinny
    FWSM(config-pmap-c)#
    ###Will not be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    FWSM(config-pmap-c)#
    Regards,
    ~JG
    Please rate if helps !

  • Remote debugging through NAT - VS2013, C#

    I need help figuring out how to initiate a remote debugging session when the target computer is across the internet and behind NAT. VS2013 and a C# application, .NET 4.5.
    Remote debugging works great here on my LAN, but now I need to connect to a remote stand-alone (not on a domain) PC that is behind NAT; its WAN IP is different from its LAN IP. My development PC is also behind NAT. I do not have access to the remote firewall/router to configure port forwarding. Is there any other way I can connect? Are there any tools that will allow me to connect directly to the remote PC with the remote debugger, similar to how TeamViewer can connect to PCs even though they're behind NAT?

    Hi Matt_FL,
    Like this document here:
    http://www.codeproject.com/Tips/618804/Remote-debugging-for-Visual-Studio-from-different
    It shares the detailed steps about how to set up remote debugging if the environments are not in the same domain.
    So I'm afraid we would need to check whether the environments meet the requirements of remote debugging.
    Reference:
    https://msdn.microsoft.com/en-us/library/vstudio/bt727f1t%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396#bkmk_setuptheremotecomputer
    If the remote computer is protected by a firewall, you must configure the firewall to allow the Remote Debugging Monitor to communicate with the Visual Studio host computer.
    If your network requires that communication be performed using IPSec, you must open additional ports in the firewall.
    If you are debugging a process on a web server, you must open an additional port.
    Other threads I met before:
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/0058a97a-8595-4235-88b1-7575aed2e2de/remote-debug-issuevisual-studio-remote-computer-can-not-back-connect-to-remote-computera-firewall?forum=vsdebug
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/897782e5-dada-4df1-8ef2-f119cdce7e5e/remote-debugging-over-internet
    Maybe you could refer to them; hope they provide useful information.
    But as far as I know, we could do remote debugging over a WAN even if it has some specific requirements.
    Reference:
    http://stackoverflow.com/questions/5091207/net-remote-debugging-domain-networking-issues
    If I have misunderstood this issue, please feel free to let me know.
    Best Regards,
    Jack

  • Server Access through NAT'd Firewall

    Hi,
    I have a 7.3 client accessing a server on the same LAN segment with no problems. I am trying a to add a second client that is on the other side of a NAT firewall. This client has full access to the server, but it is accessed with a different IP address.
    Is there a way to complete this?
    Thanks

    Thanks for the replies. I checked out 10gR2 today and it seems like, as you both say, that the best way of doing it (if not the only way) is to install the agent onto the remote servers using the tools provided. Doesn't seem as if there's a way of discovering nodes running 9i or lower agents.
    Cheers,
    Marcus.

  • Provider to APNS connectivity through NAT?

    Hi,
    I have my servers generating push notifications in DMZ (private IP space).
    Has anyone tried to use NAT to connect "provider" host to APNS?
    Are there any problems establishing TLS connections to APNS?
    Thanks
