Configure a Vega behind a NAT
The following describes how to setup a Vega gateway for use in a NAT'ed environment through internally configured port translation using both a router and the Vega.
How does a NAT operate
NAT (Network Address Translation) is a facility that allows multiple devices (PCs, servers, Smart Phones, tablets, gateways etc) that require access to the Internet but only need a single WAN IP address and route to the public Internet.
A Basic NAT will perform an IP address translation so that when a Private network device, such as a PC attempts to access devices or services across the public internet, the access appears to have come from a public IP address. This is necessary because public Internet routing devices cannot route to private network IP addresses, only public IP addresses can be routed to.
The following diagram shows a device (eg PC) with a private IP address aaa.bbb.ccc.ddd making an access through the NAT router. The NAT router logs the source IP address of the outbound IP packet then changes the Return IP address to its own registered public IP address.
When a response is made to the NAT router, it looks up the IP address it stored earlier, and routes the response to the appropriate private address.
This form of NAT translation is limited in that only 1 private device at a time can have access to the public internet, if multiple internal devices were to try to get access then replies may get forwarded to the wrong destination.
A common extension of NAT translation is to translate the local IP address and port combination into a public IP address / port combination. This translation, though generically still referred to as NAT is more properly known as PAT (Port Address Translation). In this scenario the PAT router receives a
request from a private IP device and it converts the IP address and the IP port number, making sure that the outgoing (public) IP address, IP port number combination is unique. When a reply is sent to this unique IP address and IP port combination the PAT router is then able to look up the correct
device (private IP address and port) to send it to.
This means that simultaneous accesses from multiple private IP devices may be made through the PAT router, as it is able to keep a table indexed by outgoing port number to keep return IP address and port number information.
In order to handle unsolicited data packets arriving on the public side of the PAT router (e.g. return leg of RTP VoIP calls), the NAT/PAT router must be configured with static entries (Port Forwarding) in the table, identifying where to send IP packets if they arrive on specific IP address / port numbers.
Problems of VoIP protocols
Although NAT/PAT routers translate the Return IP address and port and route the packets appropriately, unfortunately both SIP and H.323 protocols send IP addresses and port numbers within the protocol, to for example, tell the far end where to send the media and signalling information. Standard NAT/PAT routers, those that are not VoIP aware, can only modify the VoIP header and so pass these values through without change. When the far end device tries to send, for example, some media packets it will try to send them to the private IP address that will not be known, and will not be route-able within the Public Internet.
Possible Soution - VoIP aware NAT/PAT routers / firewalls solve the NAT problem
There are a number of NAT/PAT routers / firewalls that are VoIP aware. These will not only translate the IP address and port information in the IP headers, but also have enough knowledge of the VoIP protocols to be able to look at the contents of the various messages and apply IP address and port number translation to these where required. Where the Vega is situated behind a VoIP aware NAT/PAT router / firewall, the Vega needs no special configuration to operate correctly.
Possible Solution - VPN traversal of NAT solves the NAT problem
VPN tunnels can be created by some firewalls between specific points in a Network. These VPN tunnels, although communicating from private address ranges across the public IP network to destination private IP address ranges hide that traversal from the IP endpoints in the private IP network. Endpoints on different sites can ?see? the far end network as part of its own network. Where the Vega is communicating across a VPN, the Vega needs no special configuration to operate correctly.
Possible Solution - Session Border Controller traversal of NAT solves the NAT problem
A SBC (Session Border Controller) is a device that has a public IP address and is used to proxy VoIP communications. Because it has a public IP address it sees the messaging coming from the outside IP address of the NAT device through which the Vega is communicating. This allows it to intelligently correct private IP addresses presented in the VoIP messaging with the public IP address of the NAT device. Where a SBC is used in conjunction with the Vega, the Vega needs no special configuration to operate correctly.
Procedure to Configure the Vega to work with NAT/PAT devices that are not VoIP aware
Local versus public
The first thing that the Vega needs to know is which IP addresses are on the local network (on the private side of the NAT/PAT device, the same side as the Vega itself), and which IP addresses are on the far side of the NAT/PAT device. When communicating with devices on the local Network the Vega will not need to apply any special handling to the IP messages, but when communicating with those on the far side of the NAT/PAT, the Vega will have to apply the IP address and port translation.
IP port ranges and mappings
The second configuration required is to identify which UDP/IP port ranges and which TCP/IP port ranges are to be used by the Vega and what corresponding port ranges will be used when these are translated by the NAT/PAT device.
For instance, if there are two Vegas within the private network, both trying to communicate through the same NAT/PAT device, non-intersecting ranges of translated values will be used so that the NAT/PAT device will be able to uniquely identify which Vega to send which data streams to, based on the incoming port number.
Enable NAT/PAT handling
By default the Vega has NAT/PAT handling disabled. If NAT/PAT handling is required it must be enabled.
Configuring a Vega and NAT/PAT device
For example, assuming a Vega and NAT/PAT configuration as follows:
Note No special NAT/PAT translations need to be set up in the Vega for Telnet, tftp, ftp, SNMP, or Radius)
Configuring the NAT/PAT router
In the NAT/PAT device static translations must be set up
Note The IP Address 64.120.7.3 is an example Public IP address for the NAT Router.
Detailed Vega configuration (by Web Browser Interface)
Local versus public
To identify which IP addresses are local IP addresses to the Vega, and which IP addresses are only accessible via the NAT/PAT, in the Vega parameters specify the subnets which are local to the Vega. IP addresses not in this list will be treated as only accessible via the NAT/PAT.
Step 1 Navigate to Expert Config>LAN/WAN. From the LAN management web page the select the "Private Networks" link as show below.
Note the LAN management page will not fit on one web page, the Private Subnets config section will require scrolling to a lower part of the web page
Step 2 With the Private Subnets web page loaded Select "Modify" in the "Private Subnets" section:
Name = textual name for Subnet naming only
IP:- base_ip_address_of_local_subnet_1,
Subnet:- subnet_mask_of_local_subnet_1
Example table configuration
Name:- "GATEWAY_LAN_SUBNET"
IP:- "192.168.0.1"
Subnet:- "255.255.255.0"
If more than one Subnet is needed select the "Add".
In this way, additional entries can be configured
NOTE The configuration changes made here will need to the submit button selected - please follow the onscreen prompts
Optional Step 2.5: "Private Subnet Lists" - This section of config is only needed if using more than one subnet - This references the screenshot above.
From the LAN>Private Subnets page, select Modify in the "Private Subnet Lists" section:
List = ?all? (or a comma separated list of the local subnet definitions)
Name = textual_name (for self documentation purposes only)
NOTE The configuration changes made here will need to the submit button selected - please follow the onscreen prompts
Step 3 Navigate back to Expert Config>LAN/WAN, next select the NAT Configuration section which will load a new web page.
The LAN "subnet list" that is to be used must be configured in the LAN>NAT configuration table - this should match the list created in the previous step.
In the LAN 1 NAT Profiles section configure the Public IP address of the link that will be used by the Vega
Note This address will be specified in the SDP sent by the Vega to the Public IP based ITSP
NOTE The configuration changes made here will need to the submit button selected - please follow the onscreen prompts
Step 4 Navigate to Expert Config > LAN/WAN > "LAN Ports" - The range of IP Ports that are used by the Vega for the different VoIP functions.
The following table shows an example of the Vega IP ports and the IP Port translation through the NAT/PAT router that should be configured.
RTP Range 1 - This range of IP ports configured that the Vega will use for sending and receiving RTP streams from the LAN interface
SIP (UDP, TCP & TLS) - These ranges ranges specify the IP Ports that are available to be used by SIP.
Note The range of IP Ports will need to be at least double the maximum number of simultaneous calls (RTP range 1 will be sufficient for all except the 120 Channel Vega 400 which would also need RTP range 2).
To configure the Vega to use the following values:
For each LAN "Port Range" select the modify for the parameter and change the "Minimum" and "Maximum" port number which will define the range. The example below is given for RTP_Range 1:
With the Port Ranges configured, a list that collates the Port ranges to be used in the NAT environment must be configured. Navigate to Expert Config > LAN/WAN > LAN Ports.
> Select to add a new "Port Range List" next select "Modify". In the New port range list:
Name - Defines the list name for self identification.
List - This defines a list of Port Ranges - this will be by the NAT function to define which internal ports are to be used
NOTE The configuration changes made here will need to the submit button selected - please follow the onscreen prompts
Step 5 Next the port range configured above will be selected to be used by the Vega. Navigate to Expert Config > Advanced > Advanced Media Parameters select
Step 6 The Next step will configure the mapping of internal ports (defined in the previous steps) to External Ports that will be used on the NAT/PAT router.
Navigate to Expert Config > LAN/WAN > NAT. From the NAT page select "NAT Port Entry Configuration". For each internal port range configured in Step 4 a NAT Port Entry will need to be created referencing the NAT/PAT translated port range in the table above.
The default NAT Port entry list will use all NAT Port Entries configured. Below are examples of the NAT Port Entry configuration based on the example information above:
NOTE The configuration changes made here will need to the submit button selected - please follow the onscreen prompts
Step 7 The parameters to be configured by Quick config are complete - select the "Submit" button.
NOTE The Quick Config Submit creates a popup Click "OK" on the next window to apply the settings
NOTE The save process creates a select "Continue" on this window.
Checking the configuration
To check the configuration of the NAT/PAT related parameters, on the command line interface type:
?? status nat
or, on the web_browser, on the LAN>NAT page select NAT_status from the NAT Configuration
section.
nat status shows the currently active NAT status, so changes made will only show up in the
nat status information after an APPLY or has been executed.
The result will look something like this:
NAT Status
LAN NAT enable=1
NAT PROFILE LIST (1 profiles)
profile 1
external ip= 64.120.7.3 (40780703)
PORT ENTRY LIST (7 entries)
PORT ENTRY 1
protocol UDP
internal port range rtp_etc_data_1
min internal port 10000
max internal port 12999
min external port 20000
max external port 22999
external port offset 10000
PORT ENTRY 2
protocol UDP
internal port range rtp_etc_data_2
min internal port 15000
max internal port 19999
min external port 25000
max external port 29999
external port offset 10000
PORT ENTRY 3
protocol TCP
internal port range t38_tcp
min internal port 10000
max internal port 19999
min external port 20000
max external port 29999
external port offset 10000
PORT ENTRY 4
protocol TCP
internal port range web_browser
min internal port 80
max internal port 80
min external port 115
max external port 115
external port offset 35
PORT ENTRY 5
protocol UDP
internal port range sip_sig_udp
min internal port 5060
max internal port 5060
min external port 5070
max external port 5070
external port offset 10
PORT ENTRY 6
protocol TCP
internal port range sip_sig_tcp
min internal port 5060
max internal port 5060
min external port 5070
max external port 5070
external port offset 10
PORT ENTRY 7
protocol UDP
internal port range h323_sig
min internal port 1718
max internal port 1720
min external port 1728
max external port 1730
external port offset 10
PRIVATE SUBNET LIST (1 subnets)
subnet 1
subnet base addr = 136.170.209.0 (88aad100)
subnet mask = 255.255.255.0 (ffffff00)