Solved: A1: FTP and SIP use a control

David Imrie · ‎10-29-2014

Hi,

I was wondering if anyone could help me with a little theory on a common nat probem.

I hear that NAT can break when multiple hosts use the same applications such as FTP/SIP/instant messaging/Online Gaming, and I'd like to understand why.

Q1- I understand how typical 1 to many overloaded nat works but i don't get why these aplications have issues. Do they try to share a source port or something? The context which applies to me most is online gaming if that helps.

In the lay community upnp is hailed as the solution to this problem. But as far as i can tell upnp just allows some degree of automatic configuration using sub protocols in an insecure way.

Q2- can anyone tell me what upnp does specifically that actually fixes this issue?

I am trying to use a cisco 887VA as my home router which does not support upnp but does have a number of features to help sip & vpns traverse nat.

Q3- Does my 887VA have features that can be manually configured for an aplications such as skype, x-box live, or PC games. If so can you point me in the right direction, if not can you name a low cost device that can? eg an old asa?

At the moment, if I hit this issue the only thing I can think of is bridging the modem of the 887 through to an ethernet port. using a home router for nat, then looping this back in to another ethernet port on the router. which seems silly.

Any help greatly appreciated.

David

ghostinthenet · ‎10-31-2014

A1: FTP and SIP use a control port (21/tcp) to set up the details of what they're sending. Overloaded NAT doesn't have a problem with this. Once the details have been exchanged, both protocols use random agreed-upon ports for their payloads. This is where overloaded NAT breaks, mostly because the NAT engine has no understanding of how to correctly send the payload traffic to the proper destination.

A2: UPNP is essentially a low-level proxy on consumer-grade routers that allows applications to register the ports that they need directly with the router. This eliminates the need for the NAT engine to guess at the ports being used. Most business-grade routers don't support this because it allows users to forward anything they want to their own machines.

A3: The 887 has inspection features to be able to snoop the FTP and SIP control protocols in order to dynamically permit traffic, but this only exists for well-known protocols. Things like Xbox Live aren't going to be covered by this.

For your application, it sounds like a consumer-grade router fits your requirements better than what you're using.

View solution in original post

ghostinthenet · ‎10-31-2014

A1: FTP and SIP use a control port (21/tcp) to set up the details of what they're sending. Overloaded NAT doesn't have a problem with this. Once the details have been exchanged, both protocols use random agreed-upon ports for their payloads. This is where overloaded NAT breaks, mostly because the NAT engine has no understanding of how to correctly send the payload traffic to the proper destination.

A2: UPNP is essentially a low-level proxy on consumer-grade routers that allows applications to register the ports that they need directly with the router. This eliminates the need for the NAT engine to guess at the ports being used. Most business-grade routers don't support this because it allows users to forward anything they want to their own machines.

A3: The 887 has inspection features to be able to snoop the FTP and SIP control protocols in order to dynamically permit traffic, but this only exists for well-known protocols. Things like Xbox Live aren't going to be covered by this.

For your application, it sounds like a consumer-grade router fits your requirements better than what you're using.

David Imrie · ‎08-21-2015

Thanks for the explanation. To be honest, so far I have been using this router for a year and have experienced no NAT issues, The only issue I have recently come accross is the need to set up multicast routing to support IP TV services from my ISP.

Help with NAT theory