
One welcome improvement in Windows Server 2003 IPSec is its support of NAT traversal. What is NAT traversal, and how has support for it been improved?

2006-10-30 15:39:55 · 1 answer · asked by Karla 1 in Computers & Internet Computer Networking

1 answer

NAT means that internet connections from your LAN out to the WAN (internet) are proxied through a router. The router does connection sharing, basically by using ports.

Let's say you have 2 computers on your LAN: A and B. The router has a real IP (let's pretend it's 100.23.22.7). A and B both have private network addresses, typically on the 192.168.0.x network. Let's pretend that they are 192.168.0.10 (A) and 192.168.0.11 (B).

The router's LAN IP will be 192.168.0.1, and this will also be the default gateway on the private network.

Now A wants to make a connection to www.yahoo.com. It doesn't know how to get there, so it sends the request to the default gateway, which is the NAT router. The NAT router connects to www.yahoo.com:80. What the www.yahoo.com router sees is a tcp connection from 100.23.22.7:1030 (or some such random port).

B also connects to yahoo, which the router also proxies, but this time the source port is 100.23.22.7:1031.

In this way NAT provides internet connection sharing transparently for all outbound connections.

The problem with NAT comes with peer to peer or callback protocols. This is because a callback is basically like a server running on your workstation. To understand this look at a protocol like the one used by AOL instant messenger.

You connect to the AIM server. Your friend connects to the AIM server. You each see each other in your buddy list. Your friend wants to talk to you. At this point AIM would like to tell your friend your IP address, and let him connect directly to you on a port#.

The problem when you're behind NAT, is that when your friend tries to connect to you via the IP, he can never reach your machine, because the IP he has is the IP of the NAT router. Unless the NAT router is listening on a port and then relaying it to your machine (port forwarding) the connection back to you will fail. For this reason protocols like AIM have proxied the connection through their server in those situations, but people often find that while basic chat will work, when they try and do something that requires a direct connection (file transfer for example) it mysteriously doesn't work for them.

This is where NAT traversal has come into play. NAT traversal requires routers to maintain a connection and leave outbound ports open for a period of time, and allow connections back to the router from IPs other than the original IP.

The idea is that in the peer to peer scenario described previously, when your friend wants to connect to you, the AOL server tells your AOL client to connect back to AOL on a new port.

Your application connects to aim.aol.com:2000, thinking that it is connecting to your friend. The outbound port the NAT firewall uses for this example is 100.23.22.7.

The AOL aim server then closes the tcp connection with you, without "officially" closing it, then tells your friend to connect back directly to you on port 100.23.22.7:1031.

When your friend connects to the port, the NAT router resumes the connection, even though it's to a totally different server.

The router maintains the connection to your workstation, and your workstation doesn't realize that originally it connected to the AOL server, and is now talking directly to your friend. Many protocols have these types of problems with NAT, so NAT traversal is being seen as a way of allowing peer to peer protocols for workstations behind a NAT router to work transparently.

2006-10-30 16:20:27 · answer #1 · answered by Gizmo L 4 · 0 0
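A toy model of the port-mapping behaviour the answer walks through, as an added example that is not part of the original answer: hosts A and B behind 100.23.22.7 get public ports 1030 and 1031, an unsolicited inbound packet with no mapping is dropped, and the difference between a router that only lets the original peer back in and one that lets any peer reuse the mapping (what the answer calls NAT traversal) is made explicit. The remote addresses (203.0.113.x, 198.51.100.5) are constructed placeholders from documentation ranges; the policy names follow RFC 4787 terminology.

```python
"""Toy NAT: outbound flows get a public port, inbound packets are admitted only
if a mapping exists and the filtering policy allows the remote endpoint.
Constructed sample data: LAN 192.168.0.x, public IP 100.23.22.7 (from the answer),
remote peers in documentation address ranges."""
from dataclasses import dataclass, field

PUBLIC_IP = "100.23.22.7"


@dataclass
class Mapping:
    private: tuple   # (lan_ip, lan_port) that opened the mapping
    remote: tuple    # (remote_ip, remote_port) the LAN host connected to


@dataclass
class Nat:
    # "address-restricted": only the IP the host originally talked to may send
    #   back through the mapping (the common default; peer-to-peer fails).
    # "endpoint-independent": any remote IP may reuse the open port. This is
    #   what lets a friend reach you directly, and also what widens exposure,
    #   so a defender should know which mode a given router uses.
    filtering: str = "address-restricted"
    next_port: int = 1030
    table: dict = field(default_factory=dict)   # public_port -> Mapping

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Translate a LAN host's outbound connection; returns public (ip, port)."""
        for port, m in self.table.items():
            if m.private == (lan_ip, lan_port):      # reuse the existing hole
                return (PUBLIC_IP, port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = Mapping((lan_ip, lan_port), (remote_ip, remote_port))
        return (PUBLIC_IP, port)

    def inbound(self, src_ip, src_port, public_port):
        """Return the LAN (ip, port) an inbound packet is forwarded to, or None if dropped."""
        m = self.table.get(public_port)
        if m is None:
            return None                               # no mapping: unsolicited, dropped
        if self.filtering == "address-restricted" and src_ip != m.remote[0]:
            return None                               # a different peer: dropped
        return m.private
```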
