Installation manual

80
Because they have private addresses, and are therefore not accessible from outside the NAT,
terminals on the LAN cannot be reached by externally originating calls. Even when they initiate calls to
external terminals, a problem still arises. When the call is initiated, the IP address of the calling
terminal is carried in the payload of the call setup packet. The destination terminal receives the call setup
packets, examines them and starts to transmit audio and video towards the calling terminal, using the
IP address it obtained from the contents of the received packets.
If this IP address is private, the audio and video packets sent from the terminal external to the NAT
towards the internal terminal are discarded by the Internet access router, because they are addressed
to a non-routable address. The connection between the two terminals appears to be successful, but in
reality the NAT-internal terminal never receives the audio or video from the external terminal.
Solution for the NAT/Firewall Problem
The only equipment that does not create any of the problems described above is an H.323-compatible
NAT/firewall device. Such a firewall does not block TCP port 1720 and allows access to
the other, dynamically determined H.323 ports.
Videoconferencing systems usually have private IP addresses that are not accessible from external
routers. To allow calls to function properly, the network administrator can define static NAT (a
permanent association between a private IP address and a public IP address reserved for H.323
videoconferences) for every terminal that must be accessible from an external connection.
The NAT device substitutes the static public IP address for the private one in both the header and
the payload of the setup packets sent from the internal terminal to the external terminal. The
destination terminal uses that public address for addressing its reply packets, which are routed
through the NAT device to the internal terminal.
Firewall ALG
Application Level Gateways (ALGs) are firewalls programmed to recognize specific IP protocols
like H.323.
Instead of looking only at the information contained in packet headers to decide whether to
forward or block packets, ALGs analyse in detail the data contained in the packet payload. The
H.323 protocol places important control information, such as the audio and video port numbers, in
the packet payload. The terminal expects to receive the audio and video connections from the remote
terminal on these ports. By analysing which ports the terminal expects to use, the ALG
dynamically opens only those ports, leaving the others closed to preserve network security. An
example of a firewall ALG follows.
The Aethra Application Level Gateway is present in the Aethra Stargate xDSL Router and allows
any videoconferencing terminal, independent of its manufacturer, to resolve the NAT/firewall
problem. The Stargate router is capable of checking every incoming and outgoing H.323 call and
dynamically opening only the ports being used for the H.323 videoconference.
The Stargate router also supports NAT functionality and is therefore capable of automatically substituting
the public NAT address for the private IP address that the internal terminal inserts in the H.323 payload
packets. When the Aethra ALG functionality is used with an Aethra
videoconferencing system, the “Aethra NAT” function of the videoconferencing system must be
disabled because the network equipment is H.323 compatible.
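A simplified model of the ALG and static NAT behaviour described above, added here as an illustration; it is not code from the Aethra product. The setup message format, the addresses, the port numbers and the `STATIC_NAT` table are constructed stand-ins (real H.225 setup messages are ASN.1-encoded, and a real ALG parses that encoding).

```python
import ipaddress
import re

# Constructed stand-in for an H.323 call setup payload: it only models the fact
# that the caller's IP address and its media ports travel inside the payload.
SETUP_PAYLOAD = "SETUP caller=192.168.1.10 audio=49152 video=49154"

# Assumed administrator-defined static NAT table (private -> public). The public
# address is a placeholder taken from a documentation range, not a real host.
STATIC_NAT = {"192.168.1.10": "203.0.113.5"}

FIELDS = re.compile(r"caller=(\S+) audio=(\d+) video=(\d+)")

# RFC 1918 ranges: packets addressed here are not routable on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(ip):
    """True if an external router could deliver a packet to this address."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def remote_reply_deliverable(payload):
    """What the external terminal does: it sends audio/video back to the caller
    address found in the payload. A private address there means the media is dropped."""
    caller = FIELDS.search(payload).group(1)
    return is_routable(caller)


def alg_rewrite(header_src, payload, nat_table):
    """Model of the ALG on the Internet access router: rewrite the private caller
    address in the IP header and in the H.323 payload using the static NAT entry,
    and return the media ports that the firewall must open for this call only."""
    m = FIELDS.search(payload)
    if m is None:
        raise ValueError("not a call setup message")
    caller, audio, video = m.group(1), int(m.group(2)), int(m.group(3))
    if caller != header_src:
        raise ValueError("payload address does not match header source")
    public = nat_table.get(caller)
    if public is None:
        raise KeyError(f"no static NAT entry for {caller}")
    new_payload = payload.replace(f"caller={caller}", f"caller={public}")
    # Only the ports announced in the payload are opened; all others stay closed.
    return public, new_payload, {audio, video}
```

Without the rewrite, `remote_reply_deliverable` shows the external terminal's media would be addressed to a private, non-routable host; after `alg_rewrite` the reply address is public and only the two announced ports are opened.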