Nortel 4134 用户指南
NAT Hairpinning
35
The preceding figure shows the following configuration scenario:
•
Each MCS server is behind a Firewall and NAT.
•
Trunk side SIP signaling involves Call Server to Call Server (MCS Server
1 to MCS Server 2) signaling during call setup.
1 to MCS Server 2) signaling during call setup.
•
Once call setup is complete, the RTP media path is established between
Soft Client A and Soft Client B.
Soft Client A and Soft Client B.
To enable SIP ALG at either firewall, you must configure the proxy NAT
address to be the IP address of the MCS server on the private side.
address to be the IP address of the MCS server on the private side.
Trunk side SIP traffic configuration tips
If MCS server is in private
network
•
If only Firewall is enabled, configure a inbound policy in ‘corp’ map to
allow packets on port 5060
allow packets on port 5060
•
If both Firewall and NAT are enabled, configure an inbound policy in
‘corp’ map to allow packets on port 5060 and reverse NAT to the MCS
server private address.
‘corp’ map to allow packets on port 5060 and reverse NAT to the MCS
server private address.
NAT Hairpinning
Hairpinning allows two endpoints on the internal side of the NAT to
communicate even if they only use external IP addresses and ports.
communicate even if they only use external IP addresses and ports.
If two hosts are behind a NAT and exchanging traffic, the NAT device may
allocate a public address and port for each of them to use. If the two hosts
communicate with each other via their public NAT addresses, hairpinning
allows the NAT device to receive and return the packets on the same
interface while translating the address and port mappings.
allocate a public address and port for each of them to use. If the two hosts
communicate with each other via their public NAT addresses, hairpinning
allows the NAT device to receive and return the packets on the same
interface while translating the address and port mappings.
To implement hairpinning on the SR4134, you must have one of the
following NAT traversal strategies in place:
following NAT traversal strategies in place:
•
STUN
•
SIP-ALG
Hairpinning is supported with the CS 1000 series call servers and Nortel
IP Phones implementing a STUN-aware protocol and with the MCS 5100
implementing SIP.
IP Phones implementing a STUN-aware protocol and with the MCS 5100
implementing SIP.
A limitation with SR4134 is that hairpinning and self policies are mutually
exclusive on the router. You must make a choose between either allowing
hairpinning or allowing inbound connections from the Internet to a self IP.
exclusive on the router. You must make a choose between either allowing
hairpinning or allowing inbound connections from the Internet to a self IP.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.