SIP and NAT: Why is it a problem?

Why is it a problem using SIP Clients behind NAT?

What is NAT?
To understand why SIP Clients behind NAT are a problem, you first need some understanding of what NAT is and what it does. NAT stands for Network Address Translation. Unless you are using one-to-one NAT, the NAT device may also perform Port Address Translation (PAT). For a detailed explanation of NAT click here.

If you want, you can also read about the basics of how IP connections work here.

What does NAT do to IP packets sent from your IP phone to a host SIP server?
It substitutes a different (external) sender IP address and Port Number for the original internal addresses assigned when the data packet left your IP phone. It does this at the TCP/IP packet level, but SIP is a protocol that is embedded within the data payload of the IP packets and so, unless your NAT device is “SIP Aware”, it will not make changes to the IP address and port number used in the contact information embedded in the SIP messages. It is a bit like changing the “return address” on an envelope that you are mailing without also changing the sender’s address on the letter inside the envelope. The result is that you now have an inconsistency between the Sender IP address/port number shown inside the SIP message and the sender IP address/port number shown as the source of the IP packet at the TCP/IP level.

Why does it matter so much in SIP? Surely the same thing happens with Web Browsing.
Yes, the same thing does happen when you are browsing a web site using a PC connected to the Internet through a NAT device. However, the HTTP protocol used for web browsing is much less sensitive to the address substitutions made by the NAT device because it only requires the web server to be able to send responses straight back to your browser via the same ports that were used to start the dialogue.

Unfortunately, SIP is considerably more complicated than HTTP because it involves two-way negotiation between the client device and the server. An essential element of this negotiation is to establish the routing of the audio media streams. The audio streams use the RTP protocol and they are generally established directly between end-points using different ports to those used for the SIP messages. The RTP ports go into a “listening” state whereby they can accept a new connection from a remote device. The IP address and port number for RTP are sent to the other device within the SIP INVITE message. This is part of the call setup. The end-points should then connect to each other on the advertised ports to establish a two-way audio connection.

What happens in SIP that is so sensitive to address and port translations?
Two things that SIP does can be messed up by NAT:

First, your IP phone has registered itself with the SIP Registrar Server operated by your VoIP Service Provider because this allows your VoIP Service Provider to route inbound calls to your IP phone. (For an explanation of the registration process, click here). However, if the IP address given to the Registrar server is the private LAN address of the IP phone, not the address on the external interface of your NAT router, then the Service Provider may not be able to send SIP messages to your IP phone.

Second, when a SIP phone makes a call it sends a SIP INVITE request. Within that request, it also sends details of how it should be reached for the audio media stream as described above. The connection used for the SIP messages that start and end calls is not the same connection as is used to send the audio stream. The audio stream is always established on a new connection using a completely different port number. NAT routers normally allow outbound connections, but block inbound ones. This means your phone may be telling the remote device to open a media stream connection to it, but the remote device is unable to open the connection because it gets blocked by the NAT device.
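
The mismatch described above can be checked on the receiving side by comparing the addresses carried inside the SIP message with the source address of the packet that delivered it. The following is an added example, not part of the original article: the INVITE, the addresses 192.168.1.50 and 203.0.113.10:40112, and the function names are all constructed for illustration, and only IPv4 literals are handled.

```python
import ipaddress
import re

# Constructed sample: an INVITE as the server receives it from a phone behind NAT.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0", "",
])


def advertised_endpoints(message):
    """Return {field: (ip, port)} for IPv4 addresses embedded in the SIP payload."""
    head, _, sdp = message.partition("\r\n\r\n")
    found = {}
    patterns = {"Via": r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?",
                "Contact": r"^Contact:.*?sips?:(?:[^@>\s]+@)?([\d.]+)(?::(\d+))?"}
    for field, pattern in patterns.items():
        m = re.search(pattern, head, re.M | re.I)
        if m:
            found[field] = (m.group(1), int(m.group(2) or 5060))
    conn = re.search(r"^c=IN IP4 ([\d.]+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if conn and media:
        found["SDP audio"] = (conn.group(1), int(media.group(1)))
    return found


def nat_findings(message, src_ip, src_port):
    """List (field, advertised, is_private) where payload and packet source disagree."""
    findings = []
    for field, (ip, port) in advertised_endpoints(message).items():
        # RTP uses its own port, so for SDP only the address is compared.
        seen = (ip,) if field == "SDP audio" else (ip, port)
        if seen != (src_ip, src_port)[:len(seen)]:
            findings.append((field, f"{ip}:{port}", ipaddress.ip_address(ip).is_private))
    return findings
```

Calling `nat_findings(SAMPLE_INVITE, "203.0.113.10", 40112)` reports the Via, Contact and SDP audio entries, each advertising a private address the server cannot reach.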

What are the symptoms of a NAT related problem?

One of the most common symptoms is that someone calls your IP phone, it rings, you answer it and there is silence. A variation on this is that you answer it and there is 1-way audio – you can hear them but they can’t hear you, or vice versa.

Another symptom is that you can make calls to other people, but they cannot call you. A variation on this is that other people can call you in the first few minutes after your phone has registered, but not after 10 or 20 minutes.
You may also get a combination of both the above symptoms or their variants.

How do you overcome the problems of NAT traversal?

Follow this link to see how SIP phones and SIP service providers overcome NAT traversal problems.