Re: two way communication using NAT and port forwarding
From: Chris (chrisac@gmx.net) Date: 03/30/02
- In reply to: Vikash K Agarwal: "two way communication using NAT and port forwarding"
From: "Chris" <chrisac@gmx.net> Date: Sat, 30 Mar 2002 14:24:52 -0000
"Vikash K Agarwal" <vikash.agarwal@tallysolutions.com> wrote in message
news:4a6c3c06.0203300553.223af6b9@posting.google.com...
> How do instant messengers like ICQ work from behind the firewall? It
> seems to be done using NAT or port forwarding. But I do not understand
> it clearly.
>
> Say
> 1. client messengers are running on 192.168.1.1, 192.168.1.2 and so on
> 2. There is a single public IP with firewall 202.54.54.1
> 3. A central server maintained by the creators of the messenger
> 111.111.111.111
>
>
> When the client messenger initiates a request from private IP like
> 192.168.1.1 the NAT at gateway/router/proxy will
> 1. do the translation to public IP from private IP
> 2. send and recv the response from server
> 3. do the transaction from private to public IP
> 4. the client receives the response
>
> and everything looks fine BUT
>
> when the server (111.111.111.111) wants to send something to the
> client, the client is behind the firewall so all request by default
> will terminate at the firewall. Even if port forwarding is enabled the
> request will go to a fixed machine and port.
>
> The problem is that there are or may be multiple messenger clients
> behind the firewall and the server wants to communicate with a
> particular one or all, which does not seem likely with port forwarding.
>
> What will the server need to send so that it can reach the targeted
> client like 192.168.1.1 behind the firewall?
>
> thx for help
>
> vikash
It's like any client server communication from behind a single IP address on
either a proxy or firewall, dynamic ports on the client side! Remember that
when multiple clients (like a 192.168.1.0 /24 range for example) are hiding
behind a single global IP (like maybe the outside IP address of a firewall)
you are then using Port Address Translation (PAT). So, if client 192.168.1.5
connects to the server at 111.111.111.111, it will be translated on the
firewall to 202.54.54.1 (using your example) with a dynamic port number of
maybe 1179, for example. If client 192.168.1.6 then initiates a connection
to the server at 111.111.111.111, it will also be translated to 212.54.54.1
on the firewall but the firewall will give this connection a different port
number, say 1180. The firewall then keeps a state table of connections. It
knows that it assigned the connection from 192.168.1.5 a port number of
1179, and the connection from 192.168.1.6 a port number of 1180.
So, the server at 111.111.111.111 sees two connections from 212.54.54.1. It
will see connections from 212.54.54.1:1179 and 212.54.54.1:1180. These are
two separate TCP connections.
When data is sent back to 212.54.54.1:1179, the firewall looks up that entry
in its state table and sees that the internal client for that connection
is 192.168.1.5 and so translates the IP back to the local IP and passes the
data. The same goes for the reply traffic for 212.54.54.1:1180. The firewall
sees this incoming traffic and matches it to 192.168.1.6. This happens for
all clients for all connections to external servers.
I hope that this helps!
Chris.
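The PAT state table Chris describes, replayed as an added example (this is not code from the thread or from any firewall product). It models a many-to-one NAT that rewrites each outbound client connection to the public IP plus a dynamic port, records the mapping, and translates replies back to the originating client. Two details are assumptions: the server port 5190 and the clients' source ports are constructed sample values, and the table is keyed on the remote endpoint as well as the public port, so only the server a client actually talked to can reach back through that entry. The example also shows what the original question was worried about: a packet the server sends to a port that has no state entry simply has nowhere to go and is dropped, which is why the server must push data over the TCP connection the client opened rather than opening one of its own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the thread's example; the server port is a constructed sample value.
PUBLIC_IP = "202.54.54.1"
SERVER_IP = "111.111.111.111"
SERVER_PORT = 5190


@dataclass(frozen=True)
class Packet:
    """Only the fields the NAT needs: a TCP 4-tuple (protocol omitted for brevity)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """State table of a PAT (many-to-one NAT) firewall with one public address."""

    def __init__(self, public_ip: str, first_port: int = 1179) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound: (internal ip, internal port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public port, remote ip, remote port) -> (internal ip, internal port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Client -> server: rewrite the source to the public IP and a dynamic port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            # First packet of a new connection: allocate the next free port
            # and record the mapping so replies can be matched later.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client: look up the public port; drop if no state exists."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited packet: no state table entry, so it is dropped
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def run_example() -> dict:
    """Replay the thread's scenario and return what each side sees."""
    nat = PatTable(PUBLIC_IP)
    c5 = Packet("192.168.1.5", 49152, SERVER_IP, SERVER_PORT)  # constructed client ports
    c6 = Packet("192.168.1.6", 49153, SERVER_IP, SERVER_PORT)

    out5 = nat.translate_outbound(c5)
    out6 = nat.translate_outbound(c6)
    out5_again = nat.translate_outbound(c5)  # same connection, same mapping reused

    # The server replies to the translated endpoints it saw.
    reply5 = nat.translate_inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, out5.src_port))
    reply6 = nat.translate_inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, out6.src_port))

    # The server opens a brand-new connection to a port with no state: dropped.
    unsolicited = nat.translate_inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, 5000))
    # A different host sends to a live public port: state is keyed on the peer, so dropped.
    wrong_peer = nat.translate_inbound(Packet("203.0.113.9", 4444, PUBLIC_IP, out5.src_port))

    return {
        "out5": out5, "out6": out6, "out5_again": out5_again,
        "reply5": reply5, "reply6": reply6,
        "unsolicited": unsolicited, "wrong_peer": wrong_peer,
    }


if __name__ == "__main__":
    for name, pkt in run_example().items():
        print(f"{name:11} {pkt}")
```

Running it shows 192.168.1.5 leaving as 202.54.54.1:1179 and 192.168.1.6 as 202.54.54.1:1180, the server's replies landing on the right internal client, and both the unsolicited connection and the packet from a different peer returning None. Real firewalls also age entries out of the table, which is why long-lived messenger connections send keepalives.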