Re: two way communication using NAT and port forwarding

From: Vikash K Agarwal (vikash.agarwal@tallysolutions.com)
Date: 31 Mar 2002 02:36:24 -0800


    "Chris" <chrisac@gmx.net> wrote in message news:<uabilq31m3au9e@corp.supernews.com>...
    > "Vikash K Agarwal" <vikash.agarwal@tallysolutions.com> wrote in message
    > news:4a6c3c06.0203300553.223af6b9@posting.google.com...
    > > How do instant messengers like ICQ work from behind the firewall? It
    > > seems to be done using NAT or port forwarding, but I do not understand
    > > it clearly.
    > >
    > > Say
    > > 1. client messengers are running on 192.168.1.1, 192.168.1.2 and so on
    > > 2. There is a single public IP with firewall 202.54.54.1
    > > 3. A central server maintained by the creators of the messenger
    > > 111.111.111.111
    > >
    > >
    > > When the client messenger initiates a request from private IP like
    > > 192.168.1.1 the NAT at gateway/router/proxy will
    > > 1. do the translation to public IP from private IP
    > > 2. send and recv the response from server
    > > 3. do the transaction from private to public IP
    > > 4. the client receives the response
    > >
    > > and everything looks fine BUT
    > >
    > > when the server (111.111.111.111) wants to send something to the
    > > client, the client is behind the firewall so all request by default
    > > will terminate at the firewall. Even if port forwarding is enabled the
    > > request will go to a fixed machine and port.
    > >
    > > The problem is that there are or may be multiple messenger clients
    > > behind the firewall and the server wants to communicate with a
    > > particular one or all, which does not seem likely with port forwarding.
    > >
    > > What will the server need to send so that it can reach the targeted
    > > client like 192.168.1.1 behind the firewall?
    > >
    > > thx for help
    > >
    > > vikash
    >
    > It's like any client server communication from behind a single IP address on
    > either a proxy or firewall, dynamic ports on the client side! Remember that
    > when multiple clients (like a 192.168.1.0 /24 range for example) are hiding
    > behind a single global IP (like maybe the outside IP address of a firewall)
    > you are then using Port Address Translation (PAT). So, if client 192.168.1.5
    > connects to the server at 111.111.111.111, it will be translated on the
    > firewall to 202.54.54.1 (using your example) with a dynamic port number of
    > maybe 1179, for example. If client 192.168.1.6 then initiates a connection
    > to the server at 111.111.111.111, it will also be translated to 212.54.54.1
    > on the firewall but the firewall will give this connection a different port
    > number, say 1180. The firewall then keeps a state table of connections. It
    > knows that it assigned the connection from 192.168.1.5 a port number of
    > 1179, and the connection from 192.168.1.6 a port number of 1180.
    >
    > So, the server at 111.111.111.111 sees two connections from 212.54.54.1. It
    > will see connections from 212.54.54.1:1179 and 212.54.54.1:1180. These are
    > two separate TCP connections.
    >
    > When data is sent back to 212.54.54.1:1179, the firewall looks up that entry
    > in its state table and sees that the internal client for that connection
    > is 192.168.1.5 and so translates the IP back to the local IP and passes the
    > data. The same goes for the reply traffic for 212.54.54.1:1180. The firewall
    > sees this incoming traffic and matches it to 192.168.1.6. This happens for
    > all clients for all connections to external servers.
    >
    > I hope that this helps!
    >
    > Chris.

    Thanks Chris, but I'm still not clear about the following:

    1. Does the server receive it on different ports, or
    does it see it as being received from different ports?

    2. What happens if the server wants to initiate a request or push some
    information to the client? How does he know the port mapping in the
    first place? Or is it that all messengers have to log in and this
    registers the port with the server?

    rgds
    Vikash
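The PAT state table Chris describes, modelled as a small simulation. This is an added example written for this page, not code from either poster, from ICQ, or from any firewall product. It keeps the thread's addresses (clients in 192.168.1.0/24 behind the public address 202.54.54.1, server 111.111.111.111); the server port 5190 and the client ephemeral port 1025 are assumptions, and the rule that an inbound packet must also come from the remote endpoint recorded in the entry is the behaviour of an address-restricted NAT, which is one common policy rather than the only one (a full-cone NAT would forward any packet aimed at a mapped port). Run as a script it prints what the server sees (two connections from the same address with different source ports, both arriving on its one listening port), which private client each reply is routed to, and that a server-initiated packet with no matching state entry is dropped at the firewall. That last point is why clients of such services connect out first and hold that connection open: the firewall only admits traffic that matches state created from the inside, and the entries expire when idle, so the client must create and keep refreshing the mapping before the server can reach it.

```python
"""Toy stateful PAT (port address translation) firewall.

Constructed example for this thread; not the ICQ protocol and not any
vendor's implementation. Addresses follow the thread's example. The
server port and client ephemeral port below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "202.54.54.1"      # outside address of the firewall
SERVER_IP = "111.111.111.111"  # the messenger's central server
SERVER_PORT = 5190             # assumed listening port; not named in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# A state-table entry: the private 4-tuple a translated public port stands for.
Flow = Tuple[str, int, str, int]  # (priv_ip, priv_port, remote_ip, remote_port)


class PATFirewall:
    """Many private hosts behind one public IP, told apart by source port."""

    def __init__(self, public_ip: str, first_port: int = 1179) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port: Dict[int, Flow] = {}  # the state table
        self.by_flow: Dict[Flow, int] = {}         # reverse index for reuse
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source, allocating a port on first sight."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = pub_port
            self.by_public_port[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: forward only if an entry created by an outbound
        packet matches both the translated port and the remote endpoint.
        Everything else (an unsolicited push from the server, a third party
        aiming at a live port) is dropped."""
        flow = self.by_public_port.get(pkt.dst_port)
        if (pkt.dst_ip != self.public_ip or flow is None
                or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port)):
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port, _, _ = flow
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def run_scenario() -> dict:
    fw = PATFirewall(PUBLIC_IP)
    # Two clients that happen to pick the same ephemeral port; PAT still
    # tells them apart because it allocates distinct public ports.
    a = fw.outbound(Packet("192.168.1.5", 1025, SERVER_IP, SERVER_PORT, "login .5"))
    b = fw.outbound(Packet("192.168.1.6", 1025, SERVER_IP, SERVER_PORT, "login .6"))
    server_sees = [(p.src_ip, p.src_port, p.dst_port) for p in (a, b)]

    # The server replies to what it saw; each reply is routed back correctly.
    replies = [fw.inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, a.src_port, "reply .5")),
               fw.inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, b.src_port, "reply .6"))]
    delivered = [(r.dst_ip, r.dst_port, r.payload) for r in replies if r is not None]

    # A server-initiated push to a port no client opened: no state, dropped.
    push = fw.inbound(Packet(SERVER_IP, SERVER_PORT, PUBLIC_IP, 4000, "push"))
    # A third party aiming at a live translated port: endpoint mismatch, dropped.
    spoof = fw.inbound(Packet("9.9.9.9", SERVER_PORT, PUBLIC_IP, a.src_port, "spoof"))

    return {
        "server_sees": server_sees,
        "delivered": delivered,
        "push_dropped": push is None,
        "spoof_dropped": spoof is None,
        "state_entries": len(fw.by_public_port),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two dictionaries are the whole trick: `by_flow` lets the firewall reuse a mapping for packets of a connection it has already seen, and `by_public_port` is the table it consults for anything arriving from outside. A real firewall also ages entries out after an idle timeout, which is the other reason messenger clients send periodic keepalives on their server connection.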


