This invention relates generally to network management and more particularly to managing devices across Network Address Translator (NAT) boundaries using tunnels.
A Network Management System (NMS) can manage many devices including computers and Internet Protocol (IP) telephones. Management can include network management, changing system settings, recording failures of network devices, discovering what hardware components are installed in network devices, discovering what software is installed on the device, etc.
FIG. 1A shows an NMS 3 used for managing computers 1 and 2. A table 5 stores the IP addresses of the devices managed by the NMS 3. The table 5 is shown in more detail in FIG. 1B and includes entries listing the IP addresses of the computers 1 and 2 managed by NMS 3. The NMS 3 communicates with the computers 1 and 2 using the public IP addresses X and Y, respectively. For example, the NMS uses IP address X in table 5 to communicate with computer 1.
Referring back to FIG. 1A, Network Address Translator (NAT) 20 and computers 16A and 16B reside within a private network 15. The NAT 20 has a public IP address 38 and assigns private IP addresses to computers 16A and 16B. The NAT 20 is designed for IP address simplification and conservation, by enabling the private IP network 15 to use non-registered (private) IP addresses. The NAT 20 operates as a router connecting the private network 15 with the public network 14. The NAT 20 translates the private (not globally unique) addresses used in the private network 15 into public IP addresses. As part of this functionality, NAT 20 can be configured to advertise only one public address to the public network 14 that represents the entire private network 15.
For example, computers 16A and 16B communicate over Internet network 14 using the public IP address 38 provided by the NAT 20. The NAT 20 receives a packet 7A from a device on private network 15, such as computer 16A. The packet 7A includes a private source address 8 and a destination IP address 9 for an endpoint such as IP phone 6; packet 7A also includes a payload 10. The NAT 20 reformats packet 7A into a packet 7B that replaces the private source address 8 with the NAT's public IP address 38 and a port number 40 that the NAT 20 associates with computer 16A. The NAT 20 then forwards the reformatted packet 7B to IP phone 6.
The IP phone 6 sends packets (not shown) back to the computer 16A that include the public IP address 38 and port number 40 for the NAT 20. The NAT 20 receives the packets from IP phone 6 and forwards them to computer 16A based on the port number 40.
The NMS 3 cannot manage computers 16A and 16B behind NAT 20 for several reasons. First, the table 5 in NMS 3 only includes public IP device addresses. The NMS 3 does not have the ability to obtain the private IP addresses and port numbers needed for communicating with computers 16A and 16B. Even if the NMS 3 could obtain the private IP addresses and port numbers associated with computers 16A and 16B, these addresses are not routable from the NMS. Additionally, the private IP addresses may be dynamically reassigned whenever the NAT 20 is reset. Port numbers are also typically refreshed in unison with the private IP address reassignment.
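The following is an added illustration, not part of the patent text, of the two behaviours described above: the outbound rewrite of packet 7A into packet 7B and the reverse mapping of the reply (the preceding two paragraphs), and the reason an unsolicited packet from the NMS cannot reach computer 16A while a reset invalidates earlier mappings (this paragraph). It is a simplified port-mapping NAT model in Python; all addresses and port numbers are constructed sample values, and the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addressing (RFC 5737/1918 ranges), not the patent's figures.
NAT_PUBLIC_IP = "203.0.113.38"   # corresponds to public IP address 38 in the text
COMPUTER_16A = "10.0.0.16"       # private address assigned by the NAT
IP_PHONE_6 = "198.51.100.6"      # public endpoint
NMS_3 = "198.51.100.3"           # public management server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class PortMappingNat:
    """Minimal model of a NAT that maps (private ip, private port) to one
    public IP plus a NAT-chosen port, and reverses the mapping on replies."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # private endpoint -> NAT port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # NAT port -> private endpoint

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private-sourced packet (7A) into its public form (7B),
        allocating a NAT port the first time a private endpoint is seen."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet addressed to the NAT's public IP to the private host
        recorded for its destination port; drop it if no mapping exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None  # unsolicited: nothing inside ever created this mapping
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)

    def reset(self) -> None:
        """Model a NAT reset: all dynamic mappings are lost."""
        self.out_map.clear()
        self.in_map.clear()


def run_scenario() -> dict:
    """Replay the text's scenario and return what reached whom."""
    nat = PortMappingNat(NAT_PUBLIC_IP)

    # Computer 16A sends packet 7A to IP phone 6; NAT emits packet 7B.
    pkt_7a = Packet(COMPUTER_16A, 5060, IP_PHONE_6, 5060, b"INVITE")
    pkt_7b = nat.outbound(pkt_7a)

    # Phone replies to the public address and NAT port it saw in 7B.
    reply = Packet(IP_PHONE_6, 5060, pkt_7b.src_ip, pkt_7b.src_port, b"200 OK")
    delivered_reply = nat.inbound(reply)

    # NMS 3 tries to reach computer 16A without any prior outbound mapping.
    probe = Packet(NMS_3, 161, NAT_PUBLIC_IP, 161, b"GET sysDescr")
    delivered_probe = nat.inbound(probe)

    # After a NAT reset the old port no longer maps to anything.
    nat.reset()
    stale_reply = nat.inbound(reply)

    return {
        "public_src": (pkt_7b.src_ip, pkt_7b.src_port),
        "reply_dst": (delivered_reply.dst_ip, delivered_reply.dst_port) if delivered_reply else None,
        "probe_delivered": delivered_probe is not None,
        "stale_reply_delivered": stale_reply is not None,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The model keeps the two lookup tables a port-mapping NAT needs; the management probe is dropped not because of any filtering rule but because the inbound table has no entry for its destination port, which is exactly the gap the text identifies, and the reset shows why a mapping learned earlier cannot be relied on.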
Because of the foregoing limitations, network management servers are unable to manage devices operating in private networks behind NATs. The disclosure that follows solves this and other problems associated with the prior art.