RFC 7362 Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication in Webex Calling

While reading RFC 7362 for Hosted NAT Traversal or commonly known “Media Latching” and looking how this concept works in Webex Calling solution, there is a difference. While traditionally when you have SBC or cube in you local network doing NAT, Media Latching lets the CUBE to modify the IP address inside the SDP body. But with Webex Calling could based solution the private IP address is not modified inside the SDP of the received SIP messages.

The question that arises, if your local gateway is not doing SIP ALG for Hosted NAT Traversal. How the Webex Calling SBC in Webex Cloud detects that there is NAT device and how it extracts the public IP of the IP Phone in order to stream media back since the private IP inside the received SIP messages’ s endpoint is not modified.

The answer is well documented in ” Cisco Preferred Architecture For Webex Calling”.

The Webex Calling SBC can detect NAT by checking the layer 3 transport addresses of received SIP signaling messages against the addresses contained within the SIP messages. Differing addresses point to the presence of NAT between the Webex Calling access and the endpoint or Local Gateway.

When an IP Phone sends a SIP signaling to negociate the IP/PORT, for example to be used for MEDIA, in most cases the IP address (in this example is private and the Webex Calling cannot use this address to stream media to IP PHONE because it is not routable over INTERNET. WEBEX CALLING SBC does not use STUN/TURN to determine the public IP address and port of the correcponding private IP address and port offered by the IP Phone.

To determine the public transport address to be used for return media, the Webex Calling SBC waits for the reception of the first media packet on negotiated IP/PORT, in this example in the previous SDP exchange, the first media packet send by the IP Phone has a source IP/PORT = and gets translated by the NAT device (local gateway) to a Public IP/Port =, and then Webex Calling SBC uses the source IP/PORT = = ( of the received media packet as the destination for media traffic sent back to the phone or Local Gateway).

The mechanism to get the Public IP/PORT for return media from the first received media packets instead of using STUN/TURN to modify the IP/PORT inside the SDP is called “Media Latching”.

Media Latching requires that the endpoints inside the corporate firewall always intiates media packets to the Webex Calling SBC before any media packets can be returned back to the endpoints.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s