CHAPTER 12
SUPPORTING NETWORK ADDRESS TRANSLATION (NAT)
Lesson 1:
Introducing NAT
Network address translation (NAT) is a protocol that allows a network with private addresses to
access information on the Internet through an Internet Protocol (IP) translation process.
NAT enables private IP addresses to be translated into public IP addresses for traffic to and from
the Internet. This keeps traffic from passing directly to the internal network, while saving the small
office or home office user the time and expense of getting and maintaining a public address range.
Network Address Translation
Microsoft Windows 2000 Network Address Translation (NAT) allows computers on a small
network, such as a home user or a small office, to share a single Internet connection with only a
single public IP address. For instance, this is what I want to do at home when I add the other two
computers to the office.
The computer on which NAT is installed can act as a network address translator, a simplified
DHCP server, a Domain Name System (DNS) proxy, and a Windows Internet Name Service
(WINS) proxy.
NAT allows host computers to share one or more publicly registered IP addresses, helping to
conserve public address space.
Understanding Network Address Translation:
Translation component. The Windows 2000 router on which NAT is enabled, hereafter called
the NAT computer, acts as a network address translator, translating the IP addresses and TCP/UDP
port numbers of packets that are forwarded between the private network and the Internet.
Addressing component. The NAT computer provides IP address configuration information to the
other computers on the home network. The addressing component is a simplified DHCP server
that allocates an IP address, a subnet mask, a default gateway and the IP address of a DNS server.
=====================================================================
wininf12.html PAGE 2 2002/04/06
Name resolution component. The NAT computer becomes the DNS server for the other computers
on the home network. It resolves names on behalf of the clients by forwarding their queries to the ISP's DNS server.
Routed and Translated
Internet Connections
There are two types of connections to the Internet: routed and translated.
Routed method: you will need a range of IP addresses from your ISP to use on the internal portion of your
network, and they will also give you the IP address of the DNS server you need to use.
Translated method: The translated method of NAT gives you a more secure network because the
addresses of your private network are completely hidden from the Internet. However, be aware
that the NAT computer does not have the ability to translate all payloads. This is because some
applications carry IP addresses in fields other than the standard IP and TCP/UDP header fields.
The following protocols do not work with NAT:
If you have any non-DHCP computers on the network, then statically configure their IP address
configuration.
Public Addresses
Public addresses are assigned by InterNIC and consist of class-based network IDs or blocks of
Classless Inter-Domain Routing (CIDR)-based addresses, called CIDR blocks, that are guaranteed
to be globally unique on the Internet.
Private Addresses
Each IP node requires an IP address that is globally unique to the IP internetwork.
The result was that most organizations only required a small amount of public addresses for those
nodes (such as proxies, routers, firewalls, and translators) that were directly connected to the Internet.
Reserved Addresses:
10.0.0.0 - 10.255.255.255. Class A, used within a private organization.
172.16.0.0 - 172.31.255.255. Class B, used within a private organization.
192.168.0.0 - 192.168.255.255. Class C, used within a private organization.
Private addresses are not reachable on the Internet.
How NAT works
A network address translator is an IP router, defined in RFC 1631, that can translate the IP addresses
and TCP/UDP port numbers of packets as they are being forwarded.
Static and Dynamic Address Mapping
NAT uses either static or dynamic mappings. For instance, to set up a Web server on a computer
on your private network, you create a static mapping that maps [Public IP address, TCP port 80]
to [Private IP address, TCP port 80].
Proper Translation of Header Fields
By default, a NAT translates IP addresses and TCP/UDP ports.
· Source IP address
· TCP, UDP, and IP checksum
· Source port
If the IP address and port information is only in the IP and TCP/UDP headers, as with HTTP or
WWW traffic, the application protocol can be translated transparently.
NAT editors
In the case where the NAT component must additionally translate and adjust the payload beyond
the IP, TCP, and UDP headers, a NAT editor is required.
Also:
H.323
DirectPlay
LDAP
Remote Procedure Call (RPC)
NOTE: IPSec traffic is not translatable
A NAT example
If multiple private addresses are mapped to a single public address, NAT uses dynamically chosen
TCP and UDP ports to distinguish one intranet location from another.
**** See the diagram on page 309 ****
NAT processes in Windows 2000 Routing and Remote Access
For Windows 2000 Routing and Remote Access, the NAT component can be enabled by adding
NAT as a routing protocol in the Routing and Remote Access snap-in.
The editors modify the payload in two important ways:
numbers from the TCP/IP protocol stack when needed.
passed to the NAT component for translation.
Outbound Internet Traffic
For traffic from the private network that is outbound on the Internet interface, NAT first assesses
whether or not an address/port mapping, whether static or dynamic, already exists for the packet.
If a single public IP address is available, the NAT requests a new unique TCP or UDP port for
the public IP address and uses that as the mapped port.
If multiple public IP addresses are available, the NAT performs private-IP-address-to-public-IP
address mapping.
Inbound Internet Traffic
For traffic to the private network that is inbound on the Internet interface, the NAT first assesses
whether an address/port mapping, whether static or dynamic, exists for the packet. If a mapping
does not exist for the packet, it is silently discarded by the NAT.
The only way that Internet traffic is forwarded to the private network is either in response to
traffic initiated by a private network user that created a dynamic mapping, or because a static
mapping exists so the Internet users can access specific resources on the private network.
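The outbound and inbound processing just described, together with the static mapping for a Web server from "Static and Dynamic Address Mapping" above, as a small Python model. This is an added example, not code from these notes or from Windows 2000; the class names (NatTable, Packet), the port allocation scheme and the addresses 203.0.113.5, 198.51.100.7 and 192.168.0.x are constructed for illustration.

```python
"""Toy model of a single-public-address NAT translation table: dynamic
mappings created by outbound traffic, static mappings for published
servers, and silent discard of unsolicited inbound packets.
Added example, not from the original notes. Class and field names and the
sample addresses are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT rewrites; the payload is ignored here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"   # "tcp" or "udp"


class NatTable:
    """Translation table of a NAT computer with one public IP address."""

    def __init__(self, public_ip, first_dynamic_port=1024):
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        # outbound key (private_ip, private_port, proto) -> public port
        self.private_to_public = {}
        # inbound key (public_port, proto) -> (private_ip, private_port)
        self.public_to_private = {}
        self.discarded = 0   # inbound packets dropped for lack of a mapping

    def add_static_mapping(self, public_port, private_ip, private_port, proto="tcp"):
        """[public IP, port] -> [private IP, port], e.g. a Web server on port 80."""
        key = (public_port, proto)
        if key in self.public_to_private:
            raise ValueError(f"public {proto} port {public_port} is already mapped")
        self.public_to_private[key] = (private_ip, private_port)
        self.private_to_public[(private_ip, private_port, proto)] = public_port

    def _allocate_port(self, proto):
        """Pick a public port not already used by any mapping for this protocol."""
        while (self.next_port, proto) in self.public_to_private:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("dynamic port range exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt):
        """Private -> Internet: reuse an existing mapping or create a dynamic one."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        public_port = self.private_to_public.get(key)
        if public_port is None:
            public_port = self._allocate_port(pkt.proto)
            self.private_to_public[key] = public_port
            self.public_to_private[(public_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        # Source IP and source port are rewritten; a real NAT also recomputes
        # the IP, TCP and UDP checksums, which this model does not carry.
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def translate_inbound(self, pkt):
        """Internet -> private: forward only if a mapping exists, else discard."""
        if pkt.dst_ip != self.public_ip:
            self.discarded += 1
            return None
        target = self.public_to_private.get((pkt.dst_port, pkt.proto))
        if target is None:
            self.discarded += 1          # silently discarded, as the notes say
            return None
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = NatTable("203.0.113.5")                      # constructed public address
    nat.add_static_mapping(80, "192.168.0.10", 80)     # published Web server
    out = nat.translate_outbound(Packet("192.168.0.2", 3000, "198.51.100.7", 80))
    print("outbound:", out)
    print("reply:", nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port)))
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", 4444)))
    print("to web server:", nat.translate_inbound(Packet("198.51.100.7", 5555, "203.0.113.5", 80)))
```

Running the script prints the translated packets. The point to take from it is the inbound rule: with a single public address, a packet from the Internet reaches a private host only through a mapping that an earlier outbound packet created or that an administrator configured statically; everything else is dropped and counted in `discarded`.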
Additional NAT Routing Protocol Components
DHCP Allocator. A simplified version of a DHCP server that allocates an IP
address, a subnet mask, a default gateway and the IP address of a DNS server, using the
normal DORA exchange (Discover, Offer, Request, and Acknowledgement). The DHCP allocator
does not support multiple scopes, superscopes, or multicast scopes.
DNS Proxy. The DNS proxy component acts as a DNS server to the computers on the
network.
Lesson Summary:
from the Internet.
Lesson 2:
Installing Internet Connection Sharing
Internet Connection Sharing (ICS) is a feature of Network and Dial-up Connections.
Good for home users. You can hook up several computers, under 10, and network them.
Then, if you enable ICS on the server, they can all share the same Internet connection.
Because ICS provides a translated connection, all of the computers on the network can access
Internet resources such as e-mail, Web sites, and FTP sites. ICS provides the following:
Each of the components provides a simplified configuration over a full version of DHCP, DNS,
and WINS servers.
Enabling Internet Connection Sharing
Before you enable ICS, consider the following:
You should not use the ICS feature in a network with other Windows 2000 Server domain
controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP
When you enable ICS, the network adapter connected to the home or small office network is
given a new IP address configuration. Existing TCP/IP connections on the ICS computer are
lost and need to be reestablished.
To use the ICS feature, users on your home office or small office network must configure TCP/IP
on their local area connection to obtain an IP address automatically.
How to enable ICS
Start/Settings/Network and Dial-up Connections/VPN/Properties/Sharing (100Mbps), then
check the Enable Internet Connection Sharing for This Connection check box.
Internet Connection Sharing and NAT
To connect a small office or home office network to the Internet, you can use either a routed or
translated connection. For a routed connection, the computer running Windows 2000 Server
acts as an IP router that forwards packets between the internal network and the public Internet.
For a translated connection, the computer running Windows 2000 Server acts as a network address
translator. Translated connections that use computers running Windows 2000 Server require
less knowledge of IP addressing and routing, and provide a simplified configuration for hosts
and the Windows 2000 router.
ICS and NAT are features of Windows 2000 Server that are designed to connect networks to the
Internet. ICS and NAT are not designed to:
Troubleshooting Connection Sharing (NAT)
Answer the following questions:
Are all of your interfaces (public and private) added to the Connection Sharing (NAT) routing
protocol? You must add both public (Internet) and private (small office or home office)
interfaces to the Connection Sharing (NAT) routing protocol.
Is translation enabled on the Internet (external) interface? You need to verify that the interface
on the Windows router that connects to the Internet is configured for translation.
Is Connection Sharing enabled on the private (internal) interface? You need to verify that the check
box is checked.
Is TCP/UDP port translation enabled? If you only have a single public IP address, you need
to verify that the Translate TCP/UDP Headers check box in the General tab of the Properties
of the External Interface dialog box is selected.
Is your range of public addresses set correctly? Verify the address pool of IP addresses is
correct.
Is the protocol being used by a program translatable? If you have some programs
that do not seem to work through the NAT, you can try running them from the NAT computer.
Is the Connection Sharing addressing enabled on the home office network? If static addresses
are not configured on the private network, verify that Connection Sharing addressing is enabled
on the interfaces corresponding to the private network.
Lesson Summary:
ICS is a feature of Network and Dial-up Connections that allows you to use Windows 2000 to
connect your home network or small office network to the Internet.
Lesson 3:
Installing and Configuring NAT
The main intent of NAT is to save on the diminishing IP address space. A secondary benefit of
NAT is providing network connectivity without the need to understand IP routing or IP routing
protocols.
Network Address Translation Design Considerations
A common use for NAT is Internet connectivity from a home or small network. To prevent
problems, there are certain design issues you should consider before you implement NAT.
IP Addressing Issues
You should use the following IP addresses from the InterNIC private IP network IDs:
10.0.0.0 with a subnet mask of 255.0.0.0
172.16.0.0 with a subnet mask of 255.240.0.0
192.168.0.0 with a subnet mask of 255.255.0.0
By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of
255.255.255.0 for the private network.
If you are using public IP networks that have not been allocated by the InterNIC or your ISP,
then you may be using the IP network ID of another organization on the Internet. This is
known as illegal or overlapping IP addressing.
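A check for the addressing rules above: whether an address lies inside one of the three private network IDs, whether a proposed internal prefix is entirely private, straddles a block boundary, or is unallocated public space (the "illegal or overlapping" case), and which addresses a simplified DHCP allocator may hand out once the NAT computer itself and any statically addressed hosts are excluded. This is an added example in Python, not code from these notes or from Windows 2000; the function names and the sample prefixes are constructed.

```python
"""Address-plan checks for the private network IDs listed in the notes.
Added example, not from the original notes; function names and sample
values are constructed for illustration."""
import ipaddress

# The three private network IDs from the notes (RFC 1918), as prefixes.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),       # mask 255.0.0.0
    ipaddress.ip_network("172.16.0.0/12"),    # mask 255.240.0.0
    ipaddress.ip_network("192.168.0.0/16"),   # mask 255.255.0.0
)
# NAT's default private network: 192.168.0.0 with mask 255.255.255.0.
NAT_DEFAULT_NETWORK = ipaddress.ip_network("192.168.0.0/24")


def is_private_address(address):
    """True if the address falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classify_internal_network(cidr):
    """Judge an internal network prefix before enabling NAT on it.

    'private'     - entirely inside one private block (what the notes require)
    'straddles'   - crosses a private block boundary (a wrong subnet mask)
    'overlapping' - public space not allocated to you; it may be another
                    organization's network ID on the Internet
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for block in PRIVATE_BLOCKS:
        if net.subnet_of(block):
            return "private"
        if net.overlaps(block):
            return "straddles"
    return "overlapping"


def allocator_pool(cidr, router, excluded):
    """Addresses the simplified DHCP allocator may hand out: every host
    address in the network except the NAT computer (router) and the
    statically configured hosts, such as a server that has a static mapping."""
    net = ipaddress.ip_network(cidr, strict=False)
    reserved = {ipaddress.ip_address(router)}
    reserved |= {ipaddress.ip_address(a) for a in excluded}
    for addr in reserved:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    return [str(h) for h in net.hosts() if h not in reserved]


if __name__ == "__main__":
    for cidr in ("192.168.0.0/24", "10.5.0.0/16", "172.16.0.0/8", "198.51.100.0/24"):
        print(cidr, "->", classify_internal_network(cidr))
    # NAT computer at .1 (as configured in Lesson 3), Web server statically at .10
    pool = allocator_pool(str(NAT_DEFAULT_NETWORK), "192.168.0.1", ["192.168.0.10"])
    print(len(pool), "addresses available to the DHCP allocator, first:", pool[0])
```

The third sample prefix, 172.16.0.0 with an /8 mask, is the easy mistake the notes warn about in a different guise: the network ID looks private, but the mask makes the prefix 172.0.0.0/8, most of which is public space.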
To configure the NAT server
Install and enable Routing and Remote Access.
Configure the IP address of the home network interface.
For the IP address of the LAN adapter that connects to the home network, you need to
configure the following:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
No default gateway.
To add NAT as a routing protocol:
Start/Programs/Administrative Tools/Routing and Remote Access/General/Routing and
Remote Access/serverName/IP routing.
To enable:
Go into the Properties of the NAT and select the Automatically Assign IP Addresses By Using
DHCP check box. See the book, page 322.
Single or Multiple Public Addresses
If you are using a single public IP address allocated by your ISP, no other IP address
configuration is necessary. If you are using multiple IP addresses allocated by your ISP,
then you must configure the NAT interface with your range of public IP addresses.
Allowing Inbound Connections
Normal NAT usage from a home or small business allows outbound connections from the
private network to the public network. To allow Internet users to access resources on
your private network, you must do the following:
Exclude the IP address being used by the resource computer from the range of IP
addresses being allocated by the NAT computer.
number to a private address and port number.
Virtual Private Networks and NATs
Not all traffic can be translated by the NAT. Some applications may have embedded IP
addresses (not in the IP header) or may be encrypted. For these applications one can
tunnel through the NAT using PPTP.
NOTE: L2TP does not require a NAT editor. However, L2TP with IPSec cannot be
translated by the NAT. There cannot be a NAT editor for IPSec.
This method of NAT bypass is only useful if there is a PPTP server to tunnel to. This
will be good for branch offices or home users tunneling to a corporate network.
Lesson Summary:
addresses at random because they are potentially duplicate addresses not valid on the Internet.
the private network to the public network.
applications may have embedded IP addresses or may be encrypted. For these
applications you can tunnel through the NAT using PPTP.