Saturday, December 8, 2007

Supporting Network Address Translation (NAT)

Introducing NAT

NAT enables private IP addresses to be translated into public IP addresses for traffic to and from the Internet. This keeps traffic from passing directly to the internal network, while saving the small office or home office user the time and expense of getting and maintaining a public address range. This lesson provides an overview of NAT.

Network Address Translation

Microsoft Windows 2000 Network Address Translation (NAT) allows computers on a small network, such as a small office or home office, to share a single Internet connection with only a single public IP address. The computer on which NAT is installed can act as a network address translator, a simplified DHCP server, a Domain Name System (DNS) proxy, and a Windows Internet Name Service (WINS) proxy. NAT allows host computers to share one or more publicly registered IP addresses, helping to conserve public address space.

Understanding Network Address Translation

With NAT in Windows 2000, you can configure your home network or small office network to share a single connection to the Internet. NAT consists of the following components:

  • Translation component. The Windows 2000 router on which NAT is enabled, hereafter called the NAT computer, acts as a network address translator, translating the IP addresses and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers of packets that are forwarded between the private network and the Internet.
  • Addressing component. The NAT computer provides IP address configuration information to the other computers on the home network. The addressing component is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the home network as DHCP clients to receive the IP configuration automatically. The default TCP/IP configuration for computers running Windows 2000, Windows NT, Windows 95, and Windows 98 is as a DHCP client.
  • Name resolution component. The NAT computer becomes the DNS server for the other computers on the home network. When name resolution requests are received by the NAT computer, it forwards the name resolution requests to the Internet-based DNS server for which it is configured, and returns the responses to the home network computer.

How NAT Works

A network address translator is an IP router defined in RFC 1631 that can translate IP addresses and TCP/UDP port numbers of packets as they are being forwarded. Consider a small business network with multiple computers connecting to the Internet. A small business would normally have to obtain an ISP-allocated public IP address for each computer on its network. With NAT, however, the small business can use private addressing (as described in RFC 1597) and have the NAT map its private addresses to a single or to multiple public IP addresses as allocated by its ISP. For example, if a small business is using the 10.0.0.0 private network for its intranet and has been granted the public IP address of 198.200.200.1 by its ISP, the NAT maps (using static or dynamic mappings) all private IP addresses being used on network 10.0.0.0 to the public IP address of 198.200.200.1.
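The translation component described above, as an added Python simulation that is not part of the original lesson: a 10.0.0.0/8 intranet shares the single public address 198.200.200.1, outbound connections get dynamic (private address, port) to public port mappings, static mappings can be added for published services, and inbound packets that match no mapping are dropped, which is the reason hosts behind a NAT are not directly reachable from the Internet. The remote address 203.0.113.5 is a constructed sample value.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)
Packet = Tuple[Endpoint, Endpoint]  # (source, destination)


class Translator:
    """Port-based NAT: many private endpoints behind one public IP address."""

    def __init__(self, private_net: str, public_ip: str, first_port: int = 1024):
        self.private_net = ip_network(private_net)
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Endpoint, int] = {}  # private endpoint -> public port
        self.in_map: Dict[int, Endpoint] = {}   # public port -> private endpoint

    def add_static(self, public_port: int, private_ep: Endpoint) -> None:
        """Static mapping, e.g. to publish an internal server on a fixed port."""
        self.in_map[public_port] = private_ep
        self.out_map[private_ep] = public_port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Translate a packet leaving the private network; None if src is not ours."""
        if ip_address(src[0]) not in self.private_net:
            return None
        port = self.out_map.get(src)
        if port is None:  # dynamic mapping: allocate the next free public port
            while self.next_port in self.in_map:
                self.next_port += 1
            port = self.next_port
            self.out_map[src] = port
            self.in_map[port] = src
        return ((self.public_ip, port), dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means drop it."""
        if dst[0] != self.public_ip or dst[1] not in self.in_map:
            return None  # unsolicited traffic: no private host is exposed
        return (src, self.in_map[dst[1]])


if __name__ == "__main__":
    nat = Translator("10.0.0.0/8", "198.200.200.1")
    print(nat.inbound(("203.0.113.5", 80), ("198.200.200.1", 1024)))  # dropped
    print(nat.outbound(("10.0.0.7", 40000), ("203.0.113.5", 80)))
    print(nat.inbound(("203.0.113.5", 80), ("198.200.200.1", 1024)))  # reply mapped back
```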

NAT Editors

In the case where the NAT component must additionally translate and adjust the payload beyond the IP, TCP, and UDP headers, a NAT editor is required. A NAT editor is an installable component that can properly modify otherwise nontranslatable payloads so that they can be forwarded across a NAT. Windows 2000 includes built-in NAT editors for the following protocols:

  • FTP
  • Internet Control Message Protocol (ICMP)
  • Point-to-Point Tunneling Protocol (PPTP)
  • NetBIOS over TCP/IP

Additionally, the NAT routing protocol includes proxy software for the following protocols:

  • H.323
  • Direct Play
  • Lightweight Directory Access Protocol (LDAP)-based Internet Locator Service (ILS) registration
  • Remote procedure call

Installing and Configuring NAT

The main intent of NAT is to save on the diminishing IP address space. A secondary benefit of NAT is providing network connectivity without the need to understand IP routing or IP routing protocols. The NAT can be used without the knowledge or cooperation of an ISP. Contacting the ISP for the addition of static routes is not required. In this lesson, you will learn how to install and configure NAT.

Network Address Translation Design Considerations

A common use for NAT is Internet connectivity from a home or small network. To prevent problems, there are certain design issues you should consider before you implement NAT. For example, when using a NAT, private addresses are normally used on the internal network. As described in Lesson 1, private addresses are intended for internal networks, meaning those not directly connected to the Internet. It is recommended that you use these addresses instead of picking addresses at random to avoid potentially duplicating IP address assignment. Additionally, you should consider routing instead of a NAT because routing is fast and efficient, and IP was designed to be routed. However, routing requires valid IP addresses and considerable knowledge to be implemented.

IP Addressing Issues

You should use the following IP addresses from the InterNIC private IP network IDs: 10.0.0.0 with a subnet mask of 255.0.0.0, 172.16.0.0 with a subnet mask of 255.240.0.0, and 192.168.0.0 with a subnet mask of 255.255.0.0. By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of 255.255.255.0 for the private network.

If you are using public IP networks that have not been allocated by the InterNIC or your ISP, then you may be using the IP network ID of another organization on the Internet. This is known as illegal or overlapping IP addressing. If you are using overlapping public addresses, then you cannot reach the Internet resources of the overlapping addresses. For example, if you use 1.0.0.0 with the subnet mask of 255.0.0.0, then you cannot reach any Internet resources of the organization that is using the 1.0.0.0 network. You can also exclude specific IP addresses from the configured range. Excluded addresses are not allocated to private network hosts.
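The addressing checks from this section, as an added Python example that is not part of the original lesson: a planned private network ID is tested against the three private blocks listed above (so that public space overlapping another organization's network, such as 1.0.0.0/8, is flagged), and the pool the addressing component may hand out is computed with the NAT computer's own interface address and any excluded addresses removed. The function names and the sample exclusions are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# The private network IDs given in the lesson (RFC 1597 blocks).
PRIVATE_BLOCKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def check_private_range(network: str) -> List[str]:
    """Return the problems found with a planned network ID (empty list = OK)."""
    net = ip_network(network, strict=False)
    problems = []
    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        # Overlapping (illegal) addressing: the real owner of this block
        # becomes unreachable from the private network.
        problems.append(f"{net} is not inside a private block; Internet hosts in "
                        f"{net} would be unreachable from behind the NAT")
    return problems


def allocatable(network: str, nat_interface: str, excluded: Iterable[str]) -> List[str]:
    """Addresses the simplified DHCP server may allocate to private hosts."""
    net = ip_network(network, strict=False)
    nat_ip = ip_address(nat_interface)
    if nat_ip not in net:
        raise ValueError(f"NAT interface {nat_ip} is not in {net}")
    reserved = {nat_ip} | {ip_address(x) for x in excluded}
    return [str(h) for h in net.hosts() if h not in reserved]


if __name__ == "__main__":
    print(check_private_range("1.0.0.0/8"))       # flagged as overlapping
    print(check_private_range("192.168.0.0/24"))  # [] - the NAT default
    # Constructed sample: default NAT range, interface .1, two excluded addresses.
    pool = allocatable("192.168.0.0/24", "192.168.0.1", ["192.168.0.10", "192.168.0.11"])
    print(len(pool), pool[0], pool[-1])
```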

  • To configure the NAT server

    1. Install and enable Routing and Remote Access.

      In the Routing and Remote Access Server Setup Wizard, choose the options for ICS and to set up a router with the NAT routing protocol. After the wizard is finished, all of the configuration for NAT is complete. You do not need to complete steps 2 through 8. If you have already enabled Routing and Remote Access, then complete steps 2 through 8, as needed.

    2. Configure the IP address of the home network interface.

      For the IP address of the LAN adapter that connects to the home network, you need to configure the following:

      • IP address: 192.168.0.1
      • Subnet mask: 255.255.255.0
      • No default gateway

    3. Enable routing on your dial-up port.

      If your connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, frame relay, permanent ISDN, xDSL, or cable modem), or if you are connecting your computer running Windows 2000 to another router before the connection to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip to step 6.

    4. Create a demand-dial interface to connect to your ISP.

      You must create a demand-dial interface that is enabled for IP routing and uses your dial-up equipment and the credentials that you use to dial your ISP.

    5. Create a default static route that uses the Internet interface.

      For a default static route, you need to select the demand-dial interface (for dial-up connections) or LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.

    6. Add the NAT routing protocol.

      Instructions for adding the NAT routing protocol are described in the next procedure.

    7. Add your Internet and home network interfaces to the NAT routing protocol.

    8. Enable NAT addressing and name resolution.

  • To add NAT as a routing protocol

    1. Click Start, point to Programs, point to Administrative Tools, then click Routing and Remote Access.

    2. In the console tree, click General under Routing And Remote Access\Server Name\IP Routing.

    3. Right-click General, then click New Routing Protocol.

    4. In the Select Routing Protocol dialog box, click Network Address Translation, then click OK.

  • To enable NAT addressing

    1. Click Start, point to Programs, point to Administrative Tools, then click Routing And Remote Access.

    2. In the console tree, click NAT.

    3. Right-click NAT, then click Properties.

    4. In the Address Assignment tab, select the Automatically Assign IP Addresses By Using DHCP check box.

    5. If applicable, in IP Address And Mask, configure the range of IP addresses to allocate to DHCP clients on the private network.

    6. If applicable, click Exclude, configure the addresses to exclude from allocation to DHCP clients on the private network, then click OK.