NAT enables private IP addresses to be translated into public IP addresses for access to and from the Internet. This keeps traffic from passing directly to the internal network while saving the small office or home office user the time and expense of getting and maintaining a public address range. This lesson provides an overview of NAT.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
NAT allows computers on a small network, such as a small office or home office, to share a single Internet connection with only a single public IP address. The computer on which NAT is installed can act as a network address translator, a simplified Dynamic Host Configuration Protocol (DHCP) server, a Domain Name System (DNS) proxy, and a Windows Internet Name Service (WINS) proxy. NAT allows host computers to share one or more publicly registered IP addresses, helping to conserve public address space.
With NAT in Windows 2000, you can configure your home network or small office network to share a single connection to the Internet. NAT consists of the following components:
There are two types of connections to the Internet: routed and translated. When planning for a routed connection, you need a range of IP addresses from your Internet service provider (ISP) to use on the internal portion of your network. Your ISP should also give you the IP address of the DNS server you need to use. You can either statically configure the IP address configuration of each computer or use a DHCP server.
The Windows 2000 router needs to be configured with a network adapter for the internal network (10 or 100 BaseT Ethernet, for example). It also needs to be configured with an Internet connection such as an analog or Integrated Services Digital Network (ISDN) modem, an xDSL modem, a cable modem, or a fractional T1 line.
The translated method, or NAT, gives you a more secure network because the addresses of your private network are completely hidden from the Internet. The connection-shared computer, which uses NAT, does all of the translation of Internet addresses to your private network, and vice versa. However, be aware that the NAT computer cannot translate all payloads. This is because some applications use IP addresses in fields other than the standard TCP/IP header fields.
The following protocols do not work with NAT:
The DHCP allocator functionality in NAT enables all DHCP clients in the network to automatically obtain an IP address, a subnet mask, a default gateway, and a DNS server address from the NAT computer. If you have any non-DHCP computers on the network, statically configure their IP address configuration.
To keep resource costs to a minimum on a small network, only one server running Windows 2000 is needed. Depending on whether you are running a translated or routed connection, this single server can suffice for NAT, Automatic Private IP Addressing (APIPA), Routing and Remote Access, and DHCP.
If your intranet is not connected to the Internet, any IP addressing can be deployed. If direct (routed) or indirect (proxy or translator) connectivity to the Internet is desired, there are two types of addresses you can use: public addresses and private addresses.
Public addresses are assigned by the Internet Network Information Center (InterNIC) and consist of class-based network IDs or blocks of Classless Inter-Domain Routing (CIDR)-based addresses (called CIDR blocks) that are guaranteed to be globally unique to the Internet. When the public addresses are assigned, routes are programmed into the routers of the Internet so that traffic to the assigned public addresses can reach its location. Traffic to destination public addresses is reachable on the Internet.
Each IP node requires an IP address that is globally unique to the IP internetwork. In the case of the Internet, each IP node on a network connected to the Internet requires an IP address that is globally unique to the Internet. As the Internet has grown, organizations connecting to the Internet have required a public address for each node on their intranets. This requirement has placed a huge demand on the pool of available public addresses.
When analyzing the addressing needs of organizations, the designers of the Internet noted that for many organizations, most of the hosts on the organization's intranet did not require direct connectivity to Internet hosts. Those hosts that did require a specific set of Internet services, such as World Wide Web access and e-mail, typically accessed the Internet services through application-layer gateways such as proxy servers and e-mail servers. The result was that most organizations only required a small number of public addresses for those nodes (such as proxies, routers, firewalls, and translators) that were directly connected to the Internet.
For the hosts within the organization that do not require direct access to the Internet, IP addresses that do not duplicate already assigned public addresses are required. To solve this addressing problem, the Internet designers reserved a portion of the IP address space and named this space the private address space. Private IP addresses are never assigned as public addresses. Because the public and private address spaces do not overlap, private addresses never duplicate public addresses. The following private IP address ranges are specified by Internet Request for Comments (RFC) 1918:
Private addresses are not reachable on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application-layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a network address translator before it is sent on the Internet.
A network address translator is an IP router defined in RFC 1631 that can translate IP addresses and TCP/UDP port numbers of packets as they are being forwarded. Consider a small business network with multiple computers connecting to the Internet. A small business would normally have to obtain an ISP-allocated public IP address for each computer on its network. With NAT, however, the small business can use private addressing (as described in RFC 1597) and have the NAT map its private addresses to a single or to multiple public IP addresses as allocated by its ISP. For example, if a small business is using the 10.0.0.0 private network for its intranet and has been granted the public IP address of w1.x1.y1.z1 by its ISP, the NAT maps (using static or dynamic mappings) all private IP addresses being used on network 10.0.0.0 to the public IP address of w1.x1.y1.z1.
NAT can use either static or dynamic mapping. A static mapping is configured so that traffic is always mapped a specific way. You could map all traffic to and from a specific private network location to a specific Internet location. For instance, to set up a Web server on a computer on your private network, you create a static mapping that maps [Public IP Address, TCP Port 80] to [Private IP Address, TCP Port 80].
Dynamic mappings are created when users on the private network initiate traffic with Internet locations. The NAT service automatically adds these mappings to its mapping table and refreshes them with each use. Dynamic mappings that are not refreshed are removed from the NAT mapping table after a configurable amount of time. For TCP connections, the default time-out is 24 hours. For UDP traffic, the default time-out is 1 minute.
By default, NAT translates IP addresses and TCP/UDP ports. These modifications to the IP datagram require the modification and recalculation of the following fields in the IP, TCP, and UDP headers:
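The following is an added example, not code from the lesson. It builds a constructed IPv4/UDP datagram, rewrites the source address and source port the way an outbound NAT does, and then recomputes the IPv4 header checksum and the UDP checksum; the addresses and ports used are invented for the demonstration. It shows why the transport checksum must be recalculated along with the IP one: the UDP and TCP checksums cover a pseudo-header that contains both IP addresses.

```python
import struct

# Added example, not code from the lesson: rewrite the source address and
# source port of a constructed IPv4/UDP datagram as an outbound NAT does, then
# recompute the IPv4 header checksum and the UDP checksum. The UDP and TCP
# checksums cover a pseudo-header holding both IP addresses, so a NAT that
# rewrites an address must recompute the transport checksum as well.

def ones_complement_sum(data):
    """Internet checksum: 16-bit ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum(header):
    return ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])

def udp_checksum(src, dst, udp):
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    cs = ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return cs or 0xFFFF            # UDP sends a computed zero as 0xFFFF

def build(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample datagram with valid checksums (addresses are invented)."""
    src, dst = (bytes(int(o) for o in a.split(".")) for a in (src_ip, dst_ip))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + udp

def translate_outbound(packet, public_ip, public_port):
    """The four fields an outbound NAT touches: src IP, IP checksum, src port, UDP checksum."""
    ip, udp = packet[:20], packet[20:]
    src = bytes(int(o) for o in public_ip.split("."))
    ip = ip[:12] + src + ip[16:]
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    udp = struct.pack("!H", public_port) + udp[2:]
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, ip[16:20], udp)) + udp[8:]
    return ip + udp

def checksums_ok(packet):
    """Verify both checksums; a receiver would discard the packet otherwise."""
    ip, udp = packet[:20], packet[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + udp) == 0
```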
If the IP address and port information is only in the IP and TCP/UDP headers—for example, with Hypertext Transfer Protocol (HTTP) or World Wide Web traffic—the application protocol can be translated transparently. There are applications and protocols, however, that carry IP or port addressing information within their headers. File Transfer Protocol (FTP), for example, stores the dotted-decimal representation of IP addresses in the FTP header for the FTP port command. If the NAT does not properly translate the IP address, connectivity problems can occur. Additionally, in the case of FTP, because the IP address is stored in dotted-decimal format, the translated IP address in the FTP header can be a different size. Therefore, the NAT must also modify TCP sequence numbers to ensure that no data is lost.
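As an added example (not code from the lesson or from Windows 2000), the editor below shows the FTP PORT case described above: it rewrites the private dotted-decimal address inside the PORT command to the public address, and because the text can change length it keeps a running byte delta that is applied to later outbound TCP sequence numbers and to inbound acknowledgement numbers. The private address, public address, and the public port reserved for the data connection are assumed inputs; creating the data-connection mapping itself is assumed to happen elsewhere in the NAT.

```python
import re

# Added example, not code from the lesson: a minimal NAT editor for the FTP
# PORT command. The segment is assumed to carry exactly one PORT command.
# The mapping for the data connection on public_port is assumed to be
# created elsewhere; this class only edits the payload and fixes up
# sequence/acknowledgement numbers so the stream stays consistent.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

class FtpPortEditor:
    def __init__(self, private_ip, public_ip, public_port):
        self.private_ip = private_ip
        self.public_ip = public_ip        # assumed ISP-allocated address
        self.public_port = public_port    # port the NAT reserved for the data connection
        self.delta = 0                    # bytes added to the client->server stream so far

    def edit_outbound(self, seq, payload):
        """Client->server segment: return (translated seq, translated payload)."""
        new_seq = seq + self.delta        # shift by edits made to earlier segments
        m = PORT_RE.fullmatch(payload)
        if m:
            ip = ".".join(g.decode() for g in m.groups()[:4])
            if ip == self.private_ip:
                p1, p2 = divmod(self.public_port, 256)
                octets = self.public_ip.replace(".", ",")
                new_payload = f"PORT {octets},{p1},{p2}\r\n".encode()
                self.delta += len(new_payload) - len(payload)
                payload = new_payload
        return new_seq, payload

    def edit_inbound_ack(self, ack):
        """Server->client segment: the server acknowledges the edited byte count."""
        return ack - self.delta
```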
In the case where the NAT component must also translate and adjust the payload beyond the IP, TCP, and UDP headers, a NAT editor is required. A NAT editor is an installable component that can properly modify otherwise nontranslatable payloads so that they can be forwarded across a NAT. Windows 2000 includes built-in NAT editors for the following protocols:
Additionally, the NAT routing protocol includes proxy software for the following protocols:
IPSec traffic is not translatable.
If a small business is using the 192.168.0.0 private network ID for its intranet and has been granted the public address of w1.x1.y1.z1 by its ISP, NAT maps all private addresses on 192.168.0.0 to the IP address of w1.x1.y1.z1. If multiple private addresses are mapped to a single public address, NAT uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another. Figure 14.1 shows an example of using NAT to transparently connect an intranet to the Internet.
The use of w1.x1.y1.z1 and w2.x2.y2.z2 is intended to represent valid public IP addresses as allocated by InterNIC or an ISP.
Figure 14.1 Using NAT to connect an intranet transparently to the Internet
For Windows 2000 Routing and Remote Access, the NAT component can be enabled by adding NAT as a routing protocol in the Routing and Remote Access snap-in.
NAT services are also available with the Internet Connection Sharing feature available from the Network And Dial-Up Connections folder, as explained in Lesson 2. Internet Connection Sharing performs the same function as the NAT routing protocol in Routing and Remote Access but it allows very little configuration flexibility. For information about configuring Internet Connection Sharing and why you would choose Internet Connection Sharing over the NAT routing protocol of Routing and Remote Access, see Windows 2000 Server Help.
Installed with the NAT routing protocol are a series of NAT editors. NAT consults the editors when the payload of the packet being translated matches one of the installed editors. The editors modify the payload and return the result to the NAT component. NAT interacts with the TCP/IP protocol in two important ways:
Figure 14.2 shows the NAT components and their relation to TCP/IP and other router components.
Figure 14.2 NAT components
For traffic from the private network that is outbound on the Internet interface, NAT first assesses whether or not an address/port mapping, whether static or dynamic, already exists for the packet. If not, a dynamic mapping is created. The NAT creates a mapping depending on whether there are single or multiple public IP addresses available.
After mapping, the NAT checks for editors and invokes one if necessary. After editing, the NAT modifies the IP and TCP or UDP headers and forwards the packet using the Internet interface. Figure 14.3 shows NAT processing for outbound Internet traffic.
Figure 14.3 NAT processing of outbound Internet traffic
For traffic from the Internet that is inbound on the Internet interface, the NAT first assesses whether an address/port mapping (whether static or dynamic) exists for the packet. If a mapping does not exist for the packet, it is silently discarded by the NAT.
This behavior protects the private network from malicious users on the Internet. The only way that Internet traffic is forwarded to the private network is either in response to traffic initiated by a private network user that created a dynamic mapping or because a static mapping exists so that Internet users can access specific resources on the private network.
After mapping, the NAT checks for editors and invokes one if necessary. After editing, the NAT modifies the TCP, UDP, and IP headers and forwards the frame using the private network interface. Figure 14.4 shows NAT processing for inbound Internet traffic.
Figure 14.4 NAT processing of inbound Internet traffic
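The following added example (not code from the lesson) models the mapping-table rules described in this lesson, both the static and dynamic mappings with their default time-outs and the outbound and inbound processing just described: outbound private-network traffic creates or refreshes a dynamic mapping, a static mapping publishes one internal service, and an inbound packet that matches no mapping is dropped. The public address, port range and host addresses are constructed values.

```python
# Added example, not code from the lesson: a toy NAT mapping table.
# Dynamic mappings are created by outbound traffic and refreshed on use,
# expire after the lesson's defaults (24 h TCP, 1 min UDP), and inbound
# packets with neither a static nor a dynamic mapping are discarded.
TIMEOUT = {"tcp": 24 * 3600, "udp": 60}       # seconds

class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip                # assumed single ISP-allocated address
        self.next_port = 1025                     # next dynamically chosen public port
        self.static = {}                          # (proto, pub_port) -> (priv_ip, priv_port)
        self.dynamic = {}                         # (proto, priv_ip, priv_port) -> (pub_port, last_used)

    def add_static(self, proto, pub_port, priv_ip, priv_port):
        """Publish an internal service, e.g. [public, TCP 80] -> [private, TCP 80]."""
        self.static[(proto, pub_port)] = (priv_ip, priv_port)

    def outbound(self, proto, src_ip, src_port, now):
        """Private -> Internet: reuse or create a dynamic mapping, refresh its timer."""
        key = (proto, src_ip, src_port)
        if key in self.dynamic:
            pub_port, _ = self.dynamic[key]
        else:
            pub_port = self.next_port
            self.next_port += 1
        self.dynamic[key] = (pub_port, now)
        return self.public_ip, pub_port

    def inbound(self, proto, dst_port, now):
        """Internet -> private: return the private endpoint, or None to drop."""
        if (proto, dst_port) in self.static:
            return self.static[(proto, dst_port)]
        for key, (pub_port, last) in list(self.dynamic.items()):
            if now - last > TIMEOUT[key[0]]:
                del self.dynamic[key]             # not refreshed in time: forget it
                continue
            if key[0] == proto and pub_port == dst_port:
                self.dynamic[key] = (pub_port, now)
                return key[1], key[2]
        return None                               # no mapping: silently discarded
```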
To help simplify the configuration of small networks connecting to the Internet, the NAT routing protocol for Windows 2000 also includes a DHCP allocator and a DNS proxy.
The DHCP allocator component provides IP address configuration information to the other computers on the network. The DHCP allocator is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the network as DHCP clients to receive the IP configuration automatically. The default TCP/IP configuration for Windows 2000, Windows NT, Windows 95, and Windows 98 computers is as a DHCP client.
Table 14.1 lists the DHCP options in the DHCPOFFER and DHCPACK messages issued by the DHCP allocator during the DHCP lease configuration process. You cannot modify these options or configure additional DHCP options.
Table 14.1 DHCP Lease Configuration Options
| Option number | Option value | Description |
|---|---|---|
| 3 | IP address of private interface | Router (default gateway) |
| 6 | IP address of private interface | DNS server (only issued if DNS proxy is enabled) |
| 58 (0x3A) | 5 minutes | Renewal time |
| 59 (0x3B) | 5 days | Rebinding time |
| 51 | 7 days | IP address lease time |
| 15 (0x0F) | Primary domain name of NAT computer | DNS domain |
The DHCP allocator only supports a single scope of IP addresses as configured from the Address Assignment tab in the Properties Of The Network Address Translation (NAT) Routing Protocol dialog box in the Routing and Remote Access snap-in. The DHCP allocator does not support multiple scopes, superscopes, or multicast scopes. If you need this functionality, you should install a DHCP server and disable the DHCP allocator component of the NAT routing protocol.
The DNS proxy component acts as a DNS server to the computers on the network. DNS queries sent by a computer to the NAT server are forwarded to the DNS server. The responses to those queries are received by the NAT server and sent back to the original small office or home office computer.
NAT enables private IP addresses to be translated into public IP addresses for traffic to and from the Internet. This keeps the internal network secure from the Internet, while saving the user the time and expense of acquiring and maintaining a public address range. A small business would normally have to obtain an ISP-allocated public IP address for each computer on its network. With the NAT, however, the small business can use private addressing and have the NAT map its private addresses to a single or to multiple public IP addresses as allocated by its ISP.