The main function of NAT is to conserve limited IP address space. A secondary benefit of NAT is providing network connectivity without the need to understand IP routing or IP routing protocols. NAT can be used without the knowledge or cooperation of an ISP, and contacting the ISP to add static routes is not required. In this lesson, you learn how to install and configure NAT.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
A common use for NAT is Internet connectivity from a home or small network. To prevent problems, there are certain design issues you should consider before you implement NAT. For example, when using a NAT, private addresses are normally used on the internal network. As described in Lesson 1, private addresses are intended for internal networks, meaning those not directly connected to the Internet. It is recommended that you use these addresses instead of picking addresses at random to avoid potentially duplicating IP address assignment. Additionally, you should consider routing instead of a NAT because routing is fast and efficient, and IP was designed to be routed. However, routing requires valid IP addresses and considerable knowledge to be implemented.
You should use the following IP addresses from the InterNIC private IP network IDs: 10.0.0.0 with a subnet mask of 255.0.0.0, 172.16.0.0 with a subnet mask of 255.240.0.0, and 192.168.0.0 with a subnet mask of 255.255.0.0. By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of 255.255.255.0 for the private network.
If you are using public IP networks that have not been allocated by the InterNIC or your ISP, you may be using the IP network ID of another organization on the Internet. This is known as illegal or overlapping IP addressing. If you are using overlapping public addresses, you cannot reach the Internet resources of the overlapping addresses. For example, if you use 220.127.116.11 with the subnet mask of 255.0.0.0, you cannot reach any Internet resources of the organization that is using the 18.104.22.168 network. You can also exclude specific IP addresses from the configured range. Excluded addresses are not allocated to private network hosts.
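The address-planning checks described above, as an added example that is not part of the lesson: it tests a planned internal network against the three InterNIC private network IDs (with the masks the lesson gives), reports an overlapping-public choice, and returns the recommended first address for the NAT's private interface. The function names and the sample networks are assumptions.

```python
# Added example (not from the lesson): validate a planned internal network
# against the private network IDs the lesson lists.
import ipaddress

# The three private network IDs and masks exactly as the lesson lists them.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
]

# NAT's default private network: 192.168.0.0 with mask 255.255.255.0.
NAT_DEFAULT = ipaddress.ip_network("192.168.0.0/255.255.255.0")


def classify_network(network, mask):
    """Return 'private' if network/mask lies inside one of the private
    blocks, otherwise 'overlapping-public' (the lesson's term for using
    another organization's public network ID behind the NAT)."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    for block in PRIVATE_BLOCKS:
        if net.subnet_of(block):
            return "private"
    return "overlapping-public"


def unreachable_public_net(network, mask):
    """For an overlapping-public choice, return the public network whose
    Internet resources become unreachable from behind the NAT; else None."""
    if classify_network(network, mask) == "private":
        return None
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=False))


def first_host(network, mask):
    """Recommended address for the NAT computer's private interface:
    the first address in the configured range."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return str(next(net.hosts()))


if __name__ == "__main__":
    # Constructed sample: a site that picked 172.32.0.0 by mistake
    # (172.32 is just outside the 172.16.0.0/255.240.0.0 block).
    print(classify_network("172.32.0.0", "255.255.0.0"))
    print(unreachable_public_net("172.32.0.0", "255.255.0.0"))
    print(first_host(str(NAT_DEFAULT.network_address), str(NAT_DEFAULT.netmask)))
```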
Follow these steps to configure the NAT server:
In the Routing And Remote Access Server Setup wizard, choose the options for ICS and for setting up a router with the NAT routing protocol. After the wizard is finished, all of the configuration for NAT is complete and you do not need to complete steps 2 through 8. If you have already enabled Routing and Remote Access, complete steps 2 through 8 as needed.
The IP address in the preceding configuration for the home network interface is based on the default address range of 192.168.0.0 with a subnet mask of 255.255.255.0, which is configured for the addressing component of NAT. If you change this default address range, you should change the IP address of the private interface for the NAT computer to be the first IP address in the configured range. Using the first IP address in the range is a recommended practice, not a requirement of the NAT components.
If your connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, frame relay, permanent ISDN, xDSL, or cable modem), or if you are connecting your computer running Windows 2000 to another router before the connection to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip this step and proceed to step 6.
You must create a demand-dial interface that is enabled for IP routing and uses your dial-up equipment and the credentials that you use to dial your ISP.
For a default static route, you need to select the demand-dial interface (for dial-up connections) or LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.
Instructions for adding the NAT routing protocol are described in the next procedure.
Follow these steps to add NAT as a routing protocol:
Follow these steps to enable NAT addressing:
If you are using a single public IP address allocated by your ISP, no other IP address configuration is necessary. If you are using multiple IP addresses allocated by your ISP, you must configure the NAT interface with your range of public IP addresses. For the range of IP addresses given to you by your ISP, you must determine whether the range of public IP addresses can be expressed by using an IP address and a mask.
If you are allocated a number of addresses that is a power of 2 (2, 4, 8, 16, and so on), you can express the range by using a single IP address and mask. For example, if you are given the four public IP addresses 22.214.171.124, 126.96.36.199, 188.8.131.52, and 184.108.40.206 by your ISP, you can express these four addresses as 220.127.116.11 with a mask of 255.255.255.252. If your IP addresses cannot be expressed as an IP address and a subnet mask, you can enter them as a range or a series of ranges by indicating the starting and ending IP addresses.
Follow these steps to configure interface IP address ranges:
If you are using a range of IP addresses that can be expressed with an IP address and a subnet mask, in Start Address, type the starting IP address, and in Mask, type the subnet mask. However, if you are using a range of IP addresses that cannot be expressed with an IP address and a subnet mask, in Start Address, type the starting IP address, and in End Address, type the ending IP address.
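The decision the two preceding paragraphs describe, as an added example that is not part of the lesson: given the addresses an ISP allocated, it works out whether they can be typed as Start Address plus Mask or must be typed as Start Address plus End Address ranges. It goes one step beyond the text: a power-of-2 count is necessary but the block must also be contiguous and start on a boundary that is a multiple of its size, otherwise no single mask describes it. The function names and the 203.0.113.x sample addresses are constructed.

```python
# Added example (not from the lesson): choose between the address+mask
# form and the start/end range form for a set of ISP-allocated addresses.
import ipaddress


def _as_ints(addresses):
    return sorted({int(ipaddress.IPv4Address(a)) for a in addresses})


def as_address_and_mask(addresses):
    """Return (start, mask) when the addresses form one contiguous block
    whose size is a power of 2 and which starts on a multiple of that
    size; otherwise return None."""
    ips = _as_ints(addresses)
    count = len(ips)
    if count == 0:
        return None
    contiguous = ips[-1] - ips[0] + 1 == count
    power_of_two = count & (count - 1) == 0
    aligned = ips[0] % count == 0   # e.g. a block of 4 must start at x.x.x.0/.4/.8...
    if not (contiguous and power_of_two and aligned):
        return None
    prefix = 32 - (count.bit_length() - 1)
    net = ipaddress.IPv4Network((ips[0], prefix))
    return str(net.network_address), str(net.netmask)


def as_ranges(addresses):
    """Fallback form: collapse the addresses into (start, end) runs."""
    runs = []
    for ip in _as_ints(addresses):
        if runs and ip == runs[-1][1] + 1:
            runs[-1][1] = ip
        else:
            runs.append([ip, ip])
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)))
            for s, e in runs]


def nat_range_entries(addresses):
    """What to enter for the NAT interface: Start Address and Mask when a
    mask expresses the range, else one or more Start/End Address ranges."""
    block = as_address_and_mask(addresses)
    if block:
        return {"start": block[0], "mask": block[1]}
    return {"ranges": as_ranges(addresses)}


if __name__ == "__main__":
    # Constructed samples: an aligned block of four, and an unaligned one.
    print(nat_range_entries(["203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11"]))
    print(nat_range_entries(["203.0.113.9", "203.0.113.10", "203.0.113.11", "203.0.113.12"]))
```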
Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. Programs such as Web browsers that run from the private network create connections to Internet resources. The return traffic from the Internet can cross the NAT because the connection was initiated from the private network. To allow Internet users to access resources on your private network, you must do the following:
Follow these steps to configure interface special ports:
You may need to configure applications and services to work properly across the Internet. For example, if users on your small office or home office network want to play the Diablo game with other users on the Internet, NAT must be configured for the Diablo application.
Follow these steps to configure NAT network applications:
You can also edit or remove an existing NAT network application by clicking Edit or Remove in the Applications dialog box.
To access a private intranet using a VPN connection from a translated network, you can use PPTP and create a VPN connection from a host on the internal network to the VPN server within the second private intranet. The NAT routing protocol has a NAT editor for PPTP traffic. Layer 2 Tunneling Protocol (L2TP) over IPSec connections do not work across the NAT server.
Not all traffic can be translated by the NAT. Some applications may carry embedded IP addresses (outside the IP header) or may be encrypted. For these applications, you can tunnel through the NAT using PPTP. PPTP does require an editor, which has been implemented in the NAT. Only the IP and Generic Routing Encapsulation (GRE) headers are edited or translated; the original IP datagram is not affected. This allows encrypted or otherwise unsupported applications to pass through the NAT.
The source address of the PPTP packets is translated to a NAT address. The encapsulated IP packet has a source address assigned by the PPTP server. Once the packet is beyond the PPTP server, the encapsulation is removed and the source address is the one assigned by the PPTP server. If the PPTP server is using a pool of valid Internet addresses, the client now has a valid address and can go anywhere on the Internet. Any application will work, because the original IP datagram is not translated; only the encapsulation, or wrapper, is translated by the NAT.
L2TP does not require a NAT editor. However, L2TP with IPSec cannot be translated by the NAT, and there cannot be a NAT editor for IPSec, because IPSec's integrity protection covers the very fields a NAT editor would need to change.
This method of NAT bypass is only useful if there is a PPTP server to tunnel to. It is useful for branch offices or home users tunneling to a corporate network, as illustrated in Figure 14.6.
Figure 14.6 Implementing a VPN through a NAT server
When using a NAT, private addresses are normally used on the internal network. It is recommended that you use these addresses on a private network instead of picking addresses at random, because randomly chosen addresses may duplicate addresses that are in use on the Internet. To prevent problems, you should identify design issues before you implement NAT. Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. You may need to configure applications and services to work properly across the Internet. In addition, remember that not all traffic can be translated by the NAT, because some applications carry embedded IP addresses or are encrypted. For these applications, you can tunnel through the NAT using PPTP.