Lesson 3: Installing and Configuring NAT

The main function of NAT is to conserve limited IP address space. A secondary benefit of NAT is providing network connectivity without the need to understand IP routing or IP routing protocols. The NAT can be used without the knowledge or cooperation of an ISP. Contacting the ISP for the addition of static routes is not required. In this lesson, you learn how to install and configure NAT.


After this lesson, you will be able to

  • Describe some design issues you should consider before implementing NAT
  • Enable NAT addressing
  • Configure interface IP address ranges
  • Configure interface special ports
  • Configure NAT network applications

Estimated lesson time: 20 minutes


Network Address Translation Design Considerations

A common use for NAT is Internet connectivity from a home or small network. To prevent problems, there are certain design issues you should consider before you implement NAT. For example, when using a NAT, private addresses are normally used on the internal network. As described in Lesson 1, private addresses are intended for internal networks, meaning those not directly connected to the Internet. It is recommended that you use these addresses instead of picking addresses at random to avoid potentially duplicating IP address assignment. Additionally, you should consider routing instead of a NAT because routing is fast and efficient, and IP was designed to be routed. However, routing requires valid IP addresses and considerable knowledge to be implemented.

IP Addressing Issues

You should use the following IP addresses from the InterNIC private IP network IDs: 10.0.0.0 with a subnet mask of 255.0.0.0, 172.16.0.0 with a subnet mask of 255.240.0.0, and 192.168.0.0 with a subnet mask of 255.255.0.0. By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of 255.255.255.0 for the private network.

If you are using public IP networks that have not been allocated by the InterNIC or your ISP, you may be using the IP network ID of another organization on the Internet. This is known as illegal or overlapping IP addressing. If you are using overlapping public addresses, you cannot reach the Internet resources of the overlapping addresses. For example, if you use 1.0.0.0 with the subnet mask of 255.0.0.0, you cannot reach any Internet resources of the organization that is using the 1.0.0.0 network. You can also exclude specific IP addresses from the configured range. Excluded addresses are not allocated to private network hosts.

Follow these steps to configure the NAT server:

  1. Install and enable Routing and Remote Access.

    In the Routing And Remote Access Server Setup wizard, choose the options for ICS and to set up a router with the NAT routing protocol. After the wizard is finished, all of the configuration for NAT is complete. You do not need to complete steps 2 through 8. If you have already enabled Routing and Remote Access, complete steps 2 through 8, as needed.

  2. Configure the IP address of the home network interface.

    For the IP address of the LAN adapter that connects to the home network, you need to configure the following:
    • IP address: 192.168.0.1
    • Subnet mask: 255.255.255.0
    • No default gateway

NOTE


The IP address in the preceding configuration for the home network interface is based on the default address range of 192.168.0.0 with a subnet mask of 255.255.255.0, which is configured for the addressing component of NAT. If you change this default address range, you should change the IP address of the private interface for the NAT computer to be the first IP address in the configured range. Using the first IP address in the range is a recommended practice, not a requirement of the NAT components.

  3. Enable routing on your dial-up port.

    If your connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, frame relay, permanent ISDN, xDSL, or cable modem), or if you are connecting your computer running Windows 2000 to another router before the connection to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip this step and proceed to step 6.

  4. Create a demand-dial interface to connect to your ISP.

    You must create a demand-dial interface that is enabled for IP routing and uses your dial-up equipment and the credentials that you use to dial your ISP.

  5. Create a default static route that uses the Internet interface.

    For a default static route, you need to select the demand-dial interface (for dial-up connections) or LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.

  6. Add the NAT routing protocol.

    Instructions for adding the NAT routing protocol are described in the next procedure.

  7. Add your Internet and home network interfaces to the NAT routing protocol.
  8. Enable NAT addressing and name resolution.

Follow these steps to add NAT as a routing protocol:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
  2. In the console tree, click General under Routing And Remote Access\Server Name\IP Routing.
  3. Right-click General, and then click New Routing Protocol.
  4. In the Select Routing Protocol dialog box, click Network Address Translation, and then click OK.

Follow these steps to enable NAT addressing:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
  2. In the console tree, click NAT.
  3. Right-click NAT, and then click Properties.
  4. In the Address Assignment tab, select the Automatically Assign IP Addresses By Using DHCP check box.
  5. If applicable, in IP Address And Mask, configure the range of IP addresses to allocate to DHCP clients on the private network.
  6. If applicable, click Exclude, configure the addresses to exclude from allocation to DHCP clients on the private network, and then click OK.

Single or Multiple Public Addresses

If you are using a single public IP address allocated by your ISP, no other IP address configuration is necessary. If you are using multiple IP addresses allocated by your ISP, you must configure the NAT interface with your range of public IP addresses. For the range of IP addresses given to you by your ISP, you must determine whether the range of public IP addresses can be expressed by using an IP address and a mask.

If you are allocated a number of addresses that have a power of 2 (2, 4, 8, 16, and so on), you can express the range by using a single IP address and mask. For example, if you are given the four public IP addresses 200.100.100.212, 200.100.100.213, 200.100.100.214, and 200.100.100.215 by your ISP, you can express these four addresses as 200.100.100.212 with a mask of 255.255.255.252. If your IP addresses are not expressible as an IP address and a subnet mask, you can enter them as a range or series of ranges by indicating the starting and ending IP addresses.

Follow these steps to configure interface IP address ranges:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
  2. In the console tree, click NAT.
  3. In the details pane, right-click the interface you want to configure, and then click Properties.
  4. In the Address Pool tab, click Add.

    If you are using a range of IP addresses that can be expressed with an IP address and a subnet mask, in Start Address, type the starting IP address, and in Mask, type the subnet mask. However, if you are using a range of IP addresses that cannot be expressed with an IP address and a subnet mask, in Start Address, type the starting IP address, and in End Address, type the ending IP address.
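As an added example (not code from the training kit), the following Python uses the standard ipaddress module to check a chosen private network ID against the three InterNIC blocks listed in this lesson, and to decide whether a set of ISP-allocated public addresses is entered in the Address Pool tab as a start address and mask or as a start and end address. It also checks block alignment, which the lesson leaves implicit: four addresses starting at .213 have a power-of-two count but still cannot be written as address/mask.

```python
import ipaddress

# Private network IDs listed in the lesson (the RFC 1918 blocks).
PRIVATE_BLOCKS = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_network(network):
    """True if the private network ID lies inside one of the InterNIC
    private blocks, so it cannot overlap another organization's public ID."""
    net = ipaddress.IPv4Network(network, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def pool_entries(addresses):
    """Work out how ISP-allocated public addresses go into the Address Pool.

    Each contiguous run becomes ("mask", start, mask) when it is a single
    aligned block whose size is a power of two, otherwise ("range", start,
    end). Non-contiguous allocations produce a series of entries.
    """
    addrs = sorted({ipaddress.IPv4Address(a) for a in addresses})
    entries = []
    i = 0
    while i < len(addrs):
        j = i
        while j + 1 < len(addrs) and int(addrs[j + 1]) == int(addrs[j]) + 1:
            j += 1  # extend the contiguous run
        start, end = addrs[i], addrs[j]
        # summarize_address_range yields exactly one network only when the
        # run is an aligned power-of-two block (the added alignment check).
        blocks = list(ipaddress.summarize_address_range(start, end))
        if len(blocks) == 1:
            entries.append(("mask", str(blocks[0].network_address),
                            str(blocks[0].netmask)))
        else:
            entries.append(("range", str(start), str(end)))
        i = j + 1
    return entries


if __name__ == "__main__":
    # The lesson's four-address example, entered as one address and mask.
    print(pool_entries(["200.100.100.212", "200.100.100.213",
                        "200.100.100.214", "200.100.100.215"]))
    print(is_private_network("192.168.0.0/24"), is_private_network("1.0.0.0/8"))
```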

Allowing Inbound Connections

Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. Programs such as Web browsers that run from the private network create connections to Internet resources. The return traffic from the Internet can cross the NAT because the connection was initiated from the private network. To allow Internet users to access resources on your private network, you must do the following:

  • Configure a static IP address configuration on the resource server including IP address (from the range of IP addresses allocated by the NAT computer), subnet mask (from the range of IP addresses allocated by the NAT computer), default gateway (the private IP address of the NAT computer), and DNS server (the private IP address of the NAT computer).
  • Exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer.
  • Configure a special port. A special port is a static mapping of a public address and port number to a private address and port number. A special port maps an inbound connection from an Internet user to a specific address on your private network. By using a special port, you can create a Web server on your private network that is accessible from the Internet.

Follow these steps to configure interface special ports:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
  2. In the details pane, right-click the interface you want to configure, and then click Properties.
  3. In the Special Ports tab, in Protocol, click either TCP or UDP, and then click Add.
  4. In Incoming Port, type the port number of the incoming public traffic.
  5. If a range of public IP addresses is configured, click On This Address Pool Entry, and then type the public IP address of the incoming public traffic.
  6. In Outgoing Port, type the port number of the private network resource.
  7. In Private Address, type the private address of the private network resource.
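To make the inbound rule concrete (return traffic passes because the private side opened the connection; unsolicited traffic passes only through a special port), here is an added Python model of a NAT table with the special-port mapping from the procedure above. It is a constructed illustration, not the Windows 2000 NAT implementation; the NatTable class, the lowest-first port allocation and the remote addresses 198.51.100.7 and 203.0.113.9 are all assumptions, and sessions are keyed only on the public port, which is a simplification of a real translation table.

```python
class NatTable:
    """Outbound sessions plus static special ports for one public address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.sessions = {}       # (proto, public_port) -> (private_ip, private_port)
        self.special_ports = {}  # (proto, incoming_port) -> (private_ip, outgoing_port)
        self.next_port = 1025    # assumed: dynamic public ports handed out lowest first

    def add_special_port(self, proto, incoming_port, private_ip, outgoing_port):
        # Static mapping entered in the Special Ports tab (steps 3 to 7 above).
        self.special_ports[(proto, incoming_port)] = (private_ip, outgoing_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Private host to Internet: allocate a public port and remember it."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Internet to public address: translate or drop (None)."""
        key = (proto, dst_port)
        if key in self.sessions:          # reply to a connection opened inside
            private_ip, private_port = self.sessions[key]
        elif key in self.special_ports:   # unsolicited but statically mapped
            private_ip, private_port = self.special_ports[key]
        else:
            return None                   # unsolicited and unmapped: dropped
        return (src_ip, src_port, private_ip, private_port)


def demo():
    nat = NatTable("200.100.100.212")
    # Web server at 192.168.0.10 excluded from the DHCP pool and mapped on TCP 80.
    nat.add_special_port("TCP", 80, "192.168.0.10", 80)
    # A browser on 192.168.0.5 opens a connection; the reply is let back in.
    out = nat.outbound("TCP", "192.168.0.5", 3000, "198.51.100.7", 80)
    reply = nat.inbound("TCP", "198.51.100.7", 80, out[1])
    # An Internet user reaches the internal Web server through the special port.
    web = nat.inbound("TCP", "203.0.113.9", 40000, 80)
    # The same user hitting an unmapped port is dropped.
    dropped = nat.inbound("TCP", "203.0.113.9", 40001, 25)
    return out, reply, web, dropped


if __name__ == "__main__":
    print(demo())
```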

Configuring Applications and Services

You may need to configure applications and services to work properly across the Internet. For example, if users on your small office or home office network want to play the Diablo game with other users on the Internet, NAT must be configured for the Diablo application.

Follow these steps to configure NAT network applications:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
  2. In the console tree, click NAT.
  3. Right-click NAT, and then click Properties.
  4. In the Translation tab, click Applications.
  5. To add a network application, in the Applications dialog box, click Add.
  6. In the Add Application dialog box, type the settings for the network application, and then click OK.

NOTE


You can also edit or remove an existing NAT network application by clicking Edit or Remove in the Applications dialog box.

Virtual Private Network Connections from a Translated Network

To access a private intranet over a VPN connection from a translated network, you can use PPTP and create a VPN connection from a host on the internal network to the VPN server within the second private intranet. The NAT routing protocol has a NAT editor for PPTP traffic. Layer 2 Tunneling Protocol (L2TP) over IPSec connections do not work across the NAT server.

Virtual Private Networks and NATs

Not all traffic can be translated by the NAT. Some applications carry embedded IP addresses in their payload (not in the IP header) or may be encrypted. For these applications, one can tunnel through the NAT using PPTP. PPTP does require an editor, which has been implemented in the NAT. Only the IP and Generic Routing Encapsulation (GRE) headers are edited or translated. The original IP datagram is not affected. This allows encrypted or otherwise unsupported applications to pass through the NAT.

The source address of the PPTP packets is translated to a NAT address. The encapsulated IP packet has a source address assigned by the PPTP server. Once the packet is beyond the PPTP server, the encapsulation is removed and the source address is the one assigned by the PPTP server. If the PPTP server is using a pool of valid Internet addresses, the client now has a valid address and can reach anywhere on the Internet. Any application will work, because the original IP datagram is not translated; only the encapsulation or wrapper is translated by the NAT.

NOTE


L2TP does not require a NAT editor. However, L2TP with IPSec cannot be translated by the NAT. There cannot be a NAT editor for IPSec.

This method of NAT bypass is only useful if there is a PPTP server to tunnel to. This will be good for branch offices or home users tunneling to a corporate network, as illustrated in Figure 14.6.

Figure 14.6 Implementing a VPN through a NAT server

Lesson Summary

When using a NAT, private addresses are normally used on the internal network. It is recommended that you use these addresses on a private network instead of picking addresses at random, because randomly chosen addresses may duplicate addresses that are valid on the Internet. To prevent problems, you should identify design issues before you implement NAT. Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. You may need to configure applications and services to work properly across the Internet. In addition, remember that not all traffic can be translated by the NAT because some applications may have embedded IP addresses or may be encrypted. For these applications, you can tunnel through the NAT using PPTP.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244