Windows 2000's Network Address Translation (NAT) - 23 Dec 1999Windows 2000's Network Address Translation (NAT) - 23 Dec 1999
Microsoft's implemetation of NAT provides the simplicity, flexibility, and low cost of the traditional Network Address Translator Internet standard. Microsoft has added more features to its flavor of NAT to make it easier to use.
December 23, 1999
An inexpensive way to get an Internet connection
For years, small office/home office (SOHO) networks have used dial-up modems or ISDN to access the Internet. Compared with newer options such as cable modems and asymmetric digital subscriber lines (ADSLs), dial-up solutions are complex and require you to have a certain level of OS, TCP/IP, hardware, and application expertise. Dial-up solutions also require the costly addition of items such as telephone lines, modems, ISDN connections, and ISP accounts.
In Windows 2000 Server (Win2K Server), Microsoft offers you two ways to connect SOHO networks to the Internet: You can use a routed connection or a translated connection. With routed connections, Win2K Server acts as an IP router and forwards packets from SOHO clients to the hosts on the Internet. Routed connections let servers forward all IP traffic to the Internet. However, setting up routed connections requires knowledge of IP networking and routing. With translated connections, Win2K Server acts as an IP router and translates packets from the SOHO hosts to the Internet hosts. Unlike routed connections, translated connections might not permit servers to translate all IP traffic.
In Win2K Server Release Candidate 2 (RC2), build 2128, you can use Microsoft Internet Connection Sharing (ICS) or Network Address Translation (NAT) to configure translated connections to the Internet. ICS is a feature of the Network and Dial-Up Connections tool. NAT is a routing protocol that you configure through the Routing and Remote Access window, which Screen 1 shows. NAT is Microsoft's variation of the Internet Engineering Task Force's (IETF's) Network Address Translator standard, which provides Internet connectivity in a simple, flexible, and inexpensive way. Microsoft uses the term ICS for what the company called Shared Access and uses the term NAT for what the company called Connection Sharing in early builds of Win2K Server.
The main purpose of the ICS and NAT services is to share a network connection that acts as a gateway or router to provide transparent Internet connectivity to clients on one subnet. The clients on the internal network don't need modems, extra phone lines, or valid IP addresses to directly connect to the Internet. The clients can simply proxy through the NAT server to access the external network.
NAT Background
In Request for Comments (RFC) 1631, the IETF describes several variations of Network Address Translator. The variations include traditional Network Address Translator, two-way Network Address Translator, twin Network Address Translator, host Network Address Translator, and host Network Address Port Translation (NAPT). Traditional Network Address Translator lets hosts on a private network (e.g., a LAN) access hosts on an external public network (e.g., the Internet). Traditional Network Address Translator permits only outbound sessions from the private network to the public network. A two-way Network Address Translator, as its name suggests, permits sessions in both directions: inbound and outbound. Twin Network Address Translator lets you change information in both the source and destination IP address fields, so you use twin Network Address Translator when address assignments between disparate domains overlap. Host Network Address Translator and host NAPT let you use security mechanisms such as IP Security (IPSec) and DNS Security (DNSsec) in a Network Address Translator environment.
Microsoft's implementation of NAT in Windows 2000 (Win2K) fits somewhere between a traditional Network Address Translator and a two-way Network Address Translator. Microsoft has added many more features to its flavor of NAT to make it easier to use.
Internet Connection Sharing
Let's take a closer look at Microsoft's ICS service in Win2K as a method to translate packets for Internet connectivity. Depending on your situation, you might prefer ICS to NAT. You can think of ICS as NAT light. To configure ICS, you simply select a check box to enable shared Internet access.
Keep in mind that ICS and NAT are mutually exclusive—you can't run both on the same machine. Although these services have a similar purpose, NAT has some functions that ICS doesn't have. For example, you can't configure multiple public IP addresses in ICS, and ICS doesn't support WINS proxy agents. The ICS clients use mixed-node NetBIOS for name resolution on a SOHO network.
The purpose of ICS is to let your clients on the internal network have transparent access to the Internet. You don't need to be a network guru to set up ICS. To set up an ICS server, your ICS computer must have at least two interfaces. One of them must be a NIC, and the other can be any other interface (e.g., dial-up adapter, Digital Subscriber Line—DSL—adapter, another NIC, ISDN adapter).
You enable ICS on the external interface. When you configure the external interface for ICS, you automatically configure the internal interface on the ICS server with the IP address 192.168.0.1 and a subnet mask of 255.255.255.0. You also configure the clients to obtain an IP address from a DHCP server. The ICS server automatically assigns IP addresses to the private clients from the class C network range (i.e., 192.168.0.0 to 192.168.255.255), and the clients automatically obtain the IP address of the ICS server for DNS name resolution. None of these parameters on the ICS server are configurable. Therefore, you can't disable DNS proxy services, modify the range of client-assigned IP addresses, configure port mappings, or disable the DHCP allocator. Table 1 shows a typical ICS client configuration on a private network.
To configure ICS for a dial-up connection in Win2K, select Start, Settings, Network and Dial-Up Connections. Next, double-click Make New Connection. Using the Network Connection Wizard, select an appropriate Network Connection Type, as Screen 2 shows. For example, you can choose Dial-up to private network (and you'll need to enter a number in the Phone Number to Dial dialog box). The Connection Availability dialog box gives you two options for the connection: For all users or Only for myself. In the next dialog box, select the Enable Internet Connection Sharing for this connection check box, as Screen 3 shows. To configure ICS, you need to set the LAN adapter on the private network to 192.168.0.1. A pop-up message warns you of the consequences of other clients on your SOHO network using a different address range. To configure ICS on your machine, click Yes. You want to enable ICS only on the external interface. Incorrect configuration of ICS can cause clients outside your SOHO network (e.g., other DSL users in your neighborhood) to obtain IP addresses from your DHCP allocator. If you no longer want your computer to serve as an ICS server, you can go to the network interface's Properties dialog box, select the Sharing tab, and clear the Enable Internet Connection Sharing for this connection check box.
If you're running a small network and can't afford to hire a network administrator, you can easily configure ICS and access the Internet from your network clients without knowing much about TCP/IP, DNS, WINS, or browser configuration. SOHO businesses can benefit from such a solution. But if you want more control of your environment, you need to use NAT instead of ICS.
Network Address Translation
NAT offers all the features that ICS offers, and more. NAT keeps track of the address and port translations for outbound connections so that the proper clients on the private network receive the packets back from the external network.
To provide address translation for the internal clients on a network, NAT translates the private IP addresses in the IP headers to a single public address. The clients access the Internet transparently without requiring additional software. The NAT server acts as a router and can also translate TCP or UDP ports for the clients. This approach might sound similar to the services that Microsoft Proxy Server offers. The two services have some differences, but they offer similar functionality and a NAT server isn't an alternative to Proxy Server.
To install NAT in Win2K, select Start, Programs, Administrative Tools. Open the Routing and Remote Access window, add your server, right-click the server name, and select Configure and Enable Routing and Remote Access. After you install RRAS, the program prompts you to start the service. After you start, go to IP Routing and right-click General. Select New Routing Protocol, select Network Address Translation (NAT), as Screen 4, page 143 shows, and click OK. Next, under IP Routing, right-click Network Address Translation (NAT) and add the interfaces (at least two).
Figure 1 shows a typical SOHO configuration with two NICs. The internal interface represents the private NIC and uses a static IP address of 192.168.0.1 to connect to the network. The external interface represents the public NIC and uses a DSL connection to an ISP using a static IP address to the Internet, such as 10.10.10.1 (this example address isn't valid on the Internet). Generally, your ISP assigns this static IP address.
To configure an external interface from the interface's Properties dialog box, select the General tab, choose Public interface connected to the Internet, and click OK. To configure an internal interface, select the General tab, choose Private interface connected to private network, and click OK. These two options are mutually exclusive.
Now you're ready to configure additional options for NAT. After you right-click Network Address Translation (NAT) and select Properties, four tabs are available for configuration: General, Translation, Address Assignment, and Name Resolution. The General tab has four logging options that are fairly self-explanatory. These options provide levels of logging to Win2K's Event Viewer. The Translation tab lets you set TCP and UDP session timeout values and specifies how long a dynamic mapping for a TCP or UDP session remains in the NAT server's internal routing table. The default for connection-oriented TCP sessions is 1440 minutes (24 hours), and the default for connectionless UDP sessions is 1 minute.
The Address Assignment tab, which Screen 5 shows, lets you automatically assign IP addresses to your internal clients. When you select the Automatically assign IP addresses by using DHCP check box, you enable the DHCP allocator. Screen 5 shows the NAT server with a static IP address of 192.168.0.0 and a subnet mask of 255.255.255.0. To avoid duplicate IP addresses on your internal network, you can use the Exclude option to exclude a range of IP addresses that are already in use on your private network. Microsoft suggests you add the NAT server's IP address (e.g., 192.168.0.1) to the list of reserved IP addresses. The Address Assignment tab gives the impression that you need a DHCP server on your private network because the dialog box says that you're configuring this option to use DHCP for automatic address assignment. In fact, you don't need a DHCP server on the private network. When you select the Automatically assign IP addresses by using DHCP check box, you enable a DHCP allocator that functions as a limited DHCP server.
The Name Resolution tab lets you resolve names to addresses for either Windows or TCP/IP networking clients. The NAT server can act as a DNS or WINS proxy agent for your private clients. The WINS proxy service that the NAT server offers isn't the same as the WINS proxy service available in Windows NT versions. NAT automatically configures the clients with the NAT server IP address as their WINS server. In a SOHO network, the WINS server address will be 192.168.0.1, which Table 1 shows. The second difference is that the clients merely think that the server is their WINS server. The NAT server will query the WINS server set in its IP configuration and return the results to the clients. (The client queries the WINS server and doesn't register its address with the WINS server.)
The WINS proxy service in NAT drops clients' name registrations, so the records don't stay in the WINS database. Because your clients never register with the WINS server on your private network, you might not be able to connect to a private client by name (e.g., \serversharename). Therefore, you must have a method to resolve names on the private network. One solution is to use IP addresses instead of names to connect to other machines (e.g., \192.168.0.3data). Another option is to use the LMHOSTS file. I prefer to use DHCP to assign a WINS address to a client.
The DNS proxy works similarly to a WINS proxy in which the clients send DNS queries to the NAT server. To respond to the client queries, the NAT server queries the DNS server set in its IP configuration (e.g., an ISP's DNS server) and returns the results to the clients. Unless you enable this option, the clients on the private network won't be able to resolve host names on the Internet (unless you have an alternative method in place to provide name resolution). You can make your NAT server a DNS server. In case your server can't resolve the DNS queries, you want to configure your DNS server to forward requests to another DNS server, such as an ISP's DNS server.
DHCP Allocator
NAT and ICS include a DHCP allocator that acts like a DHCP server. The DHCP allocator leases IP addresses to the clients from the range that you configure using the Address Assignment tab. Think of the DHCP allocator as limited DHCP (or DHCP light). Unlike DHCP server, the allocator doesn't have a configurable database. All DHCP allocator parameter configurations are automatic, including DNS and WINS proxy. You can use any range of IP addresses on the internal interface with the DHCP allocator, but I recommend that you use only nonroutable private IP address ranges, which RFC 1918 defines.
The default network ID range in NAT is an area in which Microsoft made changes in the Win2K beta releases. Early builds used a class C address range. In later builds, Microsoft decided to use a class B private network ID range (169.254.0.0 to 169.254.255.255). Microsoft switched to this class B range because the Win2K and Windows 98 clients use this range for auto-IP configuration, and when NAT uses this range, communication is easier. In Win2K RC2, Microsoft returned to class C as the default IP address range, as Screen 5 shows. The DHCP allocator issues clients several IP configuration options. Table 1 shows a default configuration for a NAT client on a private network.
You can right-click Network Address Translation (NAT) in the Routing and Remote Access window to view the DHCP allocator or DNS proxy information. You can also use the Netsh command to administer IP settings. For example, you can run Netsh, then type
routing ip autodhcp show global
to see the DHCP allocator configuration information. You can run Netsh, then type a question mark to see the available options.
What if you want to use DHCP server on your internal network? Does using DHCP cause any conflicts? If you have routers, DNS servers, or DHCP servers on your network, you might run into some problems. The NAT server will try to detect these competing services, and if successful, it will shut down its services. The NAT server uses Internet Control Message Protocol (ICMP) Router Solicitation and DHCP Discover packets to detect these services.
To use the DHCP server on your Win2K server instead of enabling the DHCP allocator, select the Automatically assign IP addresses by using DHCP check box. I prefer to use a DHCP server for several reasons. A Win2K DHCP server can dynamically register earlier-version clients with Win2K's dynamic DNS (DDNS) server. A DHCP server also offers control over DHCP options that the DHCP allocator doesn't offer, such as providing a domain name to the clients or changing the IP lease period.
You can also assign a different DHCP or WINS server. Using DHCP to assign a WINS server to clients provides easier name resolution for internal clients. If you use the WINS proxy service (instead of using DHCP options to give a WINS server's address to clients), the clients don't register and the service can't resolve names. If you set a WINS server's address as part of the DHCP options, the clients register with the WINS server, and name resolution becomes transparent.
When using a DNS server, I use DHCP options to provide the IP address of my ISP's DNS server to my private clients. To use a DHCP server instead of the DHCP allocator, select the Address Assignment tab from NAT Properties, clear the Automatically assign IP addresses by using DHCP check box, and install DHCP server on your internal network. For a SOHO environment, the NAT server can also serve as a DNS, WINS, and DHCP server. You can configure the clients to obtain IP information from a DHCP server. Table 1 shows a default client configuration using a DHCP server.
Packet Translation
The NAT server needs to translate all packets from a nonroutable IP address range on the private network to a valid IP address on the Internet. The server can transparently translate packets that contain IP address, TCP port, and UDP port information in the IP, TCP, and UDP headers, respectively. If the application contains the IP address, TCP port, or UDP port information in the application's header (instead of the IP header), the NAT server might not be able to properly translate these packets, such as FTP packets.
A NAT editor component can properly translate packets that your NAT server can't otherwise translate. For translation, NAT servers require that packets have an IP address in the IP header, TCP port numbers in TCP header, and UDP port numbers in the UDP headers. All other packets require a NAT editor. HTTP doesn't require a NAT editor because HTTP requires translation of an IP address in an IP header and TCP port in a TCP header. PPTP doesn't use a TCP or UDP header. Instead, PPTP uses a Generic Routing Encapsulation (GRE) header. The tunnel ID in the GRE header identifies the data. If NAT is unable to translate the tunnel ID within the GRE header, you'll experience connectivity problems. Because NAT can't translate tunnel ID for PPTP packets, you need a NAT editor for proper translation.
Win2K comes with built-in NAT editors for FTP, ICMP, and PPTP. Microsoft plans to make NAT editor APIs available to third-party vendors to develop additional NAT editors. Currently, no NAT editors are available for IPSec, Lightweight Directory Access Protocol (LDAP), COM, remote procedure call (RPC), or SNMP.
To use encrypted applications or applications that don't contain the IP addresses in the IP headers, you can use PPTP to tunnel through the server. Layer 2 Tunneling Protocol (L2TP), which comes with Win2K, doesn't require a NAT editor, so you can transparently use L2TP. However, you can't use L2TP with IPSec because the server can't translate the packets (IPSec doesn't have a NAT editor). Although you can't use IPSec for security with NAT, you can use Secure Sockets Layer (SSL) to encrypt Web-based applications. You can't authenticate to a Win2K domain controller across a NAT server because the NAT server doesn't translate Kerberos 5 packets, which Win2K domain controllers use.
Address and Port Translation
NAT lets you translate specific addresses and ports. Typically, the NAT server performs address and port translations. You can also configure the server for address mapping, rather than translation. With address mapping, you can map the private internal addresses to a pool of public Internet addresses. This method is more scalable than the address and port translation method. Address mapping lets you map multiple incoming connections to the same port or service. However, address mapping is fairly complex and requires your ISP to add static routes for the pool of IP addresses that your NAT server uses.
You can use the Address Pool tab of an interface's Properties dialog box to configure the server to use address translation mode. For example, you can define an address range to configure a pool of addresses. Then, clients will dynamically use a unique public address from this pool, unless you reserve certain addresses for specific machines. Reserving an address is a way to provide connections from the Internet to your private network. You can also use special port mapping by selecting the Special Ports tab of the interface's Properties dialog box, as Screen 6 shows. TCP packets arriving from the Internet on Public Port 80 of the Interface's address will be directed to Private Port 1080 of a client that has an IP address of 192.168.0.25. In addition, the TCP packets arriving on Public Port 20 will be directed to Private Port 2121 of 192.168.0.25.
Comparing NAT with ICS and Proxy Server
ICS is simple to configure and requires you to select only one check box. NAT's manual configuration requires more expertise. In a SOHO network, you can use ICS with one LAN adapter. The second interface can be a modem. You typically use a NAT server with multiple interfaces. With ICS, you can use only one public IP address. NAT supports multiple public IP addresses. ICS supports only a fixed range of IP addresses (e.g., 192.168.0.0 to 192.168.255.255) for clients on the private network. NAT allows a range that you can configure to suit your needs. Finally, NAT offers support for both DNS and WINS proxy services. ICS supports only DNS proxy services.
NAT and Proxy Server offer similar functionality. Both services let a small private network or SOHO network use one machine as a proxy to transparently connect to the Internet. With NAT, you don't need to install or configure additional software. The only stipulation is that the clients must be DHCP-aware (i.e., configured to obtain an IP address from a DHCP server). With Proxy Server, you need to configure the clients' browsers to use the proxy server. The only exceptions are Win2K clients that can automatically look for a proxy server and self-configure the client's browser.
Proxy Server can be more expensive for SOHO networks, so you'll have to consider the trade-offs. In large or secure environments, Proxy Server might be a better choice because of its superior filtering and caching capabilities. However, for home businesses or smaller networks in which security requirements aren't as stringent, NAT seems to be a better choice because of its simplicity, cost, and ease of administration.
I prefer NAT for several reasons. The main reason is that NAT lets me use PPTP from a NAT client to connect to a corporate network on the Internet, which gives me secure access to my corporate network for transferring files, using a Microsoft Outlook client, printing, or running custom applications. A proxy server doesn't let a proxy client use PPTP to tunnel through a proxy server. You can use a proxy server only to make a PPTP connection to your corporate network. Similar to Proxy Server, the NAT server still gives you the ability to use SSL transparently from any client in a SOHO to do many things, such as trade stock, bank online, or run Web-based e-commerce applications. NAT also offers a certain level of security.
Troubleshooting NAT
If your clients can't get an IP address from the NAT server, verify that you selected the Automatically assign IP addresses by using DHCP check box. If your server can't translate the addresses, verify that you properly enabled the translation on both interfaces. Check the internal interface's Properties dialog box to ensure that you selected Private interface connected to private network, and check the external interface's Properties dialog box to ensure that you selected Public interface connected to the Internet. Also, check the status of the interfaces in the Routing and Remote Access window. The Status column should show Enabled, and the Connection State column should show Connected.
If an application doesn't work through the NAT server, try to use the application on the NAT server. If the application works from the NAT server but not from the private network, it might require a NAT editor.
I find that naming my public interface and private interface is useful. To name your interfaces, go to Start, Settings, Network and Dial-Up Connections. You can also select Show icon in taskbar when connected from the General tab of the interface's Properties dialog box. Naming your interfaces will help you monitor all your active connections easily. When you move your cursor to an interface icon in the taskbar, the icon will show you the name of the interface, the speed of your connection, and the number of packets sent and received. The interface icons blink during packet transfer and other activity.
If you can't use a NetBIOS name to connect to another computer on the internal network, use an IP address or make sure you have a static name-resolution method. You can use the LMHOSTS file, but using a DHCP server might be a better choice. If you're using a DHCP server on the private network, don't forget to turn off the DHCP allocator.
NAT Is All You Need
NAT will probably become a favorite feature for many Win2K users. NAT is an efficient, simple, reliable, and inexpensive solution to Internet connectivity for branch offices and small networks. NAT is beneficial for several reasons. The ability to use PPTP is a big plus, and the filtering capabilities, port translation, and on-demand dialing are extra bonuses. The ability to add NAT editors in the future makes this service even more attractive. If you've been looking at Proxy Server and third-party solutions, you might want to check out Win2K's NAT server. You might discover that NAT is all you need.Corrections to this Article:
"Windows 2000's Network Address Translation" incorrectly states that to use the DHCP server on your Windows 2000 (Win2K) server instead of enabling the DHCP allocator, select the Automatically assign IP addresses by using DHCP check box. You need to clear that check box.
About the Author
You May Also Like