Server 2008 NAT Network Address Translation


Description: NAT, Server 2008 70-642 notes

Transcript of Server 2008 NAT Network Address Translation

Page 1: Server 2008 NAT Network Address Translation

NAT Network Address Translation

Because private IP addresses are private, different organizations can use the same IP address. Of course, this means that private IP addresses aren’t routable on the public Internet, hence the need for NAT.

IPv6 and NAT

Because of the larger address space and improved private addressing design, IPv6 does not require NAT. Therefore, this lesson applies only to IPv4 networks.

Network Address Translation (NAT) allows one computer (or another type of network host, such as a router) with a public IP address to provide Internet access to hundreds or thousands of hosts on an internal network. The hosts on the internal network must have private IP addresses (as defined in Request for Comments [RFC] 1918) in one of the following address ranges:

192.168.0.0–192.168.255.255
172.16.0.0–172.31.255.255
10.0.0.0–10.255.255.255

Internet Connection Sharing

Internet Connection Sharing (ICS) is a feature that permits you to use Windows Server 2008 to connect a small office network or home network to the Internet. The ICS computer has a public IP address (or an IP address that provides access to a remote network) on the external network interface. The internal network interface always has the IP address 192.168.0.1. Enabling ICS automatically enables a DHCP service that assigns clients IP addresses in the range 192.168.0.0/24. This DHCP service is not compatible with either the DHCP Server role or the DHCP relay agent feature of Routing And Remote Access.

Page 2: Server 2008 NAT Network Address Translation

To configure NAT using Internet Connection Sharing

Start with the computer that will share the Internet connection. First set up your Internet connection, and then use the Network Setup Wizard to configure the computer.

Configure the NAT server with two interfaces:
An interface connected to the Internet, with a public Internet IP address
An interface connected to your private intranet, with a static, private IP address

Go to Start > Settings > Control Panel > Network and Sharing Center, then click Manage Network Connections in the Task pane.

Right-click the network interface that connects to the Internet, and then click Properties.

Click the Sharing tab and select the Allow Other Network Users To Connect Through This Computer’s Internet Connection check box.

Page 3: Server 2008 NAT Network Address Translation

If you want users on the Internet to access any servers on your intranet (such as a Web or e-mail server that has only a private IP address), click the Settings button. For each internal service, follow these steps:

If the service appears in the Services list, select its check box. In the Service Settings dialog box, type the internal name or IP address of the server and click OK.

If the service does not appear on the list, or if it uses a nonstandard port number, click Add. Type a description for the service and the internal name or IP address of the server. Then, in both the External Port Number For This Service and Internal Port Number For This Service boxes, type the port number used by the server. Select either TCP or UDP, and then click OK.

Enabling ICS does not change the configuration of the Internet network interface, but it does assign the IP address 192.168.0.1 to the intranet network interface. Additionally, the computer will now respond to DHCP requests on the intranet interface only and assign clients IP addresses in the range 192.168.0.0/24. All clients will have 192.168.0.1 (the private IP address of the ICS computer) as both their default gateway and the preferred DNS server address.

Page 4: Server 2008 NAT Network Address Translation

You can also share a VPN or dial-up connection. This allows a single computer to connect to a remote network and to forward traffic from other computers on the intranet. To enable ICS for a remote access connection:

Page 5: Server 2008 NAT Network Address Translation

Click the Sharing tab. Then, select the Allow Other Network Users To Connect Through This Computer’s Internet Connection check box.

Optionally, select the Establish A Dial-Up Connection Whenever A Computer On My Network Attempts To Access The Internet check box. This automatically establishes a remote access connection if a computer on the intranet sends any traffic that would need to be forwarded to the remote network.

Network Address Translation Using Routing and Remote Access

Using Routing And Remote Access, you can enable full-featured NAT capabilities. The specific reasons to use Routing and Remote Access instead of ICS include:

You can use internal networks other than 192.168.0.0/24.
You can route to multiple internal networks.
You can use a different DHCP server, including the DHCP Server role built into Windows Server 2008.
ICS cannot be enabled on a computer that uses any Routing and Remote Access component, including a DHCP relay agent.

Enabling NAT

Configure the NAT server with two interfaces:
An interface connected to the Internet, with a public Internet IP address
An interface connected to your private intranet, with a static, private IP address

Click Start, Administrative Tools, Routing and Remote Access.

Page 6: Server 2008 NAT Network Address Translation

When the Routing and Remote Access MMC starts, you will notice that the server has a red down arrow showing that it is currently offline. Right-click the server and select Configure and Enable Routing and Remote Access.

On the Welcome To The Routing And Remote Access Server Setup Wizard page, click Next.

On the Configuration page, select Network Address Translation (NAT), and click Next.

On the VPN Connection page, select the NIC in the Network interfaces section that represents the external interface of the VPN server. Then click Next.

Page 7: Server 2008 NAT Network Address Translation

On the IP Address Assignment page, select the Automatically option. We can select this option because we have a DHCP server installed on the domain controller behind the VPN server. If you did not have a DHCP server, then you would have to select the From a specified range of addresses option and then provide a list of addresses that VPN clients could use when connecting to the network through the VPN gateway. Click Next.

Page 8: Server 2008 NAT Network Address Translation

On the Managing Multiple Remote Access Servers page, select the No, use Routing and Remote Access to authenticate connection requests option. This is the option we use when there is no NPS or RADIUS server available. Since the VPN server is a member of the domain, you can authenticate users using domain accounts.

Read the summary information on the Completing the Routing and Remote Access Server Setup Wizard page and click Finish.

If NAT has already been set up, to configure it on an interface:

1. In the left pane of the Server Manager, expand the Routing and Remote Access node.
2. Expand the IPv4 node.
3. Click on the NAT node.
4. In the NAT node, right-click the external network interface that you wish to enable NAT on.
5. Click Properties, select NAT, and click OK.

Selecting the NAT node in the RRAS console shows that three network interfaces were created when NAT was configured on the server using the Routing and Remote Access Server Setup Wizard.

Page 9: Server 2008 NAT Network Address Translation

The Properties of Local Area Connection. Note that NAT considers this network the "private" network, that is, the network "behind" the NAT router.

The Properties of Local Area Connection 2. Note that NAT considers this network the "public" network, that is, the network "in front of" (on the Internet side of) the NAT router.

Page 10: Server 2008 NAT Network Address Translation

Enabling DHCP

When you enable NAT, you can use any DHCP server. Typically, if you want to use a Windows Server 2008 computer as a DHCP server, you should add the DHCP Server role, which provides a very full-featured DHCP server.

NAT does include a very limited, but functional, DHCP server capable of providing IP address configuration to DHCP clients on a single subnet.

To configure the NAT DHCP server

In Server Manager, right-click Roles\Network Policy And Access Services\Routing And Remote Access\IPv4\NAT, and then choose Properties.

In the Address Assignment tab, select the Automatically Assign IP Addresses By Using The DHCP Allocator check box.

Type the private network address and subnet mask.

If you need to exclude specific addresses that are statically assigned to existing servers (other than the NAT server’s private IP address), click the Exclude button and use the Exclude Reserved Addresses dialog box to list the addresses that will not be assigned to DHCP clients. Click OK.

Page 11: Server 2008 NAT Network Address Translation

Enabling Forwarding of DNS Requests

To connect to the Internet, NAT clients need to be able to resolve DNS requests. You can provide this using the DNS Server role.

For small networks not requiring a DNS server, you can configure NAT to forward DNS requests to the DNS server configured on the NAT server. Typically, this is the DNS server at your ISP.

In Server Manager, right-click Roles\Network Policy and Access Services\Routing and Remote Access\IPv4\NAT, and then choose Properties.

In the Name Resolution tab, select the Clients Using Domain Name System (DNS) check box.

If the NAT server must connect to a VPN or dial-up connection for network access, select the Connect To The Public Network When A Name Needs To Be Resolved check box, and then select the appropriate demand-dial interface. Click OK.

Configuring Client Computers

For computers on the same LAN as the NAT server’s intranet interface, configure the default gateway as the NAT server’s intranet IP address.

For other intranet LANs, configure routers to forward traffic destined for the Internet to the NAT server’s intranet IP address.

Ensure that all clients can resolve Internet DNS names.

Page 12: Server 2008 NAT Network Address Translation

View NAT Mapping Statistics

Click on the NAT node in the left pane of the console. In the right pane of the console, right-click Internet and click Show Mappings. Here you will find some interesting and helpful information about the mappings used on the Internet interface for forward and reverse NAT connections. You can also see in the right pane of the console a number of statistics, such as Total Mappings, Inbound Packets Translated, and others.
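The forward and reverse mappings shown here, and the per-service port forwarding from page 3, as an added Python model that is not part of these notes or of Windows: it translates only sources in the three RFC 1918 ranges listed on page 1, creates one dynamic mapping per outbound flow, admits inbound packets only where a mapping exists, and keeps counters like the Total Mappings and Inbound Packets Translated statistics. The public address, ports and hosts are constructed sample values.

```python
import ipaddress

# The three RFC 1918 ranges from page 1: the only sources the NAT should translate.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True if ip falls in one of the three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

class NatTable:
    """Minimal port-translating NAT with static service mappings and counters (constructed model)."""
    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port) -> public_port   (forward, dynamic)
        self.inbound = {}    # public_port -> (private_ip, private_port)   (reverse, incl. static)
        self.stats = {"Total mappings": 0, "Outbound packets translated": 0,
                      "Inbound packets translated": 0, "Inbound packets rejected": 0}

    def add_service(self, external_port: int, internal_host: str, internal_port: int):
        """Static mapping like the ICS Settings dialog: expose one internal server on one port."""
        if not is_private(internal_host):
            raise ValueError(f"{internal_host} is not an RFC 1918 address")
        self.inbound[external_port] = (internal_host, internal_port)
        self.stats["Total mappings"] += 1

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; create a mapping on first use."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address")
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
            self.stats["Total mappings"] += 1
        self.stats["Outbound packets translated"] += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving on the public interface; drop it if no mapping exists."""
        target = self.inbound.get(dst_port)
        if target is None:
            self.stats["Inbound packets rejected"] += 1
            return None
        self.stats["Inbound packets translated"] += 1
        return (src_ip, src_port) + target
```

Unsolicited inbound packets reach an internal host only through a static service mapping, which is why each port-forwarding entry added in the Settings dialog is worth reviewing.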