The Cable Guy - March 2001
Windows 2000 Network Address Translator (NAT)
A network address translator (NAT) is an IP router defined in RFC 1631 that can translate the IP addresses and TCP/UDP port numbers of packets as they are forwarded. For example, consider a small business network with multiple computers that connect to the Internet. This business would normally have to obtain a public IP address for each computer on the network from an Internet service provider (ISP). With a NAT, however, the small business can use private addressing (as described in RFC 1918) and have the NAT map its private addresses to a single or to multiple public IP addresses.
Why use NAT
NAT is a good solution for the following combination of requirements:
- You want to leverage the use of a single connection, rather than connecting multiple computers, to the Internet.
- You want to use private addressing.
- You want access to Internet resources without having to deploy a proxy server.
How network address translation works
If a small business is using the 192.168.0.0 private network ID for its intranet and has been allocated a single public IP address by its ISP, the NAT maps all private IP addresses used on network 192.168.0.0 to the public IP address.
When a private user on the small business intranet connects to an Internet resource, the user's TCP/IP protocol creates an IP packet with the following values set in the IP and TCP or UDP headers (of these four fields, the NAT changes only the source IP address and the source port):
- Destination IP Address: Internet resource IP address
- Source IP Address: Private IP address
- Destination Port: Internet resource TCP or UDP port
- Source Port: Source application TCP or UDP port
The source host or another router forwards this IP packet to the NAT, which translates the addresses of the outgoing packet as follows:
- Destination IP Address: Internet resource IP address
- Source IP Address: ISP-allocated public address
- Destination Port: Internet resource TCP or UDP port
- Source Port: Remapped source application TCP or UDP port
The NAT sends the remapped IP packet over the Internet. The responding computer sends back a response to the NAT. When it is received by the NAT, the packet contains the following addressing information:
- Destination IP Address: ISP-allocated public address
- Source IP Address: Internet resource IP address
- Destination Port: Remapped source application TCP or UDP port
- Source Port: Internet resource TCP or UDP port
When the NAT maps and translates the addresses, and forwards the packet to the intranet client, it contains the following addressing information:
- Destination IP Address: Private IP address
- Source IP Address: Internet resource IP address
- Destination Port: Source application TCP or UDP port
- Source Port: Internet resource TCP or UDP port
For outgoing packets, the source IP address and TCP/UDP port numbers are mapped to a public source IP address and a possibly changed TCP/UDP port number. For incoming packets, the destination IP address and TCP/UDP port numbers are mapped to the private IP address and original TCP/UDP port number.
The mappings for private to public traffic are stored in a NAT translation table, which can contain two types of entries:
Dynamic mappings
Created when communications to Internet locations are initiated by private network clients. Dynamic mappings are removed from the NAT translation table after a specified amount of time.
Static mappings
Configured manually so that communications initiated by Internet clients can be mapped to a specific private network address and port. Static mappings are needed when there are servers (for example, Web servers) or applications (for example, games) on the private network that you want to make available to computers that are connected to the Internet. Static mappings are not removed from the NAT translation table.
The NAT only forwards traffic from the Internet to the private network if a mapping exists in the NAT translation table. In this way, the NAT provides a level of protection for computers that are connected to private network segments. However, a NAT should not be used in place of a fully-featured firewall when Internet security is a concern.
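The translation table described above, as an added Python example that is not from the article or from Windows 2000 NAT: the 192.168.0.0 network, the public address 203.0.113.10, the port numbers and the clock values are all constructed, and the time-out and port-allocation policy are assumptions chosen for the simulation. It shows outbound rewriting, reply rewriting, dynamic mappings ageing out, a static mapping for a private server, and the drop of Internet traffic that matches no mapping.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the private network behind the NAT and its single ISP-allocated
# public address (203.0.113.10 is a documentation address, not a real ISP's).
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_ADDR = "203.0.113.10"
@dataclass(frozen=True)
class Packet:            # the four header fields the NAT looks at
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatTable:
    def __init__(self, timeout=60, first_port=49152):
        self.timeout = timeout       # lifetime of a dynamic mapping, in seconds (assumed)
        self.next_port = first_port  # next public port handed out to a new outbound flow
        self.mappings = {}           # public_port -> (private_ip, private_port, expiry or None)
    def add_static(self, public_port, private_ip, private_port):
        # Static mapping: Internet-initiated traffic to public_port reaches a private server.
        self.mappings[public_port] = (private_ip, private_port, None)

    def outbound(self, pkt, now):
        """Rewrite the source IP/port of a packet leaving the private network."""
        if ipaddress.ip_address(pkt.src_ip) not in PRIVATE_NET:
            return None                                # not ours to translate
        for pub_port, (ip, port, expiry) in self.mappings.items():
            if (ip, port) == (pkt.src_ip, pkt.src_port):
                if expiry is not None:                 # refresh a dynamic mapping on reuse
                    self.mappings[pub_port] = (ip, port, now + self.timeout)
                return Packet(PUBLIC_ADDR, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[pub_port] = (pkt.src_ip, pkt.src_port, now + self.timeout)
        return Packet(PUBLIC_ADDR, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Rewrite the destination IP/port of a packet from the Internet; None means drop."""
        self.expire(now)
        entry = self.mappings.get(pkt.dst_port)
        if pkt.dst_ip != PUBLIC_ADDR or entry is None:
            return None                                # no mapping: unsolicited traffic is dropped
        private_ip, private_port, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

    def expire(self, now):
        # Dynamic mappings age out; static mappings (expiry None) never do.
        for pub_port, (_, _, expiry) in list(self.mappings.items()):
            if expiry is not None and expiry <= now:
                del self.mappings[pub_port]
```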
Limitations of NAT
Typical network address translation relies on the translation of:
- The IP addresses in the IP header.
- The TCP port numbers in the TCP header.
- The UDP port numbers in the UDP header.
Beyond these three items, additional translation requires processing by software components called NAT editors. For example, HyperText Transfer Protocol (HTTP) traffic that is used to access Web servers does not require a NAT editor because HTTP traffic requires only the translation of the IP address in the IP header and the TCP port in the TCP header.
NAT editors are required in the following instances:
An IP address, TCP port, or UDP port is stored in the payload.
For example, File Transfer Protocol (FTP) stores the dotted decimal representation of IP addresses in the FTP header for the FTP port command. If the NAT does not properly translate the IP address within the FTP header and adjust TCP sequencing, connectivity problems might occur.
TCP or UDP is not being used to identify the data stream.
For example, data that is tunneled with the Point-to-Point Tunneling Protocol (PPTP) does not use a TCP or UDP header. Instead, a Generic Routing Encapsulation (GRE) header is used and the Tunnel ID, which is stored in the GRE header, identifies the data stream. If the NAT does not properly translate the Tunnel ID within the GRE header, connectivity problems might occur.
Windows 2000 NAT includes editors for FTP, Internet Control Message Protocol (ICMP), and PPTP. Because IP Security (IPSec) traffic is not translatable, even with an editor, private network computers cannot use L2TP/IPSec to make VPN connections to VPN servers on the Internet.
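The FTP PORT case described under "An IP address, TCP port, or UDP port is stored in the payload", as an added Python example that is not the article's or Windows 2000's editor code: it rewrites the dotted-decimal private address in a PORT command, records the mapping the server's data connection will need, and tracks the TCP sequence-number shift that the change in payload length causes. The addresses, the data-port range and the class and function names are constructed assumptions.

```python
import re

# Constructed addresses: the FTP client's private address and the NAT's public address.
PRIVATE_IP = "192.168.0.5"
PUBLIC_ADDR = "203.0.113.10"

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line):
    """Return (ip, port) from an FTP PORT command line, or None if it is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    return ".".join(str(x) for x in fields[:4]), fields[4] * 256 + fields[5]

def format_port(ip, port):
    """Encode ip:port the way PORT carries it: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()

class FtpPortEditor:
    """NAT editor for one outbound FTP control connection (hypothetical, for illustration)."""

    def __init__(self, private_ip=PRIVATE_IP, public_ip=PUBLIC_ADDR, first_data_port=50000):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.next_data_port = first_data_port
        self.data_mappings = {}  # public data port -> (private ip, private port) for the server's connect
        self.seq_delta = 0       # net bytes added to the client's stream by earlier rewrites

    def edit_outbound(self, seq, payload):
        """Rewrite one client->server segment; returns (adjusted seq number, payload to send)."""
        adjusted_seq = seq + self.seq_delta        # earlier rewrites shifted everything after them
        parsed = parse_port(payload)
        if parsed is None or parsed[0] != self.private_ip:
            return adjusted_seq, payload           # not a PORT command for our client: pass through
        client_port = parsed[1]
        pub_port, self.next_data_port = self.next_data_port, self.next_data_port + 1
        self.data_mappings[pub_port] = (self.private_ip, client_port)  # lets the data connection in
        new_payload = format_port(self.public_ip, pub_port)
        self.seq_delta += len(new_payload) - len(payload)  # the dotted address changed length
        return adjusted_seq, new_payload

    def ack_inbound(self, ack):
        """Server ACKs count the rewritten stream; shift them back to what the client sent."""
        return ack - self.seq_delta
```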
Windows 2000 NAT
Windows 2000 NAT is installed as an IP routing protocol component of the Routing and Remote Access service provided with Windows 2000 Server. You can use the Routing and Remote Access Server Setup Wizard or install it separately as the Network Address Translation (NAT) IP routing protocol component. Windows 2000 NAT is designed primarily for home networks and small to medium-sized organizations.
Windows 2000 NAT consists of the following components:
NAT translation component
Translates packets between private networks and the Internet. The NAT translation component is enabled by default.
DHCP allocator addressing component
Provides IP address configuration information for the private network computers. The DHCP allocator is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the private network as DHCP clients in order to automatically receive the IP configuration. The DHCP allocator is disabled by default.
DNS proxy name-resolution component
Acts as a DNS server for the other private network computers. When the DNS proxy receives name resolution requests, it forwards them to the Internet-based DNS server for which it is configured and returns the responses to the private network computer. The DNS proxy is disabled by default.
Network address translation (NAT) protocol settings
After the Network Address Translation (NAT) routing protocol component is installed, you can use its properties to:
- Set the interval after which dynamic mappings for TCP and UDP traffic are removed from the NAT translation table (Translation tab).
- Specify Internet applications that respond on ports other than the port of the initial connection request (Translation tab).
- Enable the DHCP allocator and configure both the private address range and any exclusions (Address Assignment tab).
- Enable the DNS proxy and specify a demand-dial interface (Name Resolution tab).
Public and private interfaces
Interfaces that are added to the NAT routing protocol component must be designated as either a public interface (a single interface connected to the Internet and assigned a public address) or a private interface (an interface connected to a private network segment that uses private addresses).
When you have multiple private interfaces, you should not enable the DHCP allocator. If you do, DHCP-based private computers on separate network segments can communicate with Internet resources, but not with each other.
Public interface settings
On the public interface, you can configure the following settings to specify:
- Whether to translate TCP and UDP headers (General tab).
- The public address pool assigned by your ISP (if you have more than one public IP address) and any reserved public addresses (Address Pool tab).
- Static NAT translation table mappings that allow traffic initiated from Internet computers (Special Ports tab).
Windows 2000 NAT and Internet Connection Sharing
Windows 2000 includes a simplified version of a NAT named Internet Connection Sharing (ICS). ICS can be enabled on the Sharing tab in the properties of a connection in Network and Dial-up Connections. The most significant differences between NAT and ICS are the following:
- ICS does not allow any configuration beyond specifying a dial-up connection to use and configuring Internet applications that respond on ports other than the port of the initial connection request. Neither the ICS DHCP allocator nor DNS proxy can be disabled. Therefore, you cannot use ICS in an Active Directory environment or where standalone DHCP servers are used.
- ICS supports only a single private network segment, while NAT supports multiple private network segments.
Setting up Windows 2000 NAT
To run the Routing and Remote Access Server Setup Wizard to configure your Windows 2000 NAT:
- Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
- Right-click your server name, and then click Configure and Enable Routing and Remote Access.
- In Common Configurations, click Internet connection server, and then click Next.
- In Internet Connection Server Setup, click Set up a router with the Network Address Translation (NAT) routing protocol, and then click Next.
- In Internet Connection, click Use the selected Internet connection.
- Click the interface that is connected to the Internet (the public interface), and then click Next.
- Click Finish.
- To enable the DHCP allocator, right-click the Network Address Translation (NAT) IP routing protocol, and then click Properties. Click the Address Assignment tab, and then click Automatically assign IP addresses by using the DHCP allocator.
- To enable the DNS proxy, click the Name Resolution tab, and then click Clients using the Domain Name System (DNS).
For More Information
For more information about Windows 2000 NAT technology, design, and deployment, including examples, consult the following resources:
- Windows 2000 Server Documentation (Networking\Routing and Remote Access)
- Windows 2000 Server Resource Kit Books, Internetworking Guide (Chapter 3: Unicast IP Routing)
- Microsoft Knowledge Base Search (Query the Windows 2000 product on "Windows 2000 NAT")