The Cable Guy - May 2003
Configuring Access to Services Behind a Network Address Translator (NAT)
A Network Address Translator (NAT) is an IP router defined in RFCs 1631 and 2663 that can translate the IP addresses and TCP/UDP port numbers of packets as they are forwarded. For outgoing packets, the source IP address and TCP/UDP port numbers are mapped to a public source IP address and a possibly changed TCP/UDP port number. For incoming packets, the destination IP address and TCP/UDP port numbers are mapped to the private IP address and original TCP/UDP port number.
The NAT only forwards traffic from the Internet to the private network if a specific mapping exists in the NAT's translation table. Because of this, the NAT provides a level of protection for computers that are connected to private network segments. However, this level of protection also creates a connectivity problem when you want to make private network resources available to Internet clients.
For example, suppose that you set up a Web server on your private network that is bordered by a NAT and had your ISP create a Domain Name System (DNS) record that resolves www.example.com to the public IP address (154.160.0.1) assigned to you by your ISP. When an Internet Web client initiates communication with your Web server on the private network, the following happens:
- The user on the Internet Web client computer (using the public IP address 131.107.0.1) types https://www.example.com in their Web browser.
- The Internet Web client uses DNS to resolve the name www.example.com to the address 154.60.0.1.
- The Internet Web client computer sends a Transmission Control Protocol (TCP) Synchronize (SYN) segment from 131.107.0.1/TCP port 2000 to 154.60.0.1/TCP port 80.
- When the NAT computer receives the TCP SYN segment, it checks its NAT translation table.
- Because there is no entry for destination 154.60.0.1/TCP 80, the TCP SYN segment is silently discarded.
- The Internet Web client computer retries until it finally displays an error message.
Because there is no NAT mapping for inbound traffic, resources on servers that are located behind NATs cannot be accessed from the Internet.
The solution for this connectivity issue is a manually configured, static mapping for the inbound traffic from the Internet that gets translated to the traffic destined for the resource server behind the NAT. To facilitate the forwarding of inbound traffic to a resource server on the private network, you can configure one of two types of static mappings:
- Map all traffic for a specific public IP address to a specific private IP address (an address mapping).
The advantage to this type of mapping is the ease of configuration. Because all traffic to the public IP address is forwarded, you do not have to determine the types of traffic in terms of TCP and UDP ports for the services that are running on the private network computer.
The disadvantage is that the private network computer is now directly exposed to the Internet and more susceptible to attack. You can use Internet Connection Firewall with Windows XP or other firewall software to help protect it. Another disadvantage is that you must obtain more than one public IP address. At least two public addresses are required: one for the resource server and one for the translated traffic of your other private network computers.
- Map a specific public IP address/port number to a specific private IP address/port number (an address/port mapping).
The advantage to this type of static mapping is that the resource server is less vulnerable to attack, except through the traffic allowed by the static address/port mappings. Another advantage is that you need only one public IP address for both the traffic sent to the resource server and the translated traffic for private network computers.
The disadvantage is that there is additional configuration required. You have to create static mappings to each of the services on the resource server that you want to make available from the Internet.
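The following Python model is an added example, not part of the original column or of the Windows NAT implementation. It illustrates the translation-table behaviour described above: an inbound SYN with no table entry is discarded, an address/port mapping forwards only the configured port, a reserved address mapping with incoming sessions allowed forwards every port, and a dynamic entry created by outbound traffic lets the reply come back. The public addresses 154.60.0.1 and 131.107.0.1 and the private address 192.168.0.99 are taken from the column; 154.60.0.2, 192.168.0.10 and the port numbers other than 80 and 2000 are constructed sample values, and the class and function names are the example's own.

```python
# Added example: a minimal model of a NAT translation table with the two
# kinds of static mapping the column describes. Not the Windows RRAS code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    public_ip: str                                   # address shared by private hosts
    address_maps: dict = field(default_factory=dict) # public_ip -> (private_ip, allow_inbound)
    port_maps: dict = field(default_factory=dict)    # (proto, pub_ip, pub_port) -> (priv_ip, priv_port)
    table: dict = field(default_factory=dict)        # dynamic entries, same key layout as port_maps
    next_port: int = 1025                            # next public port for outbound sessions

    def add_address_mapping(self, public_ip, private_ip, allow_inbound=True):
        """Static address mapping: all traffic for public_ip goes to private_ip."""
        self.address_maps[public_ip] = (private_ip, allow_inbound)

    def add_port_mapping(self, proto, public_ip, public_port, private_ip, private_port):
        """Static address/port mapping (the Special Ports / Services entry)."""
        self.port_maps[(proto, public_ip, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network and record the session."""
        for pub, (priv, _) in self.address_maps.items():
            if priv == pkt.src_ip:   # reserved address: keep the host's own public IP
                self.table[(pkt.proto, pub, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
                return Packet(pkt.proto, pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port    # otherwise share the NAT's address, new port
        self.next_port += 1
        self.table[(pkt.proto, self.public_ip, pub_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means silently discarded."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.table:                       # reply to an existing session
            priv_ip, priv_port = self.table[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        if key in self.port_maps:                   # static address/port mapping
            priv_ip, priv_port = self.port_maps[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        if pkt.dst_ip in self.address_maps:         # static address mapping, every port
            priv_ip, allow = self.address_maps[pkt.dst_ip]
            if allow:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, pkt.dst_port)
        return None                                 # no entry: the SYN is dropped


def demo_no_mapping():
    """The failure case from the column: inbound SYN to port 80, no table entry."""
    nat = Nat("154.60.0.1")
    return nat.inbound(Packet("TCP", "131.107.0.1", 2000, "154.60.0.1", 80))


def demo_port_mapping():
    """Address/port mapping: only TCP 80 reaches 192.168.0.99, TCP 21 is dropped."""
    nat = Nat("154.60.0.1")
    nat.add_port_mapping("TCP", "154.60.0.1", 80, "192.168.0.99", 80)
    web = nat.inbound(Packet("TCP", "131.107.0.1", 2000, "154.60.0.1", 80))
    ftp = nat.inbound(Packet("TCP", "131.107.0.1", 2001, "154.60.0.1", 21))
    return web, ftp


def demo_address_mapping():
    """Address mapping on a second public IP (constructed): all ports exposed."""
    nat = Nat("154.60.0.1")
    nat.add_address_mapping("154.60.0.2", "192.168.0.99", allow_inbound=True)
    web = nat.inbound(Packet("TCP", "131.107.0.1", 2000, "154.60.0.2", 80))
    ftp = nat.inbound(Packet("TCP", "131.107.0.1", 2001, "154.60.0.2", 21))
    return web, ftp


def demo_outbound_reply():
    """A private client (constructed 192.168.0.10) opens a session; the reply is translated back."""
    nat = Nat("154.60.0.1")
    out = nat.outbound(Packet("TCP", "192.168.0.10", 3000, "131.107.0.1", 80))
    reply = nat.inbound(Packet("TCP", "131.107.0.1", 80, out.src_ip, out.src_port))
    return out, reply


if __name__ == "__main__":
    print("no mapping:", demo_no_mapping())
    print("port mapping:", demo_port_mapping())
    print("address mapping:", demo_address_mapping())
    print("outbound/reply:", demo_outbound_reply())
```

The order of lookups in `inbound` is the point of the model: the dynamic table serves replies to sessions that private hosts opened, and only the two static mapping types admit sessions that the Internet side initiates. The address/port mapping drops the FTP probe while the address mapping forwards it, which is the exposure difference the two sections above describe.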
How to Allow Traffic for Services Located Behind the NAT Computer
Before you configure the NAT computer, ensure that your ISP has created a DNS record that resolves the DNS name to the public IP address associated with the resource server.
The configuration to allow traffic to the resource server depends on whether you are using Windows 2000 Server or Windows Server 2003, and whether you are configuring an address mapping or an address/port mapping.
Windows 2000 Server
Before you configure the Windows 2000 Server-based NAT computer, you must configure a static IP address configuration on the resource server, including IP address, subnet mask, default gateway (the private IP address of the NAT computer), and DNS server (also the private IP address of the NAT computer).
If the NAT computer is acting as a DHCP allocator for the subnet to which the private computers are attached, then the private IP address and subnet mask must be within the range of IP addresses that are allocated by the NAT computer. This is defined on the Address Assignment tab of the Network Address Translation (NAT) Properties dialog box in the Routing and Remote Access snap-in. Additionally, the IP address assigned to the resource computer must be excluded from the range of IP addresses that are allocated by the NAT computer. To do this, click Exclude on the Address Assignment tab.
Address mapping
To configure a NAT computer running Windows 2000 Server with an address mapping, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open ServerName, then IP Routing, and then click Network Address Translation (NAT).
3. In the details pane, right-click your public interface, and then click Properties.
4. Click the Address Pool tab.
5. If you have already configured the ranges of IP addresses for the public IP address that is assigned to you by your Internet service provider (ISP), go to step 10.
6. Click Add.
7. In Add Address Pool, type the starting IP address, the subnet mask, and the ending IP address for a range of contiguous public IP addresses.
8. Click OK.
9. Repeat steps 6 through 8 for all of the ranges that correspond to your public IP addresses.
10. Click Reservations.
11. In Reserve Addresses, click Add.
12. In Add Reservation, type the public IP address that corresponds to the resource server in Reserve the public IP address, type the private IP address of the resource server in For this computer on the private network, and select Allow incoming sessions to this address.
13. Click OK to add the address mapping.
14. Click OK to save changes to address reservations.
15. Click OK to save changes to the public interface.
Address/port mapping
To configure a NAT computer running Windows 2000 Server with an address/port mapping, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open ServerName, then IP Routing, and then click Network Address Translation (NAT).
3. In the details pane, right-click your public interface, and then click Properties.
4. On the Special Ports tab, select TCP or UDP in Protocol, and then click Add.
5. In Add Special Port, configure the following:
   - In Public address, select either On this interface (if the traffic to the resource server is sent to the public address of the public interface) or On this address pool entry (if the resource server is using a reserved public address). If you select On this address pool entry, type the reserved public address.
   - In Incoming port, type the TCP or UDP destination port number for traffic inbound from the Internet that is destined for the resource server. For example, if the resource server is a Web server, you would type 80 (for TCP port 80, the default Web server TCP port).
   - In Private address, type the static private IP address of the resource server.
   - In Outgoing port, type the TCP or UDP destination port number for traffic forwarded by the NAT computer to the resource server. For example, if the resource server is a Web server, you would type 80 (for TCP port 80, the default Web server port). This value is usually the same as the Incoming port value.
6. Click OK to add the special port mapping.
7. Click OK to save changes to the public interface.
The following figure shows the Add Special Port dialog box for a resource server that is acting as a Web server and using the private IP address of 192.168.0.99. For this example, the NAT computer has only a single public IP address. Because of this, the On this address pool entry option is not available.
The following figure shows the traffic to the resource server and its relation to the fields in the Add Special Port dialog box.
Windows Server 2003
Before you configure the Windows Server 2003-based NAT computer, you must create a static IP address configuration on the resource server, including IP address, subnet mask, default gateway (the private IP address of the NAT computer), and DNS server (also the private IP address of the NAT computer).
If the NAT computer is acting as a DHCP allocator for the subnet to which the private computers are attached, then the IP address and subnet mask must be within the range of IP addresses allocated by the NAT computer. This is defined on the Address Assignment tab of the NAT/Basic Firewall Properties dialog box in the Routing and Remote Access snap-in. Additionally, the IP address assigned to the resource computer must be excluded from the range of IP addresses that are allocated by the NAT computer. To do this, click Exclude on the Address Assignment tab.
Address mapping
To configure a NAT computer running Windows Server 2003 with an address mapping, complete the same steps described in the previous address mapping section, with one difference: in step 2, open ServerName, then IP Routing, and then click NAT/Basic Firewall (instead of Network Address Translation (NAT)).
Address/port mapping
To configure a NAT computer running Windows Server 2003 with an address/port mapping, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open ServerName, then IP Routing, and then click NAT/Basic Firewall.
3. In the details pane, right-click your public interface, and then click Properties.
4. On the Services and Port tab, in the Services list, locate a predefined service that matches that of the resource server.
5. If a matching service exists, click the service checkbox to enable the mapping and select either On this interface or On this address pool entry. If you select On this address pool entry, type the reserved public address, type the private address of the resource server in Private address, and then go to step 8.
6. If a matching service does not exist, click Add.
7. In the Add Service dialog box, configure the following:
   - In Description of Service, type a description for the service you are configuring.
   - In Public address, select either On this interface (if the traffic to the resource server is sent to the public address of the public interface) or On this address pool entry (if the resource server is using a reserved public address). If you select On this address pool entry, type the reserved public address.
   - In Protocol, select either TCP or UDP.
   - In Incoming port, type the TCP or UDP destination port number for traffic inbound from the Internet that is destined for the resource server.
   - In Private address, type the static private address of the resource server.
   - In Outgoing port, type the TCP or UDP destination port number for traffic forwarded by the NAT computer to the resource server.
8. Click OK to save the service configuration.
9. Click OK to save changes to the public interface.
For More Information
For more information about NAT for Windows 2000 Server or Windows Server 2003, consult the following resources:
- Windows Server 2003 Product Documentation
- Windows 2000 Server Product Documentation (Networking\Routing and Remote Access)
- Windows 2000 Server Resource Kit
- Windows 2000 Network Address Translator (NAT) (March 2001 The Cable Guy column)