What Is NAT?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section:
NAT Connection Scenarios
How NAT Differs from ICS
Windows Server 2003 provides network address translation (NAT) functionality as a part of the Routing and Remote Access service. NAT enables computers on the private networks of small- to medium-sized organizations to access resources on the Internet or another public network. The computers on a private network are configured with reusable private Internet Protocol version 4 (IPv4) addresses; the computers on a public network are configured with globally unique IPv4 (or, rarely at present, Internet Protocol version 6 [IPv6]) addresses. A typical deployment is a small office or home office (SOHO), or a medium-sized business, that uses Routing and Remote Access NAT technology to enable computers on the internal corporate network to connect to resources on the Internet without having to deploy a proxy server.
The following figure is a simplified depiction of the Routing and Remote Access NAT service. When a client on the private network sends a request for information to a computer on the public network, the NAT-enabled router, located at the border between the private and the public networks, translates the outgoing packets and then sends them to the destination computer on the public network. The router also translates the response from the public network resource and returns the response to the client on the local network.
NAT-Enabled Router Translating Request and Response Packets
The Windows Server 2003 Routing and Remote Access implementation of NAT provides the following solutions to problems faced by small- or medium-sized networks:
Reusing IP addresses
Bundling NAT, DHCP, and DNS functionality for small networks
Providing firewall protection to the NAT-enabled router
Providing Internet access to remote access clients
Providing PPPoE broadband Internet access
Reusing IP Addresses
Any computer with a direct (routed) connection to the Internet requires a public IP address from the Internet Assigned Numbers Authority (IANA). IANA allocates public addresses and guarantees them to be globally unique on the Internet. The limited and ever-decreasing availability of public IPv4 addresses is one of the most compelling problems facing the IP Internet. The major long-term solution to the problem of address depletion is the development of IPv6, which introduces a new addressing model that uses 16-byte addresses expressed in colon-hexadecimal notation rather than the familiar four-byte IPv4 addresses typically expressed in dotted-decimal notation. Until the long-term IPv6 solution is widely in use, however, other methods to ensure that IPv4 addresses remain available are urgently required. One temporary solution that reduces the demand for IPv4 addresses is address reuse.
NAT, originally defined in RFC 1631 and extended in RFC 3022, was developed explicitly to provide a method that enabled an unlimited number of organizations to reuse private IPv4 addresses on their networks, thus substantially decreasing the demand for new public IPv4 addresses. This need to decrease the demand for public IPv4 addresses was the initial impetus for the creation of NAT technology.
Private networks can use any range of IP addresses for computers on their internal network. Prior to RFC 1918, published in February 1996, the typical practice was to assign public addresses to all hosts that use TCP/IP whether or not they needed access to the Internet. RFC 1918 describes the three ranges of IPv4 addresses that it recommends that organizations use for private networks. RFC 3022, published in January 2001, recommends that private networks that implement NAT in order to access the Internet use the private address space described in RFC 1918.
The private address space described in RFC 1918 consists of three sets of addresses reserved by IANA for use by private networks. These are:
10.0.0.0 through 10.255.255.255 (or 10.0.0.0/8 in Classless Inter-domain Routing [CIDR] notation)
172.16.0.0 through 172.31.255.255 (or 172.16.0.0/12)
192.168.0.0 through 192.168.255.255 (or 192.168.0.0/16)
IANA has designated these addresses as nonroutable, that is, networks that use these addresses cannot directly connect to the Internet (or other public network) through an Internet router. Instead, they need to access a router that supports NAT so that these nonroutable addresses can be translated into public addresses for routing over the Internet.
Thus, all interfaces connected to a private network with a Routing and Remote Access NAT-enabled router are assigned private IP addresses, including the NAT-enabled router itself, which has a private address on its private interface (LAN card) and one or more public addresses on at least one public interface (demand-dial connection or LAN card). The NAT-enabled router is the conduit through which a private network computer sends a request out to a public network and through which a response is received.
Network Address Port Translation (NAPT), described in RFC 3022, extends address translation by using many-to-one mapping when, as is typically the case, the number of internal addresses is greater than the number of public addresses available on the NAT-enabled router. The NAT-enabled router might have only one public address configured, or it might have a pool of public addresses. Using NAPT, it is possible to map many connections through a single public address by assigning each connection a different port number.
In addition to the conservation of IPv4 addresses, NAT technology provides the following additional incentives to choose reusable private addresses:
Using IPv4 private addresses eliminates the need for an organization to obtain public IPv4 addresses from its ISP. This is an advantage because any organization that uses public addresses that then changes to a different ISP must obtain new public addresses for each computer from the new provider and then reconfigure the network accordingly. With NAT, an organization can use the same private addresses regardless of which ISP provides its Internet access. If such an organization decides to change ISPs, the only reconfiguration required is on the public interface of the NAT-enabled router, which will need a new public address from the new ISP.
Using private IPv4 addresses, for which you incur no cost, is less expensive than buying a block of public IPv4 addresses from an ISP.
Using private IPv4 addresses lets organizations continue to use IPv4 networks rather than migrate their networks to IPv6, a process that can be costly, especially for larger organizations, and that might require equipment upgrades or replacement as well as retraining for network administrators.
For a discussion of public versus private addressing in TCP/IP networks, see “Choosing Public or Private Addresses” in the chapter Designing a TCP/IP Network of the Windows Server 2003 Deployment Kit. For information about IPv6, including IPv6 addressing, see “Introducing IPv6 on Your Network” in the same chapter.
Bundling NAT, DHCP, and DNS for Small Networks
Organizations with small networks often do not need or want to expend resources setting up a full-fledged network infrastructure. For these organizations, the NAT/Basic Firewall component provided by the Windows Server 2003 Routing and Remote Access service supports NAT in conjunction with simplified versions of the Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) services.
The name “NAT/Basic Firewall” indicates only that NAT is configured; it does not necessarily indicate that the optional Basic Firewall feature is also configured. You can configure Basic Firewall at the same time that you install NAT, or you can configure Basic Firewall later. You can deploy NAT with both Basic Firewall and another firewall technology, or you can use NAT with another firewall technology without configuring Basic Firewall. For more information, see “Providing Firewall Protection to the NAT-enabled Router” later in this section.
In addition to the translation component, which translates IP addresses and TCP or UDP port numbers for packets sent between a private network and the Internet, the NAT/Basic Firewall component of the Routing and Remote Access service also provides (optionally) automatic addressing and name-resolution proxying:
DHCP Allocator. The NAT/Basic Firewall automatic addressing capability. If enabled, the DHCP allocator feature allows the NAT-enabled router to act as a simplified DHCP server that automatically assigns to the computers on the private network an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. If multiple routed subnets are configured, you must use a DHCP server rather than the DHCP allocator.
DNS Proxy. The NAT/Basic Firewall automatic name-resolution capability. If enabled, the DNS proxy feature allows the NAT-enabled router to act as a DNS server for the computers on the private network. When the DNS proxy receives a DNS name resolution request, the DNS proxy sends a request to the Internet-based DNS server for which the NAT-enabled router is configured and then provides the results of the response to the private network computer from which the request originated.
For more information about the DHCP allocator and DNS proxy, see “Optional NAT Subsystems” in “How NAT Works”.
Providing Firewall Protection to the NAT-Enabled Router
To computers on a public network, such as the Internet, all requests from a private network that has deployed NAT appear to come from a public IPv4 address on the NAT-enabled router. The private network IPv4 address scheme remains hidden. By using a NAT, the computers on the private network gain some measure of protection because the NAT-enabled router does not forward traffic from the Internet into the private network unless a private network client had requested it or unless specific traffic is explicitly allowed. Although NAT technology lets organizations that implement it hide their private network topology from the Internet behind the NAT-enabled router, the Internet interface (also known as the public interface) of the NAT-enabled router is not hidden from the Internet. Without firewall protection, the Internet interface of the NAT-enabled router is vulnerable to attack.
The Windows Server 2003 Routing and Remote Access NAT component includes a simple stateful firewall called Basic Firewall, which uses technology similar to that used by the Internet Connection Firewall (ICF) feature available in Windows XP, Windows XP SP1, and Windows Server 2003. A stateful firewall uses dynamic packet filtering to examine incoming and outgoing packets. This new integration of Routing and Remote Access NAT with Basic Firewall lets network administrators protect the Internet interface of any computer running a member of the Windows Server 2003 family that is acting as a NAT. By enabling the optional Basic Firewall feature on the Internet interface (or multiple public interfaces) of the NAT-enabled router, an administrator ensures that all packets that are received on the public interface that do not correspond to traffic requested by the NAT computer (either for itself or for private network clients), or that are explicitly allowed, are discarded.
For more information about Basic Firewall, see the “Optional NAT Subsystems” section in “How NAT Works”.
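The following is an added example, not code from the Routing and Remote Access service. It models the NAPT many-to-one mapping described under "Reusing IP Addresses" (several RFC 1918 hosts sharing one public address, each session given its own public port) and the stateful behaviour described above for Basic Firewall: a packet arriving on the public interface that matches no session a private client opened is discarded. All addresses and ports are constructed sample values (RFC 5737 documentation ranges for the public side).

```python
"""Minimal NAPT (RFC 3022) translator with a stateful inbound check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three RFC 1918 private ranges listed in this section, in CIDR notation.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Many-to-one translator: one public IPv4 address, a pool of public ports."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port) -> public port
        self.out_map: dict[tuple[str, int], int] = {}
        # public port -> (private ip, private port, remote ip, remote port)
        self.in_map: dict[int, tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private interface toward the public network."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an RFC 1918 address; not translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the public interface; None means discard."""
        entry = self.in_map.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.public_ip:
            return None  # no private client requested this traffic: drop it
        priv_ip, priv_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # this example also requires the reply to come from the peer contacted
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Two private hosts using the same local port share one public address."""
    nat = Napt("203.0.113.7")  # constructed public address of the NAT-enabled router
    a = nat.outbound(Packet("192.168.0.10", 1025, "198.51.100.5", 80))
    b = nat.outbound(Packet("192.168.0.11", 1025, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.7", a.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.7", 60000))
    return a, b, reply, stray


if __name__ == "__main__":
    print(demo())
```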
Providing Internet Access to Remote Access Clients
A computer running a member of the Windows 2000 Server family might be configured to provide remote access to its private network — for traveling employees or employees working from home, for example. The same server might also be configured as a NAT-enabled router to provide access to the Internet for computers within the private network.
Although you cannot configure a computer running Windows 2000 Server to provide Internet access to connected remote access clients by using the Routing and Remote Access snap-in, you can do so by using the command-line Netsh tool. You can use a Netsh command to add the Internal interface, which is a logical interface that represents the connection to all remote access clients, as a private interface to the NAT/Basic Firewall component of the Routing and Remote Access service. This configuration allows connected remote access clients to access the Internet.
Computers running a member of the Windows Server 2003 family now allow you to use the Routing and Remote Access snap-in to add the Internal interface as a private interface to the NAT/Basic Firewall component to enable connected remote access clients to access the Internet. With Windows Server 2003, you can also still use Netsh to accomplish the same task.
When you enable the Routing and Remote Access service on a computer running Windows Server 2003, an interface named Internal appears under Routing Interfaces in the Routing and Remote Access snap-in. Do not delete the Internal interface.
Providing PPPoE Broadband Internet Access
The number of multiple-computer households is increasing at a rapid rate. One efficient option for such households, as well as small businesses, is to use Point-to-Point Protocol over Ethernet (PPPoE) to establish a single broadband connection (such as through a DSL line or cable modem) to an ISP. PPPoE makes high-speed Internet access available to all the computers in the home or small office.
The Windows Server 2003 Routing and Remote Access service introduces the use of PPPoE as a connection type for demand-dial connections. This functionality enables a home or small business to use a NAT-enabled router and the PPPoE broadband Internet connection to connect their private network to the Internet.
NAT Connection Scenarios
Scenarios in which you might deploy Windows Server 2003 Routing and Remote Access NAT include connecting a business or home to the Internet, or using NAT on one side of two connected geographically remote offices.
Connecting a Business or Home to the Internet
In a typical deployment that uses Windows Server 2003 Routing and Remote Access NAT, a small- or medium-sized business (or home office) assigns private IPv4 addresses to its computers and installs a Routing and Remote Access NAT-enabled router. The computers on the private network cannot gain access to the Internet directly because they have reusable private addresses. Instead, they gain access to the Internet through the NAT-enabled router.
The NAT-enabled router has both a private interface and a public interface, the public IPv4 address of the latter provided by a local ISP. When a client computer sends a request out to a resource on the Internet, the request is sent initially to the NAT-enabled router, which translates the request packets, forwards them to the Internet resource, accepts responses from the Internet resource, re-translates the packets, and then returns the response to the client.
Another example in which NAT technology can provide access to the Internet is the case of a small ISP that serves home users who have dial-up connections. In this case, the NAT-enabled router is located at the ISP. Whenever the customer dials in, the ISP assigns a private IPv4 address to the customer’s computer. When the customer requests access to a server on the Internet, the NAT-enabled router at the ISP translates the outgoing request and, later, the incoming response.
Using NAT on One Side of Two Remote Offices
Another deployment option is to use NAT on one side (typically, the smaller office) of a connection that links offices in different geographical locations. The Windows Server 2003 Routing and Remote Access service provides two types of virtual private network (VPN) site-to-site connections. The following table describes the circumstances in which you can use a NAT in conjunction with a VPN connection.
Locating a Network Using a VPN Behind a NAT
Type of VPN Site-to-Site Connection | Can You Use NAT? | Description
PPTP | Yes | In most cases, you can locate PPTP–based calling routers behind a NAT-enabled router (or configure one computer as both the calling router and the NAT-enabled router) in order to allow computers with private addresses in a SOHO network to share a single connection to the Internet. With a VPN connection, the site-to-site connection from the small office to the main office is “tunneled” through the Internet. Windows Server 2003 Routing and Remote Access NAT includes a NAT editor that can accurately translate PPTP-tunneled data.
L2TP/IPSec | Yes, but only if you use the IPSec NAT Traversal (NAT-T) feature | With Windows Server 2003–based calling or answering routers, you can use the IPSec feature called NAT traversal (NAT-T) to create L2TP/IPSec connections across NATs. Using NAT-T requires running Windows Server 2003 on both the calling and answering routers (or appropriately configured Cisco routers). With NAT-T, computers with private addresses that are hidden behind a NAT can use IPSec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows XP Professional SP1). No NAT editor exists for L2TP/IPSec, so the only way to use NAT is by implementing IPSec NAT-T.
For more information about site-to-site VPN connections, see the chapter “Connecting Remote Sites” in the Networking collection of the “Windows Server 2003 Deployment Kit”.
For more information about IPSec NAT-T, see “End-to-End Traffic Through an ISA-Secured Network Address Translator” in “What Is IPSec?” in the Security collection of this technical reference.
For more information about NAT editors provided by the Routing and Remote Access service, see “How NAT Works” in the Networking collection of this technical reference.
How NAT Differs from ICS
Internet Connection Sharing (ICS) provides a network translation capability that is an alternative option to that provided by Routing and Remote Access NAT. ICS, which is typically used by networks that have two to 10 computers, is provided by Network Connections on Windows XP as well as on Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. Because ICS and Routing and Remote Access NAT share common drivers, they cannot coexist on the same network.
With ICS, as with Routing and Remote Access NAT, you can connect computers on a SOHO network to the Internet by using just one connection. Although configuring Routing and Remote Access NAT is simple, configuring ICS is simpler — a single configuration step (selecting a single check box) provides a translated connection to the Internet for all of the computers on a single-subnet private network.
ICS and Routing and Remote Access NAT share the following features:
Address translation. Both ICS and Routing and Remote Access NAT translate inbound and outbound IPv4 traffic by modifying IPv4 addresses and ports.
Public and private interfaces on the computer that connects to the network. Both ICS and Routing and Remote Access NAT require two interfaces on the computer that provides address translation in order to work: one public and one private. The private interface, typically a LAN adapter or the Internal interface, connects the ICS or Routing and Remote Access NAT computer to the computers on the private network. The public interface, typically a DSL, cable, or dial-up modem, connects the private network to the Internet.
Firewall protecting the Internet interface. Windows XP, Windows XP SP1, and Windows Server 2003 include ICF, and Windows Server 2003 Routing and Remote Access NAT includes Basic Firewall, to protect the public interface of the workstation, server, or NAT router that provides Internet access to the other computers on the private network.
DHCP Allocator. Both ICS and (optionally) Routing and Remote Access NAT can use this simplified DHCP service, which assigns the IP address, subnet mask, default gateway, and DNS server on the private network.
DNS Proxy. Both ICS and (optionally) Routing and Remote Access NAT can use this simplified DNS service, which resolves DNS names on behalf of private network clients and forwards queries.
The most significant differences between Routing and Remote Access NAT and ICS NAT are the following:
SOHO or larger network. ICS is designed specifically for SOHO networks. Routing and Remote Access NAT scales from homes or small organizations to medium-sized networks.
Computer connection to the Internet. With ICS, the connection to the Internet is managed most often by a Windows XP workstation, although you can also configure ICS on a computer running Windows 2000 Server or Windows Server 2003. With Routing and Remote Access NAT, the connection to the Internet or other public network is managed by a NAT-enabled router running the Windows Server 2003 or Windows 2000 Server Routing and Remote Access service.
Configuration limits. ICS allocates addresses for internal hosts automatically from an address range that is not configurable (192.168.0.0/24) and supports only one public interface (whose address is obtained from an ISP) through which network computers can access the Internet. Routing and Remote Access NAT lets you access the Internet (or other public network) through multiple interfaces and lets you choose your own addressing scheme.
DNS and DHCP configuration. DNS and DHCP configuration are similar, but not identical, for ICS and Routing and Remote Access NAT:
ICS NAT. Typically, ICS is used in a network with two to 10 computers. Because a network this small might not have DNS servers or DHCP servers, ICS provides the DHCP allocator and the DNS proxy to provide automatic address configuration and name resolution for private network hosts. If, however, a DHCP server is deployed on a network that uses ICS, the ICS DHCP allocator yields to the DHCP server. Similarly, if the Microsoft DNS service is installed on the same computer as the DNS proxy, the ICS DNS proxy yields to the DNS server. On a private network that uses ICS, if a DNS server is deployed on a computer other than the one on which ICS is installed, either a DHCP server must also be installed on a computer other than the ICS computer, or all clients on the private network must be manually configured with the IP address of the DNS server.
Routing and Remote Access NAT. Typically, Routing and Remote Access NAT is used in any network from small to medium in size. Routing and Remote Access NAT also provides the DHCP allocator and the DNS proxy for use in smaller networks that do not install a DNS server or a DHCP server. If a network that uses Routing and Remote Access NAT has a DHCP server in place, do not enable the DHCP allocator on the Routing and Remote Access NAT-enabled router (or disable it if it is already enabled). The DNS proxy can work in conjunction with a DNS server. For more information about how the DHCP allocator and the DNS proxy work in Routing and Remote Access NAT, see “Optional NAT Subsystems” in “How NAT Works.”
Number of network segments. ICS supports only a single private subnet. Routing and Remote Access NAT can support multiple private subnets. A network with multiple subnets must use a DHCP server rather than the DHCP allocator.
For more information about ICS and NAT, see “Internet Connection Sharing and network address translation” in Help and Support Center for Windows Server 2003, and “Internet Connection Sharing Overview.”
For more information about NAT, see the following RFCs in the IETF RFC Database:
RFC 1631, “The IP Network Address Translator.”
RFC 3022, “Traditional IP Network Address Translator (Traditional NAT).”
RFC 1918, “Address Allocation for Private Internets.”
RFC 2663, “IP Network Address Translator (NAT) Terminology and Considerations.”
The following resources contain additional information that is relevant to this section:
“Choosing Public or Private Addresses” and “Introducing IPv6 on Your Network” in the chapter Designing a TCP/IP Network of the Windows Server 2003 Deployment Kit.
“Connecting Remote Sites” in the Windows Server 2003 Deployment Kit.
“End-to-End Traffic Through an ISA-Secured Network Address Translator” in “What Is IPSec?”
“Network Address Translation (NAT)” in Internetworking with TCP/IP, Vol. 1: Principles, Protocols, and Architecture, Fourth Edition, by Douglas E. Comer, Prentice Hall, New Jersey, 2000.