VPN and NAT Example

Applies To: Windows Server 2008, Windows Server 2008 R2

If a small business is using the 192.168.0.0 network ID for its intranet and has been granted a public address of w1.x1.y1.z1 by its Internet service provider (ISP), then network address translation (NAT) maps all private addresses on the network 192.168.0.0 to the IP address of w1.x1.y1.z1. If multiple private addresses are mapped to a single public address, NAT uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another.

Note

The use of w1.x1.y1.z1 and w2.x2.y2.z2 is intended to represent valid public IP addresses as allocated by the Internet Assigned Numbers Authority (IANA) or an ISP.

The following illustration shows an example of the use of NAT to transparently connect an intranet to the Internet.

If a private user at 192.168.0.10 behind a NAT device uses a Web browser to connect to the Web server at w2.x2.y2.z2, the user's computer creates an IP packet with the following information:

  • Destination IP address: w2.x2.y2.z2

  • Destination port: TCP port 80

  • Source IP address: 192.168.0.10

  • Source port: TCP port 1025

This IP packet is then forwarded to the NAT device, which translates the addresses of the outgoing packet to the following:

  • Destination IP address: w2.x2.y2.z2

  • Destination port: TCP port 80

  • Source IP address: w1.x1.y1.z1

  • Source port: TCP port 5000

The NAT protocol keeps the mapping of {192.168.0.10, TCP 1025} to {w1.x1.y1.z1, TCP 5000} in a table in memory.

The translated IP packet is sent over the Internet. The response is sent back and received by the NAT device. When received, the packet contains the following public address information:

  • Destination IP address: w1.x1.y1.z1

  • Destination port: TCP port 5000

  • Source IP address: w2.x2.y2.z2

  • Source port: TCP port 80

The NAT protocol checks its translation table and maps the public address back to a private address and forwards the packet to the computer at 192.168.0.10. The forwarded packet contains the following address information:

  • Destination IP address: 192.168.0.10

  • Destination port: TCP port 1025

  • Source IP address: w2.x2.y2.z2

  • Source port: TCP port 80

For outgoing packets from the NAT protocol, the source IP address (a private address) is mapped to the ISP-allocated address (a public address), and the source TCP/UDP port number is mapped to a different, dynamically chosen TCP/UDP port number.

For incoming packets to the NAT protocol, the destination IP address (a public address) is mapped to the original intranet address (a private address), and the TCP/UDP port numbers are mapped back to their original TCP/UDP port numbers.

Note

Packets that contain the IP address only in the IP header are properly translated by NAT. Packets that contain the IP address within the IP payload might not be properly translated by NAT because NAT cannot modify the payload.
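As an added example, not code from the original article, the translation steps above and the payload caveat implemented as a small port-translating NAT in Python. The public address strings are the article's placeholders (not real IP addresses), port 5000 is the first dynamically chosen public port, and the packet fields and table layout are assumptions for illustration.

```python
from dataclasses import dataclass

PUBLIC_IP = "w1.x1.y1.z1"   # placeholder public address, as in the text (not a real IP)


@dataclass(frozen=True)
class Packet:
    """The address fields of an IP/TCP (or UDP) packet, plus its payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    payload: bytes = b""


class Nat:
    """Port-translating NAT holding the {private ip, port} <-> {public ip, port} table."""

    def __init__(self, public_ip: str, first_port: int = 5000):
        self.public_ip = public_ip
        self.next_port = first_port   # next dynamically chosen public port
        self.outbound = {}   # (proto, private ip, private port) -> public port
        self.inbound = {}    # (proto, public port) -> (private ip, private port)

    def translate_outgoing(self, pkt: Packet) -> Packet:
        """Rewrite the source of an intranet packet to the public address and a mapped port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:   # first packet of this flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        # Only the IP/TCP headers change; the payload is copied through untouched.
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port,
                      pkt.proto, pkt.payload)

    def translate_incoming(self, pkt: Packet):
        """Map a reply sent to the public address back to the private host; None if no entry."""
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key not in self.inbound:
            return None   # no table entry: unsolicited inbound packet has no host to go to
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto, pkt.payload)


def payload_carries_address(pkt: Packet, address: str) -> bool:
    """True if a private address also sits inside the payload, which NAT does not rewrite."""
    return address.encode() in pkt.payload
```

The last function makes the note's caveat checkable: after translation the header carries the public address, but a private address embedded in the payload is still there.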