
An inexpensive way to get an Internet connection

For years, small office/home office (SOHO) networks have used dial-up modems or ISDN to access the Internet. Compared with newer options such as cable modems and asymmetric digital subscriber lines (ADSLs), dial-up solutions are complex and require you to have a certain level of OS, TCP/IP, hardware, and application expertise. Dial-up solutions also require the costly addition of items such as telephone lines, modems, ISDN connections, and ISP accounts.

In Windows 2000 Server (Win2K Server), Microsoft offers you two ways to connect SOHO networks to the Internet: You can use a routed connection or a translated connection. With routed connections, Win2K Server acts as an IP router and forwards packets from SOHO clients to the hosts on the Internet. Routed connections let servers forward all IP traffic to the Internet. However, setting up routed connections requires knowledge of IP networking and routing. With translated connections, Win2K Server acts as an IP router and translates packets from the SOHO hosts to the Internet hosts. Unlike routed connections, translated connections might not permit servers to translate all IP traffic.

In Win2K Server Release Candidate 2 (RC2), build 2128, you can use Microsoft Internet Connection Sharing (ICS) or Network Address Translation (NAT) to configure translated connections to the Internet. ICS is a feature of the Network and Dial-Up Connections tool. NAT is a routing protocol that you configure through the Routing and Remote Access window, which Screen 1 shows. NAT is Microsoft's variation of the Internet Engineering Task Force's (IETF's) Network Address Translator standard, which provides Internet connectivity in a simple, flexible, and inexpensive way. Microsoft uses the term ICS for what the company called Shared Access and uses the term NAT for what the company called Connection Sharing in early builds of Win2K Server.

The main purpose of the ICS and NAT services is to share a network connection that acts as a gateway or router to provide transparent Internet connectivity to clients on one subnet. The clients on the internal network don't need modems, extra phone lines, or valid IP addresses to directly connect to the Internet. The clients can simply proxy through the NAT server to access the external network.

NAT Background
In Request for Comments (RFC) 1631, the IETF describes several variations of Network Address Translator. The variations include traditional Network Address Translator, two-way Network Address Translator, twin Network Address Translator, host Network Address Translator, and host Network Address Port Translation (NAPT). Traditional Network Address Translator lets hosts on a private network (e.g., a LAN) access hosts on an external public network (e.g., the Internet). Traditional Network Address Translator permits only outbound sessions from the private network to the public network. A two-way Network Address Translator, as its name suggests, permits sessions in both directions: inbound and outbound. Twin Network Address Translator lets you change information in both the source and destination IP address fields, so you use twin Network Address Translator when address assignments between disparate domains overlap. Host Network Address Translator and host NAPT let you use security mechanisms such as IP Security (IPSec) and DNS Security (DNSsec) in a Network Address Translator environment.

Microsoft's implementation of NAT in Windows 2000 (Win2K) fits somewhere between a traditional Network Address Translator and a two-way Network Address Translator. Microsoft has added many more features to its flavor of NAT to make it easier to use.

Internet Connection Sharing
Let's take a closer look at Microsoft's ICS service in Win2K as a method to translate packets for Internet connectivity. Depending on your situation, you might prefer ICS to NAT. You can think of ICS as NAT light. To configure ICS, you simply select a check box to enable shared Internet access.

Keep in mind that ICS and NAT are mutually exclusive—you can't run both on the same machine. Although these services have a similar purpose, NAT has some functions that ICS doesn't have. For example, you can't configure multiple public IP addresses in ICS, and ICS doesn't support WINS proxy agents. The ICS clients use mixed-node NetBIOS for name resolution on a SOHO network.

The purpose of ICS is to let your clients on the internal network have transparent access to the Internet. You don't need to be a network guru to set up ICS. To set up an ICS server, your ICS computer must have at least two interfaces. One of them must be a NIC, and the other can be any other interface (e.g., dial-up adapter, Digital Subscriber Line—DSL—adapter, another NIC, ISDN adapter).

You enable ICS on the external interface. When you configure the external interface for ICS, you automatically configure the internal interface on the ICS server with the IP address 192.168.0.1 and a subnet mask of 255.255.255.0. You also configure the clients to obtain an IP address from a DHCP server. The ICS server automatically assigns IP addresses to the private clients from the class C network range (i.e., 192.168.0.0 to 192.168.255.255), and the clients automatically obtain the IP address of the ICS server for DNS name resolution. None of these parameters on the ICS server are configurable. Therefore, you can't disable DNS proxy services, modify the range of client-assigned IP addresses, configure port mappings, or disable the DHCP allocator. Table 1 shows a typical ICS client configuration on a private network.

To configure ICS for a dial-up connection in Win2K, select Start, Settings, Network and Dial-Up Connections. Next, double-click Make New Connection. Using the Network Connection Wizard, select an appropriate Network Connection Type, as Screen 2 shows. For example, you can choose Dial-up to private network (and you'll need to enter a number in the Phone Number to Dial dialog box). The Connection Availability dialog box gives you two options for the connection: For all users or Only for myself. In the next dialog box, select the Enable Internet Connection Sharing for this connection check box, as Screen 3 shows. To configure ICS, you need to set the LAN adapter on the private network to 192.168.0.1. A pop-up message warns you of the consequences of other clients on your SOHO network using a different address range. To configure ICS on your machine, click Yes. You want to enable ICS only on the external interface. Incorrect configuration of ICS can cause clients outside your SOHO network (e.g., other DSL users in your neighborhood) to obtain IP addresses from your DHCP allocator. If you no longer want your computer to serve as an ICS server, you can go to the network interface's Properties dialog box, select the Sharing tab, and clear the Enable Internet Connection Sharing for this connection check box.

If you're running a small network and can't afford to hire a network administrator, you can easily configure ICS and access the Internet from your network clients without knowing much about TCP/IP, DNS, WINS, or browser configuration. SOHO businesses can benefit from such a solution. But if you want more control of your environment, you need to use NAT instead of ICS.

Network Address Translation
NAT offers all the features that ICS offers, and more. NAT keeps track of the address and port translations for outbound connections so that the proper clients on the private network receive the packets back from the external network.

To provide address translation for the internal clients on a network, NAT translates the private IP addresses in the IP headers to a single public address. The clients access the Internet transparently without requiring additional software. The NAT server acts as a router and can also translate TCP or UDP ports for the clients. This approach might sound similar to the services that Microsoft Proxy Server offers. The two services have some differences, but they offer similar functionality and a NAT server isn't an alternative to Proxy Server.

To install NAT in Win2K, select Start, Programs, Administrative Tools. Open the Routing and Remote Access window, add your server, right-click the server name, and select Configure and Enable Routing and Remote Access. After you install RRAS, the program prompts you to start the service. After the service starts, expand IP Routing and right-click General. Select New Routing Protocol, select Network Address Translation (NAT), as Screen 4, page 143 shows, and click OK. Next, under IP Routing, right-click Network Address Translation (NAT) and add the interfaces (at least two).

Figure 1 shows a typical SOHO configuration with two NICs. The internal interface represents the private NIC and uses a static IP address of 192.168.0.1 to connect to the network. The external interface represents the public NIC and uses a DSL connection to an ISP using a static IP address to the Internet, such as 10.10.10.1 (this example address isn't valid on the Internet). Generally, your ISP assigns this static IP address.

To configure an external interface from the interface's Properties dialog box, select the General tab, choose Public interface connected to the Internet, and click OK. To configure an internal interface, select the General tab, choose Private interface connected to private network, and click OK. These two options are mutually exclusive.

Now you're ready to configure additional options for NAT. After you right-click Network Address Translation (NAT) and select Properties, four tabs are available for configuration: General, Translation, Address Assignment, and Name Resolution. The General tab has four logging options that are fairly self-explanatory. These options provide levels of logging to Win2K's Event Viewer. The Translation tab lets you set TCP and UDP session timeout values and specifies how long a dynamic mapping for a TCP or UDP session remains in the NAT server's internal routing table. The default for connection-oriented TCP sessions is 1440 minutes (24 hours), and the default for connectionless UDP sessions is 1 minute.
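The translation table that the preceding paragraphs describe (outbound mappings created on demand, replies matched back to the private client, and dynamic mappings aged out by the Translation tab's TCP and UDP timeouts) is easier to reason about as code. The following is an added example written for this article, not Microsoft's implementation: it models a traditional, outbound-only translator in the sense of RFC 1631 using the article's addresses (192.168.0.1 on the private side, 10.10.10.1 on the public side, which the article notes is not a valid Internet address) and its default timeouts of 1440 minutes for TCP and 1 minute for UDP. The Internet host 203.0.113.10, the client ports, and the rule that a mapping is keyed per remote endpoint are constructed assumptions; the article does not specify how strictly the NAT server matches replies.

```python
"""Simulation of the dynamic NAT/NAPT mapping table of a Win2K-style translator.

Added example, not Microsoft's code. Addresses 192.168.0.x and 10.10.10.1 come
from the article; 203.0.113.10 (a documentation address) and the ports are
constructed sample values.
"""
from dataclasses import dataclass

TCP_TIMEOUT_S = 1440 * 60   # Translation tab default: 1440 minutes (24 hours)
UDP_TIMEOUT_S = 1 * 60      # Translation tab default: 1 minute


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Outbound-only (traditional) translator: one public address, many private clients."""

    def __init__(self, public_ip="10.10.10.1", first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port, expires_at)
        self.mappings = {}
        # (proto, private_ip, private_port, remote_ip, remote_port) -> public_port
        self.by_private = {}

    def _timeout(self, proto):
        return TCP_TIMEOUT_S if proto == "tcp" else UDP_TIMEOUT_S

    def _expire(self, now):
        """Drop dynamic mappings whose timeout has elapsed."""
        dead = [k for k, v in self.mappings.items() if v[4] <= now]
        for k in dead:
            v = self.mappings.pop(k)
            self.by_private.pop((k[0], v[0], v[1], v[2], v[3]), None)

    def outbound(self, pkt, now):
        """Translate a packet leaving the private network; create or refresh its mapping."""
        self._expire(now)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_private.get(key)
        if port is None:
            port = self.next_port          # allocate a fresh public port for this session
            self.next_port += 1
            self.by_private[key] = port
        self.mappings[(pkt.proto, port)] = (
            pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now + self._timeout(pkt.proto))
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Reverse-translate a packet arriving on the public interface, or return None to drop it."""
        self._expire(now)
        m = self.mappings.get((pkt.proto, pkt.dst_port))
        if m is None or pkt.dst_ip != self.public_ip:
            return None                    # no mapping: unsolicited inbound traffic is dropped
        private_ip, private_port, remote_ip, remote_port, _ = m
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                    # assumption: only the host the client contacted may reply
        # Traffic on a session refreshes its timeout.
        self.mappings[(pkt.proto, pkt.dst_port)] = (
            private_ip, private_port, remote_ip, remote_port, now + self._timeout(pkt.proto))
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    """Two private clients reach the same web server; a UDP mapping ages out after 1 minute."""
    nat = NatTable()
    a = nat.outbound(Packet("tcp", "192.168.0.3", 1025, "203.0.113.10", 80), now=0)
    b = nat.outbound(Packet("tcp", "192.168.0.4", 1025, "203.0.113.10", 80), now=0)
    reply_to_a = nat.inbound(Packet("tcp", "203.0.113.10", 80, a.src_ip, a.src_port), now=5)
    u = nat.outbound(Packet("udp", "192.168.0.3", 3000, "203.0.113.10", 53), now=0)
    late = nat.inbound(Packet("udp", "203.0.113.10", 53, u.src_ip, u.src_port), now=61)
    return a.src_port, b.src_port, reply_to_a.dst_ip, late


if __name__ == "__main__":
    print(demo())
```

Both clients use source port 1025, so the translator has to rewrite the port as well as the address (1025 and 1026 on the public side) or the replies could not be told apart; the UDP reply that arrives after the 1-minute default is dropped because its mapping no longer exists, which is the practical effect of the Translation tab timeouts on long-lived UDP sessions.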

The Address Assignment tab, which Screen 5 shows, lets you automatically assign IP addresses to your internal clients. When you select the Automatically assign IP addresses by using DHCP check box, you enable the DHCP allocator. Screen 5 shows the NAT server with a static IP address of 192.168.0.0 and a subnet mask of 255.255.255.0. To avoid duplicate IP addresses on your internal network, you can use the Exclude option to exclude a range of IP addresses that are already in use on your private network. Microsoft suggests you add the NAT server's IP address (e.g., 192.168.0.1) to the list of reserved IP addresses. The Address Assignment tab gives the impression that you need a DHCP server on your private network because the dialog box says that you're configuring this option to use DHCP for automatic address assignment. In fact, you don't need a DHCP server on the private network. When you select the Automatically assign IP addresses by using DHCP check box, you enable a DHCP allocator that functions as a limited DHCP server.
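To make the allocator's behaviour concrete, here is an added example (written for this article, not Microsoft's code) that models the DHCP allocator enabled on the Address Assignment tab: it hands out addresses from the article's 192.168.0.0/24 network, honours an Exclude range, reserves the NAT server's own address 192.168.0.1 as Microsoft suggests, and answers only requests that arrive on the private interface, which is the condition the ICS section warns about when the wrong interface is shared. The interface names, client MAC addresses, and the assumption that the NAT server is handed to clients as default gateway are constructed.

```python
"""Model of the NAT/ICS DHCP allocator with exclusions and a reserved server address.

Added example, not Microsoft's code. Network, mask and server address follow the
article; interface names and MAC addresses are constructed sample values.
"""
import ipaddress


class DhcpAllocator:
    def __init__(self, network="192.168.0.0/24", server_ip="192.168.0.1",
                 private_interface="Private NIC", excluded=()):
        self.net = ipaddress.ip_network(network)
        self.server_ip = ipaddress.ip_address(server_ip)
        self.private_interface = private_interface
        self.excluded = set()
        # Exclude option: ranges already in use on the private network, given as (first, last).
        for first, last in excluded:
            lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        # Microsoft's suggestion: keep the NAT server's own address out of the pool.
        self.excluded.add(self.server_ip)
        self.leases = {}   # client MAC -> assigned address

    def _first_free(self):
        # hosts() already skips the network and broadcast addresses of the /24.
        for host in self.net.hosts():
            if host not in self.excluded and host not in self.leases.values():
                return host
        return None

    def request(self, mac, interface):
        """Answer a DHCP request; None means the allocator does not respond."""
        if interface != self.private_interface:
            return None            # never serve the public side (neighbouring DSL users)
        if mac in self.leases:
            return self.leases[mac]  # a known client keeps its address
        addr = self._first_free()
        if addr is not None:
            self.leases[mac] = addr
        return addr

    def client_config(self, mac, interface):
        """The parameters a private client ends up with (cf. the article's Table 1)."""
        addr = self.request(mac, interface)
        if addr is None:
            return None
        return {
            "ip": str(addr),
            "mask": str(self.net.netmask),
            "gateway": str(self.server_ip),   # assumption: NAT server is the default gateway
            "dns": str(self.server_ip),       # DNS proxy on the NAT server
            "wins": str(self.server_ip),      # WINS proxy on the NAT server
        }


if __name__ == "__main__":
    alloc = DhcpAllocator(excluded=[("192.168.0.2", "192.168.0.9")])
    print(alloc.client_config("00-00-00-00-00-01", "Private NIC"))
    print(alloc.request("00-00-00-00-00-02", "Public NIC"))
```

Leaving the exclusion list empty when statically addressed machines already sit in 192.168.0.0/24 is how the duplicate-address problem the paragraph mentions arises; the example simply refuses to hand out anything inside the excluded range.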

The Name Resolution tab lets you resolve names to addresses for either Windows or TCP/IP networking clients. The NAT server can act as a DNS or WINS proxy agent for your private clients. The WINS proxy service that the NAT server offers isn't the same as the WINS proxy service available in Windows NT versions. The first difference is that NAT automatically configures the clients with the NAT server IP address as their WINS server. In a SOHO network, the WINS server address will be 192.168.0.1, which Table 1 shows. The second difference is that the clients merely think that the server is their WINS server. The NAT server will query the WINS server set in its IP configuration and return the results to the clients. (The client queries the WINS server and doesn't register its address with the WINS server.)

The WINS proxy service in NAT drops clients' name registrations, so the records don't stay in the WINS database. Because your clients never register with the WINS server on your private network, you might not be able to connect to a private client by name (e.g., \\server\sharename). Therefore, you must have a method to resolve names on the private network. One solution is to use IP addresses instead of names to connect to other machines (e.g., \\192.168.0.3\data). Another option is to use the LMHOSTS file. I prefer to use DHCP to assign a WINS address to a client.

The DNS proxy works similarly to the WINS proxy: the clients send DNS queries to the NAT server. To respond to the client queries, the NAT server queries the DNS server set in its IP configuration (e.g., an ISP's DNS server) and returns the results to the clients. Unless you enable this option, the clients on the private network won't be able to resolve host names on the Internet (unless you have an alternative method in place to provide name resolution). You can make your NAT server a DNS server. In case your server can't resolve the DNS queries, you want to configure your DNS server to forward requests to another DNS server, such as an ISP's DNS server.
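The two proxy behaviours above, and the failure mode the WINS paragraphs describe (registrations dropped, so a private machine's name never reaches the WINS database unless you fall back to LMHOSTS or raw addresses), can be walked through with the following added example, written for this article and not Microsoft's code. The upstream DNS and WINS servers that would be set in the NAT server's IP configuration are stood in for by constructed lookup tables, and the LMHOSTS text is constructed; the client-side lookup order (LMHOSTS first, then the proxy) is a simplification, since on a real client the NetBIOS node type decides the order.

```python
"""Model of the NAT server's DNS and WINS proxy plus an LMHOSTS fallback.

Added example, not Microsoft's code. Upstream servers are simulated with
dictionaries; the LMHOSTS sample and the host names are constructed.
"""


def parse_lmhosts(text):
    """Parse LMHOSTS lines of the form '<ip> <name> [#PRE] [#DOM:domain]'.

    Lines beginning with '#' are comments (LMHOSTS keywords such as #PRE follow
    the name, so they are not affected); names are case-insensitive.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, name = parts[0], parts[1].strip('"').upper()
        entries[name] = ip
    return entries


class NatNameProxy:
    def __init__(self, upstream_dns, upstream_wins, lmhosts_text=""):
        self.upstream_dns = upstream_dns      # stands in for the ISP's DNS server
        self.upstream_wins = upstream_wins    # stands in for the WINS server in the NAT config
        self.lmhosts = parse_lmhosts(lmhosts_text)
        self.dropped_registrations = []

    def wins_register(self, name, ip):
        """The NAT WINS proxy drops registrations: nothing reaches the WINS database."""
        self.dropped_registrations.append((name.upper(), ip))
        return False

    def wins_query(self, name):
        """Proxy a NetBIOS name query to the WINS server set in the NAT server's configuration."""
        return self.upstream_wins.get(name.upper())

    def dns_query(self, host):
        """Proxy a DNS query to the DNS server set in the NAT server's configuration."""
        return self.upstream_dns.get(host.lower().rstrip("."))

    def client_resolve_netbios(self, name):
        """What a private client can still do: consult LMHOSTS, then ask the NAT server."""
        return self.lmhosts.get(name.strip('"').upper()) or self.wins_query(name)


def demo():
    """A private server registers with the proxy and then a neighbour tries to reach it by name."""
    proxy = NatNameProxy(upstream_dns={"www.example.com": "203.0.113.10"}, upstream_wins={})
    proxy.wins_register("server", "192.168.0.3")
    without_lmhosts = proxy.client_resolve_netbios("server")       # None: registration was dropped
    lmhosts = "# constructed LMHOSTS\n192.168.0.3    server    #PRE\n"
    proxy_with_file = NatNameProxy({}, {}, lmhosts)
    with_lmhosts = proxy_with_file.client_resolve_netbios("SERVER")  # 192.168.0.3
    return without_lmhosts, with_lmhosts, proxy.dns_query("WWW.EXAMPLE.COM.")


if __name__ == "__main__":
    print(demo())
```

The first result is None even though the server "registered": the proxy discarded the registration and the upstream WINS server has nothing to return. The LMHOSTS entry (or using \\192.168.0.3\data directly, as the article suggests) is what makes the name usable again, while Internet names continue to resolve through the DNS proxy.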

CORRECTIONS TO THIS ARTICLE:
"Windows 2000's Network Address Translation" incorrectly states that to use the DHCP server on your Windows 2000 (Win2K) server instead of enabling the DHCP allocator, select the Automatically assign IP addresses by using DHCP check box. You need to clear that check box.
