
Network Address Translation (NAT) Review

In Routing and Remote Access Service (RRAS), NAT can be used to provide basic
Internet connectivity for small offices or home offices. NAT translates IP addresses and
associated TCP/UDP port numbers on the private network to public IP addresses which
can be routed on the Internet. Through NAT, host computers are able to share a single
publicly registered IP address to access the Internet. NAT also offers a number of security
features which can be used to secure the resources on your private network. The NAT
service is integrated with the router that changes the information of the originator in
packets prior to them being forwarded to the Internet. NAT can be configured through a
demand-dial interface where the connection is only established when the client
specifically requests the connection; or through a persistent connection which is a
permanent connection that remains open all the time.

RRAS IP packet filters can be used to restrict incoming or outgoing IP address ranges
based on information in the IP header. You can configure and combine multiple filters to
control network traffic. With NAT, you can configure inbound IP packet filters and
outbound IP packet filters. When defining criteria for the packet filters, you can use
any combination of IP header information.

You can also map external public IP addresses and ports to private IP addresses and ports
so that internal private resources can be accessed by Internet users. You use a special port
to map specific Internet users to resources within the private network. You can configure
a NAT address mapping for each specific private network resource that Internet users are
allowed to access. The NAT address pool feature can be utilized to allow VPN users and
Internet users to access resources residing in the private network. The NAT server
forwards requests for one of the public IP addresses with a specific TCP/UDP port number
to resources in the private network.

Planning for NAT Installation


A Windows Server 2003 server configured with either of the following services can act as
the NAT server:

• Routing and Remote Access; a NAT implementation through Routing and Remote
Access is the recommended approach.
• Internet Connection Sharing; should be used for very small networks only.

A few factors that should be clarified before you install and configure NAT are listed
here:

• The type of connection which will be used (a demand-dial interface, or a
persistent connection). Using a persistent Internet connection would ensure that
the NAT server can connect to the Internet at all times.
• The private network IP addressing scheme and the number of public IP addresses
to obtain.
• The servers that will be configured as NAT servers. It is recommended to use a
dedicated computer to run NAT.
• The interfaces that are to be configured with private IP addresses and the
interfaces which will be configured with public IP addresses.
• The manner in which access to resources on the private network will be assigned.
• The IP packet filters that will be configured.
• The IP configuration method to use with the NAT implementation.
• The scope of the NAT server. Will the NAT server be allowed to assign IP
addresses, and handle DNS resolution requests?

Installing the NAT Service


The Windows Server 2003 NAT server can support the following services or components:

• NAT address translation service/component: The computer on which NAT is
installed is the network address translator server.
• DNS name resolution component: The computer that has NAT installed acts as a
DNS server.
• DHCP IP addressing component: The computer that has NAT installed acts as a
simplified DHCP server that assigns IP address information to other client
computers.

The NAT server should have the following components:

• One network adapter card configured with the internal private IP addresses
connecting the internal private client computers.
• One network adapter configured with the public IP address which connects to the
Internet.

NAT is included with Windows Server 2003 RRAS. While RRAS is automatically
installed when you install Windows Server 2003, it is not automatically enabled.
To enable RRAS, you can use either of the following mechanisms:

• Manage Your Server application.
• Routing and Remote Access management console.

Windows Server 2003 also provides the Routing and Remote Access Server Setup
Wizard which can be used to perform both of the following functions:

• Enable Routing and Remote Access.
• Enable and configure NAT.

How to add NAT as a routing protocol


1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the console tree, expand Routing And Remote Access, the Server, and then
expand IP Routing.
3. Select, and then right-click General and next click New Routing Protocol from the
shortcut menu.
4. The Select Routing Protocol dialog box opens.
5. Select Network Address Translation.
6. Click OK.

How to install the NAT service using the Routing And Remote Access Server Setup
Wizard

1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the left console pane, select the RRAS server that you want to work with.
3. From the Action menu, click Configure and Enable Routing and Remote Access.
4. The Routing and Remote Access Server Setup Wizard initiates.
5. Click Next on the Routing and Remote Access Server Setup Wizard welcome
page.
6. On the Configuration page, select the Network Address Translation (NAT) option,
and then click Next.
7. On the NAT Internet Connection page, you have to select the connection method
which NAT will use to connect to the Internet:
o Use this public interface to connect to the Internet option.
o Create a new demand-dial interface to the Internet option.
8. If you want to enable NAT security, leave the Enable security on the selected
interface by setting up Basic Firewall option selected. The option is enabled by
default. Click Next.
9. On the Ready to Apply Selections page, click Next.
10. Click Finish.
11. Click Yes to start the Routing and Remote Access service.

Configuring NAT
You can use the Routing and Remote Access management console to configure a number
of settings for NAT.

To access the various configuration options for NAT:

1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the left console tree, expand Routing And Remote Access, the Server, and then
expand IP Routing.
3. Select NAT/Basic Firewall.
4. Click the Action menu, and then select Properties, or right-click NAT/Basic
Firewall and select Properties from the shortcut menu.
5. The Properties dialog box contains four tabs which can be used to configure
settings for the NAT service.

The various settings available on the different tabs within the Properties dialog box are:

• NAT/Basic Firewall tab: The configurations which you can perform on the
NAT/Basic Firewall tab are:
o Enable NAT/disable NAT.
o Enable a basic firewall to prevent unauthorized users from accessing
resources on the private network.
o Configure inbound filters by clicking the Inbound Filters button.
o Configure outbound filters by clicking the Outbound Filters button.
• Address Pool tab: The configurations which you can perform on the Address Pool
tab are:
o Specify the Internet addresses which the NAT server will use. A minimum
of one Internet address has to be specified.
o You can configure external address to internal address mappings by
clicking the Reservations button.
• Services and Ports tab: The configurations which you can perform on the
Services and Ports tab are:
o Specify services which Internet users are allowed to access.
o Configure the internal client computers which external packets are
forwarded to.
• ICMP tab: On this tab, you can enable a number of diagnostic packet types
which are necessary for the NAT server to recognize and respond to PING or
Traceroute.

How to configure a new interface for NAT


1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. Locate NAT/Basic Firewall in the console tree.
3. Right-click NAT/Basic Firewall and select New Interface from the shortcut menu.
4. Specify the type of interface. Click OK.
5. Next, select Public Interface Connected To The Internet, and then select Enable
NAT On This Interface.
6. If no firewall capabilities exist, select Enable A Basic Firewall On This Interface.
7. If necessary, configure the desired inbound/outbound IP packet filters to restrict
incoming or outgoing traffic.
8. Add the address range obtained by the ISP in the Address Pool tab.
9. Specify the services which Internet users can access.
10. Accept the default settings on the ICMP tab.
11. Click OK.

How to configure special ports to allow inbound connections

1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. Locate the interface that you want to configure.
3. Right-click the interface and then select Properties from the shortcut menu.
4. Click the Special Ports tab.
5. Under Protocol, select TCP or UDP and then click the Add button.
6. Enter the port number of the incoming traffic in Incoming Port.
7. Select On This Address Pool Entry, and provide the public IP address of the
incoming traffic.
8. Enter the port number of the private network resource in Outgoing Port.
9. Enter the private network resource's private IP address in Private Address.
10. Click OK.
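
The translation behaviour described in the review at the top of this page, together with the Special Ports fields from the procedure above, can be modelled in a few lines. This is an added example, not code from the original page or from RRAS; the class and method names are hypothetical, the addresses are constructed, and the model is simplified (it does not track the remote endpoint or time out mappings).

```python
# Added illustration: simplified model of NAT, Basic Firewall and special ports.
# Addresses are constructed documentation/private ranges; this is not RRAS code.
from itertools import count

class NatModel:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # next free public port (assumed start)
        self.out_map = {}   # (proto, private_ip, private_port) -> public_port
        self.in_map = {}    # (proto, public_port) -> (private_ip, private_port)
        self.special = {}   # (proto, pool_entry, incoming_port) -> (private_address, outgoing_port)

    def add_special_port(self, proto, incoming_port, pool_entry,
                         outgoing_port, private_address):
        """Mirror the Special Ports fields: one static inbound mapping."""
        self.special[(proto, pool_entry, incoming_port)] = (private_address, outgoing_port)

    def outbound(self, proto, src_ip, src_port):
        """Replace the private originator with the shared public address and a unique port."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key]

    def inbound(self, proto, dst_ip, dst_port):
        """Return (verdict, private_ip, private_port) for a packet arriving from the Internet."""
        if dst_ip == self.public_ip and (proto, dst_port) in self.in_map:
            return ("reply",) + self.in_map[(proto, dst_port)]
        if (proto, dst_ip, dst_port) in self.special:
            return ("special-port",) + self.special[(proto, dst_ip, dst_port)]
        return ("drop", None, None)       # unsolicited: nothing inside asked for it

    def exposed(self):
        """Everything reachable from the Internet without a prior outbound request."""
        return sorted(self.special.items())

def demo():
    nat = NatModel("203.0.113.10")
    nat.add_special_port("TCP", 8080, "203.0.113.10", 80, "192.168.0.20")
    a = nat.outbound("TCP", "192.168.0.5", 1025)   # two clients, same source port
    b = nat.outbound("TCP", "192.168.0.6", 1025)
    return {"a": a, "b": b,
            "reply": nat.inbound("TCP", *a),
            "web": nat.inbound("TCP", "203.0.113.10", 8080),
            "unsolicited": nat.inbound("TCP", "203.0.113.10", 3389),
            "wrong_proto": nat.inbound("UDP", "203.0.113.10", 8080)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The output of exposed() is the list to review whenever a special port is added: each entry is a private resource that Internet users can reach without any prior outbound request.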

How to configure a NAT network application


1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the console tree, select the NAT server that you want to configure.
3. Right-click the NAT server and then select Properties from the shortcut menu.
4. Click the Translation tab.
5. Click the Application button.
6. When the Application dialog box opens, click the Add button.
7. The Add Application dialog box opens.
8. Specify the desired settings for the application.
9. Click OK.

How to manage the NAT server


1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the console tree, select the NAT server that you want to manage.
3. Right-click the NAT server and then select Properties from the shortcut menu.
4. Click the IP tab to manage NAT address assignment.
5. If you want to use an existing DHCP server for IP address assignment, click the
Dynamic Host Configuration Protocol (DHCP) option.
6. If you want to specify the NAT server for IP address assignment, select the Static
address pool option.
7. Next, use the Add, Edit and Remove buttons to specify the address range which
the NAT server will use to assign IP addresses to clients.
8. If you do not have an existing DNS server or WINS server that can be used for
name resolution, click the Enable broadcast name resolution option at the bottom
of the IP tab.
9. Click OK.

Troubleshooting NAT
The typical problems experienced with NAT are usually due to not meeting a number of
NAT configuration requirements:

• For NAT to work, it needs the following:
o One network adapter card configured with the internal private IP addresses
connecting the internal private client computers.
o One network adapter configured with the public IP address which
connects to the Internet.

The internal interface is usually created by default. The external interface has to
be manually added. After both interfaces are added, verify the following:

o The private interface should be specified as the private interface in its
associated properties dialog box of the NAT/Basic Firewall node in the
Routing and Remote Access console.
o The public interface should be specified as the public interface in its
associated properties dialog box of the NAT/Basic Firewall node in the
Routing and Remote Access console.
• The NAT configuration must have a default static route configured through the
Routing and Remote Access console, with the following parameters:
o Interface configured as the public interface connected to the Internet.
o Destination and mask defined as 0.0.0.0.
o Gateway defined as None.
• If you have configured special ports, verify that the settings specified for the
public address/port, and the settings specified for the private address/port are
correct.
• If you have configured an address pool for the external interface, check that the
addresses and mask have been correctly configured.
• For NAT to work, the DHCP service must be configured.
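
The checklist above can be applied mechanically to a written-down copy of the configuration. This is an added example, not part of the original page or of RRAS; the dictionary layout and field names are hypothetical (values transcribed by hand from the console), and the sample addresses are constructed.

```python
# Added illustration; the cfg layout is hypothetical, not an RRAS export format.
import ipaddress as ipa

def check_nat_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    public = [i for i in cfg["interfaces"] if i["role"] == "public"]
    private = [i for i in cfg["interfaces"] if i["role"] == "private"]
    if not public:
        findings.append("no interface marked public")
    if not private:
        findings.append("no interface marked private")

    # Default static route: destination and mask 0.0.0.0, gateway None, public interface.
    names = {i["name"] for i in public}
    if not any(r["destination"] == r["mask"] == "0.0.0.0" and r["gateway"] is None
               and r["interface"] in names for r in cfg["static_routes"]):
        findings.append("no default static route on the public interface")

    # Address pool: start and end must fall in one network under the configured mask.
    pool, pool_range = cfg.get("address_pool"), None
    if pool:
        start, end = ipa.ip_address(pool["start"]), ipa.ip_address(pool["end"])
        net = ipa.ip_network(f'{pool["start"]}/{pool["mask"]}', strict=False)
        if start > end or end not in net:
            findings.append("address pool range does not fit its mask")
        else:
            pool_range = (start, end)

    # Special ports: public side must be a pool address, private side an internal host.
    private_nets = [ipa.ip_network(i["network"]) for i in private]
    for sp in cfg.get("special_ports", []):
        pub = ipa.ip_address(sp["public_address"])
        priv = ipa.ip_address(sp["private_address"])
        if pool_range and not pool_range[0] <= pub <= pool_range[1]:
            findings.append(f"special port {sp['incoming_port']}: public address not in pool")
        if not any(priv in n for n in private_nets):
            findings.append(f"special port {sp['incoming_port']}: private address not internal")
    if not cfg.get("dhcp_configured"):
        findings.append("DHCP service not configured")
    return findings

# Constructed sample that satisfies every check.
SAMPLE = {
    "interfaces": [{"name": "LAN", "role": "private", "network": "192.168.0.0/24"},
                   {"name": "WAN", "role": "public"}],
    "static_routes": [{"destination": "0.0.0.0", "mask": "0.0.0.0",
                       "gateway": None, "interface": "WAN"}],
    "address_pool": {"start": "203.0.113.10", "end": "203.0.113.12",
                     "mask": "255.255.255.248"},
    "special_ports": [{"incoming_port": 8080, "public_address": "203.0.113.10",
                       "private_address": "192.168.0.20"}],
    "dhcp_configured": True,
}
```
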

Network Address Translation (NAT) Server:

NAT is an Internet Protocol (IP) translation process that allows a network with private
addresses to access information on the Internet. If the NAT routing protocol is installed
and configured on a server that runs Routing and Remote Access, internal network clients
with private Internet Protocol (IP) addresses can access the Internet through the external
interface of the NAT server. This is much like a proxy server, but it does not have any
cache.

To configure Windows Server 2003 as a NAT server

Follow these steps to accomplish the task:

1. On the Administrative Tools menu, click Routing and Remote Access.
2. In Routing and Remote Access, expand your server_name (where server_name
is the name of the server that you want to configure) and then expand IP Routing in
the left pane.
3. Right-click General and then click New Routing Protocol.
4. Click to select the NAT/Basic Firewall check box and then click OK.
5. Right-click NAT/Basic Firewall in the left pane and then click New Interface.
6. Click the interface that represents your internal network interface and then click
OK.
7. In the Network Address Translation properties, click Private interface connected
to private network and then click OK.
8. Right-click NAT/Basic Firewall in the left pane and then click New Interface.
9. Click the interface that represents your external network interface and then click
OK.
10. In Network Address Translation properties, click Public interface connected to the
Internet. For a dial-up connection to the Internet, select the demand-dial interface
that is configured to connect to your ISP. Click to select the Enable NAT on this
interface check box and then click OK.

The NAT server can automatically assign IP addresses to internal network clients. You
may want to use this functionality if you do not have a DHCP server that is already
assigning addressing information to clients on the internal network.

To Configure NAT Server to Assign IP Addresses and Perform Proxy DNS Queries

Follow these steps in order to accomplish the task:

1. Right-click NAT/Basic Firewall in the left pane and then click Properties.
2. Click the Address Assignment tab and then click to select the Automatically assign
IP addresses by using the DHCP allocator check box.
3. In the IP address box, type a network ID.
4. In the Mask box, type a subnet mask.
5. You can also exclude IP addresses from the range you are defining so that the
excluded IP addresses can be assigned to specific computers on the private network
by clicking Exclude and adding IP addresses.
6. Click the Name Resolution tab and then click to select the Clients using Domain
Name System (DNS) check box.
7. If you use a demand-dial interface to connect to the Internet, click to select the
Connect to the public network when a name needs to be resolved check box.
8. In the Demand-dial interface box, click the interface to dial.
9. Click Apply and then click OK.

To Configure a Windows Server 2003-Based Computer to Use a NAT Server

Follow these steps in order to accomplish the task:

1. Open Network Connections, right-click Local Area Connection and click
Properties.
2. Click Internet Protocol (TCP/IP) and click Properties.
3. In the Default gateway box, type the internal IP address of the NAT server and your
IP address with Mask.
4. Click OK, click OK, and then click Close.

If your computer receives its IP address from a Dynamic Host Configuration Protocol
(DHCP) server, click Advanced, click the IP Settings tab, under Gateway click Add,
type the internal IP address of your NAT server, click Add, click OK.

Summary:

After you follow these basic configuration steps, internal network clients can access
servers on the Internet. When internal network clients send a request for the Internet, the
NAT protocol driver intercepts the request and forwards the request to the destination
Internet server. All requests appear to come from the external IP address of the NAT
server. This process hides your internal IP addressing scheme. The NAT server can also
perform Domain Name System (DNS) queries on the behalf of NAT clients. The Routing
and Remote Access NAT server resolves the Internet host name that is included in the
client request and then forwards the IP address to the client. If you connect to the
Internet through an interface other than a network adapter (for example, a dial-up
networking connection) that does not appear in the New Interface Properties, you have to
make a Demand Dial Interface for that connection. To make a Demand Dial Interface, see
our article "How to Make a Demand Dial Interface in RRAS in Windows Server 2003".

Note: This article is just a part of the www.Helpline4IT.com online study guides for Microsoft Windows 2003.
