In Routing and Remote Access Service (RRAS), NAT can be used to provide basic
Internet connectivity for small offices or home offices. NAT translates IP addresses and
associated TCP/UDP port numbers on the private network to public IP addresses which
can be routed on the Internet. Through NAT, host computers are able to share a single
publicly registered IP address to access the Internet. NAT also offers a number of security
features which can be used to secure the resources on your private network. The NAT
service is integrated with the router, which changes the originator information in
packets before they are forwarded to the Internet. NAT can be configured through a
demand-dial interface where the connection is only established when the client
specifically requests the connection; or through a persistent connection which is a
permanent connection that remains open all the time.
RRAS IP packet filters can be used to restrict incoming or outgoing IP address ranges
based on information in the IP header. You can configure and combine multiple filters to
control network traffic. With NAT, you can configure inbound IP packet filters and
outbound IP packet filters. When defining criteria for the packet filters, you can use
any combination of IP header information.
You can also map external public IP addresses and ports to private IP addresses and ports
so that internal private resources can be accessed by Internet users. You use a special port
to map specific Internet users to resources within the private network. You can configure
a NAT address mapping for each specific private network resource that Internet users are
allowed to access. The NAT address pool feature can be utilized to allow VPN users and
Internet users to access resources residing in the private network. The NAT server
forwards requests for one of the public IP addresses, with a specific TCP/UDP port
number, to resources in the private network.
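The port translation and address/port mapping described above, as an added example that is not part of the original guide and not RRAS code: a simplified Python model of a NAT device sharing one public address. The class and method names, the 50000 starting port and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class NatModel:
    """Simplified model of port-translating NAT; not RRAS's implementation."""
    public_ip: str
    next_port: int = 50000                         # assumed start of the dynamic port range
    sessions: dict = field(default_factory=dict)   # (proto, public_port) -> private + remote endpoints
    by_source: dict = field(default_factory=dict)  # (proto, private_ip, private_port) -> public_port
    mappings: dict = field(default_factory=dict)   # static: (proto, public_port) -> private endpoint

    def add_port_mapping(self, proto, public_port, private_ip, private_port):
        """Publish one internal service to Internet users (a static mapping)."""
        self.mappings[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the originator to the shared public address and a unique port."""
        key = (proto, src_ip, src_port)
        if key not in self.by_source:
            self.by_source[key] = self.next_port
            self.next_port += 1
        public_port = self.by_source[key]
        self.sessions[(proto, public_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the private endpoint for an inbound packet, or None to drop it."""
        if (proto, dst_port) in self.mappings:               # published service
            return self.mappings[(proto, dst_port)]
        session = self.sessions.get((proto, dst_port))
        if session and session[2:] == (src_ip, src_port):    # reply to a tracked request
            return session[:2]
        return None                                          # unsolicited traffic is dropped

def demo():
    nat = NatModel("203.0.113.10")                           # constructed addresses throughout
    nat.add_port_mapping("tcp", 80, "192.168.0.5", 8080)
    return {
        "host_a": nat.outbound("tcp", "192.168.0.20", 3345, "198.51.100.7", 80),
        "host_b": nat.outbound("tcp", "192.168.0.21", 3345, "198.51.100.7", 80),
        "reply": nat.inbound("tcp", "198.51.100.7", 80, 50000),
        "unsolicited": nat.inbound("tcp", "198.51.100.99", 4444, 50000),
        "published": nat.inbound("tcp", "198.51.100.99", 4444, 80),
        "closed_port": nat.inbound("tcp", "198.51.100.99", 4444, 3389),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Only the published port and replies to tracked requests reach a private host; every static mapping is therefore an exposed service and should be limited to resources that must be reachable from the Internet.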
• Routing and Remote Access; a NAT implementation through Routing and Remote
Access is the recommended approach.
• Internet Connection Sharing; should be used for very small networks only.
A few factors that should be clarified before you install and configure NAT are listed
here:
• One network adapter card configured with the internal private IP addresses
connecting the internal private client computers.
• One network adapter configured with the public IP address which connects to the
Internet.
NAT is included with Windows Server 2003 RRAS. While RRAS is automatically
installed when you install Windows Server 2003, it is not automatically enabled.
To enable RRAS, you can use either of the following mechanisms:
Windows Server 2003 also provides the Routing and Remote Access Server Setup
Wizard which can be used to perform both of the following functions:
How to install the NAT service using the Routing And Remote Access Server Setup
Wizard
1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the left console pane, select the RRAS server that you want to work with.
3. From the Action menu, click Configure and Enable Routing and Remote Access.
4. The Routing and Remote Access Server Setup Wizard initiates.
5. Click Next on the Routing and Remote Access Server Setup Wizard welcome
page.
6. On the Configuration page, select the Network Address Translation (NAT) option,
and then click Next.
7. On the NAT Internet Connection page, you have to select the connection method
which NAT will use to connect to the Internet:
o Use this public interface to connect to the Internet option.
o Create a new demand-dial interface to the Internet option.
8. If you want to enable NAT security, leave the Enable security on the selected
interface by setting up Basic Firewall option selected. The option is enabled by
default. Click Next.
9. On the Ready to Apply Selections page, click Next.
10. Click Finish.
11. Click Yes to start the Routing and Remote Access service.
Configuring NAT
You can use the Routing and Remote Access management console to configure a number
of settings for the NAT.
1. Click Start, Administrative Tools, and then click Routing and Remote Access to
open the Routing and Remote Access management console.
2. In the left console tree, expand Routing And Remote Access, the Server, and then
expand IP Routing.
3. Select NAT/Basic Firewall.
4. Click the Action menu, and then select Properties, or right-click NAT/Basic
Firewall and select Properties from the shortcut menu.
5. The Properties dialog box contains four tabs which can be used to configure
settings for the NAT service.
The various settings available on the different tabs within the Properties dialog box are:
• NAT/Basic Firewall tab: The configurations which you can perform on the
NAT/Basic Firewall tab are:
o Enable NAT/disable NAT.
o Enable a basic firewall to prevent unauthorized users from accessing
resources on the private network.
o Configure inbound filters by clicking the Inbound Filters button.
o Configure outbound filters by clicking the Outbound Filters button.
• Address Pool tab: The configurations which you can perform on the Address Pool
tab are:
o Specify the Internet addresses which the NAT server will use. A minimum
of one Internet address has to be specified.
o You can configure external address to internal address mappings by
clicking the Reservations button.
• Services and Ports tab: The configurations which you can perform on the
Services and Ports tab are:
o Specify services which Internet users are allowed to access.
o Configure the internal client computers which external packets are
forwarded to.
• ICMP tab: On this tab, you can enable a number of diagnostic packet types
which are necessary for the NAT server to recognize and respond to PING or
Traceroute.
Troubleshooting NAT
The typical problems experienced with NAT are usually due to not meeting a number of
NAT configuration requirements:
The internal interface is usually created by default. The external interface has to
be manually added. After both interfaces are added, verify the following:
NAT is an Internet Protocol (IP) translation process that allows a network with private
addresses to access information on the Internet. If the NAT routing protocol is installed
and configured on a server that runs Routing and Remote Access, internal network clients
with private Internet Protocol (IP) addresses can access the Internet through the external
interface of the NAT server. This is much like a proxy server, but it does not have any
cache.
4. Click to select the NAT/Basic Firewall check box and then click OK.
5. Right-click NAT/Basic Firewall in the left pane and then click New Interface.
6. Click the interface that represents your internal network interface and then click
OK.
7. In the Network Address Translation properties, click Private interface connected
to private network and then click OK.
8. Right-click NAT/Basic Firewall in the left pane and then click New Interface.
9. Click the interface that represents your external network interface and then click
OK.
10. In Network Address Translation properties, click Public interface connected to the
Internet. For a dial-up connection to the Internet, select the demand-dial interface
that is configured to connect to your ISP. Click to select the Enable NAT on this
interface check box and then click OK.
The NAT server can automatically assign IP addresses to internal network clients. You
may want to use this functionality if you do not have a DHCP server that is already
assigning addressing information to clients on the internal network.
To Configure NAT Server to Assign IP Addresses and Perform Proxy DNS Queries
1. Right-click NAT/Basic Firewall in the left pane and then click Properties.
2. Click the Address Assignment tab and then click to select the Automatically assign
IP addresses by using the DHCP allocator check box.
5. You can also exclude IP addresses from the range you are defining so that the
excluded IP addresses can be assigned to specific computers on the private network
by clicking Exclude and adding IP addresses.
6. Click the Name Resolution tab and then click to select the Clients using Domain
Name System (DNS) check box.
7. If you use a demand-dial interface to connect to the Internet, click to select the
Connect to the public network when a name needs to be resolved check box.
1. Open Network Connections, right-click Local Area Connection and click
Properties.
2. Click Internet Protocol (TCP/IP) and click Properties.
3. In the Default gateway box, type the internal IP address of the NAT server, and enter
your IP address with mask.
Summary:
After you follow these basic configuration steps, internal network clients can access
servers on the Internet. When internal network clients send a request for the Internet, the
NAT protocol driver intercepts the request and forwards the request to the destination
Internet server. All requests appear to come from the external IP address of the NAT
server. This process hides your internal IP addressing scheme. The NAT server can also
perform Domain Name System (DNS) queries on behalf of NAT clients. The Routing
and Remote Access NAT server resolves the Internet host name that is included in the
client request and then forwards the IP address to the client. If you are using an interface
other than a network adapter (for example, a dial-up networking connection) to connect
to the Internet, and it does not appear in the New Interface Properties, then you have to
make a Demand Dial Interface for that connection. To make a Demand Dial Interface, see our
article "How to Make a Demand Dial Interface in RRAS in Windows Server 2003".
Note: This article is part of the www.Helpline4IT.com online study guides for Microsoft Windows 2003.