
NAT - Network Address Translation

Because private IP addresses are private, different organizations can use the same IP address. Of course, this means that private IP addresses aren't routable on the public Internet, hence the need for NAT.

IPv6 and NAT: Because of the larger address space and improved private addressing design, IPv6 does not require NAT. Therefore, this lesson applies only to IPv4 networks.

Network Address Translation (NAT) allows one computer (or another type of network host, such as a router) with a public IP address to provide Internet access to hundreds or thousands of hosts on an internal network. The hosts on the internal network must have private IP addresses (as defined in Request for Comments [RFC] 1918) in one of the following address ranges:

192.168.0.0-192.168.255.255
172.16.0.0-172.31.255.255
10.0.0.0-10.255.255.255

Internet Connection Sharing


Internet Connection Sharing (ICS) is a feature that permits you to use Windows Server 2008 to connect a small office network or home network to the Internet. The ICS computer has a public IP address (or an IP address that provides access to a remote network) on the external network interface. The internal network interface always has the IP address 192.168.0.1. Enabling ICS automatically enables a DHCP service that assigns clients IP addresses in the range 192.168.0.0/24. This DHCP service is not compatible with either the DHCP Server role or the DHCP relay agent feature of Routing And Remote Access.

To configure NAT using Internet Connection Sharing

Start with the computer that will share the Internet connection. First set up your Internet connection, and then use the Network Setup Wizard to configure the computer.

Configure the NAT server with two interfaces:

An interface connected to the Internet, with a public Internet IP address
An interface connected to your private intranet, with a static, private IP address

Go to Start > Settings > Control Panel > Network and Sharing Center, then click Manage Network Connections in the Task pane.

Right-click the network interface that connects to the Internet, and then click Properties.

Click the Sharing tab and select the Allow Other Network Users To Connect Through This Computer's Internet Connection check box.

If you want users on the Internet to access any servers on your intranet (such as a Web or e-mail server that has only a private IP address), click the Settings button. For each internal service, follow these steps:

If the service appears in the Services list, select its check box. In the Service Settings dialog box, type the internal name or IP address of the server and click OK.

If the service does not appear on the list or if it uses a nonstandard port number, click Add. Type a description for the service and the internal name or IP address of the server. Then, in both the External Port Number For This Service and Internal Port Number For This Service boxes, type the port number used by the server. Select either TCP or UDP, and then click OK.

Enabling ICS does not change the configuration of the Internet network interface, but it does assign the IP address 192.168.0.1 to the intranet network interface. Additionally, the computer will now respond to DHCP requests on the intranet interface only and assign clients IP addresses in the range 192.168.0.0/24. All clients will have 192.168.0.1 (the private IP address of the ICS computer) as both their default gateway and the preferred DNS server address.

You can also share a VPN or dial-up connection. This allows a single computer to connect to a remote network and to forward traffic from other computers on the intranet. To enable ICS for a remote access connection:

Click the Sharing tab. Then, select the Allow Other Network Users To Connect Through This Computer's Internet Connection check box. Optionally, select the Establish A Dial-Up Connection Whenever A Computer On My Network Attempts To Access The Internet check box. This automatically establishes a remote access connection if a computer on the intranet sends any traffic that would need to be forwarded to the remote network.

Network Address Translation Using Routing and Remote Access


Using Routing And Remote Access, you can enable full-featured NAT capabilities. The specific reasons to use Routing and Remote Access instead of ICS include:

You can use internal networks other than 192.168.0.0/24.
You can route to multiple internal networks.
You can use a different DHCP server, including the DHCP Server role built into Windows Server 2008.
ICS cannot be enabled on a computer that uses any Routing and Remote Access component, including a DHCP relay agent.

Enabling NAT
Configure the NAT server with two interfaces:

An interface connected to the Internet, with a public Internet IP address
An interface connected to your private intranet, with a static, private IP address

Click Start, Administrative Tools, Routing and Remote Access.

When the Routing and Remote Access MMC starts, you will notice that the server has a red down arrow showing that it is currently offline. Right-click the server and select Configure and Enable Routing and Remote Access.

On the Welcome To The Routing And Remote Access Server Setup Wizard, click Next. On the Configuration page, select Network Address Translation (NAT), and click Next.

On the VPN Connection page, select the NIC in the Network interfaces section that represents the external interface of the VPN server. Then click Next.

On the IP Address Assignment page, select the Automatically option. We can select this option because we have a DHCP server installed on the domain controller behind the VPN server. If you did not have a DHCP server, then you would have to select the From a specified range of addresses option and then provide a list of addresses that VPN clients could use when connecting to the network through the VPN gateway. Click Next.

On the Managing Multiple Remote Access Servers page, select the No, use Routing and Remote Access to authenticate connection requests option. This is the option we use when there is no NPS or RADIUS server available. Since the VPN server is a member of the domain, you can authenticate users using domain accounts.

Read the summary information on the Completing the Routing and Remote Access Server Setup Wizard page and click Finish.

If NAT has already been set up, to configure it on an interface:


1. In the left pane of the Server Manager, expand the Routing and Remote Access node.
2. Expand the IPv4 node.
3. Click on the NAT node.
4. In the NAT node, right-click the external network interface that you wish to enable NAT on.
5. Click Properties, select NAT, and click OK.

Selecting the NAT node in the RRAS console shows that three network interfaces were created when NAT was configured on the server using the Routing and Remote Access Server Setup Wizard.

The Properties of Local Area Connection

Note that NAT considers this network the "private" network, that is, the network "behind" the NAT router:

The Properties of Local Area Connection 2

Note that NAT considers this network the "public" network, that is, the network "in front of" (on the Internet side of) the NAT router:

Enabling DHCP

When you enable NAT, you can use any DHCP server. Typically, if you want to use a Windows Server 2008 computer as a DHCP server, you should add the DHCP Server role; this provides a very full-featured DHCP server. NAT does include a very limited, but functional, DHCP server capable of providing IP address configuration to DHCP clients on a single subnet.

To configure the NAT DHCP server

In Server Manager, right-click Roles\Network Policy And Access Services\Routing And Remote Access\IPv4\NAT, and then choose Properties.

In the Address Assignment tab, select the Automatically Assign IP Addresses By Using The DHCP Allocator check box.

Type the private network address and subnet mask. If you need to exclude specific addresses that are statically assigned to existing servers (other than the NAT server's private IP address), click the Exclude button and use the Exclude Reserved Addresses dialog box to list the addresses that will not be assigned to DHCP clients. Click OK.

Enabling Forwarding of DNS Requests

To connect to the Internet, NAT clients need to be able to resolve DNS requests. You can provide this using the DNS Server role. For small networks not requiring a DNS server, you can configure NAT to forward DNS requests to the DNS server configured on the NAT server. Typically, this is the DNS server at your ISP.

In Server Manager, right-click Roles\Network Policy and Access Services\Routing and Remote Access\IPv4\NAT, and then choose Properties.

In the Name Resolution tab, select the Clients Using Domain Name System (DNS) check box.

If the NAT server must connect to a VPN or dial-up connection for network access, select the Connect To The Public Network When A Name Needs To Be Resolved check box, and then select the appropriate demand-dial interface.

Click OK.

Configuring Client Computers

For computers on the same LAN as the NAT server's intranet interface, configure the default gateway as the NAT server's intranet IP address. For other intranet LANs, configure routers to forward traffic destined for the Internet to the NAT server's intranet IP address. Ensure that all clients can resolve Internet DNS names.

View NAT Mapping Statistics

Click on the NAT node in the left pane of the console. In the right pane of the console, right-click Internet and click Show Mappings. Here you will find some interesting and helpful information about mappings used on the Internet interface for forward and reverse NAT connections. You can also see a number of statistics in the right pane of the console, such as Total mappings, Inbound packets translated, and others.
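The mapping behaviour described on this page, as an added example (not part of the original page and not RRAS code): a small Python model of a port-translating NAT with one public address, static service mappings like those entered in the ICS Settings dialog, and counters like those shown for the NAT node. The class and function names, the starting port 50000, the inbound_rejected counter and the address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress

# The three RFC 1918 ranges listed at the top of this page, in CIDR form.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class NatTable:
    """Toy model (hypothetical names): one public address, many private hosts."""
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, private_ip, private_port) -> public_port
        self.back = {}   # (proto, public_port) -> (private_ip, private_port)
        self.stats = dict(total_mappings=0, inbound_translated=0, inbound_rejected=0)

    def add_service(self, proto, external_port, internal_ip, internal_port):
        """Static mapping, as entered for an internal server in the Settings dialog."""
        self.back[(proto, external_port)] = (internal_ip, internal_port)
        self.stats["total_mappings"] += 1

    def outbound(self, proto, src_ip, src_port):
        """Translate a packet leaving the private network to (public_ip, public_port)."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address")
        key = (proto, src_ip, src_port)
        if key not in self.out:
            while (proto, self.next_port) in self.back:   # skip ports already mapped
                self.next_port += 1
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (src_ip, src_port)
            self.stats["total_mappings"] += 1
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, proto, dst_port):
        """Translate a packet arriving on the public interface; None if unmapped."""
        target = self.back.get((proto, dst_port))
        self.stats["inbound_translated" if target else "inbound_rejected"] += 1
        return target

def demo():
    nat = NatTable("203.0.113.10")                  # constructed public address
    nat.add_service("tcp", 80, "192.168.0.20", 80)  # constructed internal Web server
    a = nat.outbound("tcp", "192.168.0.5", 1025)    # two clients, same source port
    b = nat.outbound("tcp", "192.168.0.6", 1025)
    return a, b, nat.inbound("tcp", 80), nat.inbound("tcp", 3389), nat.stats
```

Two clients using the same source port receive different public ports, and an inbound packet is delivered only when a static or dynamic mapping exists for its destination port, which is why each service mapping added in the Settings dialog deserves review.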
