February 2000

Windows 2000's Network Address Translation



 See corrections to this article

DHCP Allocator
NAT and ICS include a DHCP allocator that acts like a DHCP server. The DHCP allocator leases IP addresses to the clients from the range that you configure using the Address Assignment tab. Think of the DHCP allocator as limited DHCP (or DHCP light). Unlike a DHCP server, the allocator doesn't have a configurable database. All DHCP allocator parameter configurations are automatic, including DNS and WINS proxy. You can use any range of IP addresses on the internal interface with the DHCP allocator, but I recommend that you use only the nonroutable private IP address ranges that RFC 1918 defines.

The default network ID range in NAT is an area in which Microsoft made changes in the Win2K beta releases. Early builds used a class C address range. In later builds, Microsoft decided to use a class B private network ID range (169.254.0.0 to 169.254.255.255). Microsoft switched to this class B range because the Win2K and Windows 98 clients use this range for auto-IP configuration, and when NAT uses this range, communication is easier. In Win2K RC2, Microsoft returned to class C as the default IP address range, as Screen 5 shows. The DHCP allocator issues clients several IP configuration options. Table 1 shows a default configuration for a NAT client on a private network.

You can right-click Network Address Translation (NAT) in the Routing and Remote Access window to view the DHCP allocator or DNS proxy information. You can also use the Netsh command to administer IP settings. For example, you can run Netsh, then type

routing ip autodhcp show global

to see the DHCP allocator configuration information. You can run Netsh, then type a question mark to see the available options.

What if you want to use DHCP server on your internal network? Does using DHCP cause any conflicts? If you have routers, DNS servers, or DHCP servers on your network, you might run into some problems. The NAT server will try to detect these competing services, and if successful, it will shut down its services. The NAT server uses Internet Control Message Protocol (ICMP) Router Solicitation and DHCP Discover packets to detect these services.

To use the DHCP server on your Win2K server instead of enabling the DHCP allocator, select the Automatically assign IP addresses by using DHCP check box. I prefer to use a DHCP server for several reasons. A Win2K DHCP server can dynamically register earlier-version clients with Win2K's dynamic DNS (DDNS) server. A DHCP server also offers control over DHCP options that the DHCP allocator doesn't offer, such as providing a domain name to the clients or changing the IP lease period.

You can also assign a different DHCP or WINS server. Using DHCP to assign a WINS server to clients provides easier name resolution for internal clients. If you use the WINS proxy service (instead of using DHCP options to give a WINS server's address to clients), the clients don't register and the service can't resolve names. If you set a WINS server's address as part of the DHCP options, the clients register with the WINS server, and name resolution becomes transparent.

When using a DNS server, I use DHCP options to provide the IP address of my ISP's DNS server to my private clients. To use a DHCP server instead of the DHCP allocator, select the Address Assignment tab from NAT Properties, clear the Automatically assign IP addresses by using DHCP check box, and install DHCP server on your internal network. For a SOHO environment, the NAT server can also serve as a DNS, WINS, and DHCP server. You can configure the clients to obtain IP information from a DHCP server. Table 1 shows a default client configuration using a DHCP server.
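The following Python model, added here as an illustration and not code from the article or from Windows 2000, shows the allocator behaviour the section describes: addresses are leased from one configured range, the NAT server's own internal address is handed to clients as gateway, DNS proxy and WINS proxy (the Table 1 layout is assumed, since the table is not reproduced here), and a range that is not RFC 1918 private (or that is the 169.254/16 auto-IP range the betas used) is flagged. The 192.168.0.0/24 range with the server at .1 is a constructed default.

```python
"""Added example: a model of the NAT DHCP allocator's address handling.

Constructed for this article; it is not Windows 2000 code. The
192.168.0.0/24 range and the server address .1 are assumed defaults.
"""
import ipaddress

# RFC 1918 private ranges the article recommends for the internal interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Automatic private IP addressing range (169.254/16) used by Win2K and Win98
# clients; some Win2K betas used it as the NAT default range.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify_range(cidr):
    """Return 'rfc1918', 'apipa' or 'public' for a configured allocator range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if net.subnet_of(APIPA):
        return "apipa"
    return "public"


class DhcpAllocator:
    """Leases addresses from one range; the options are derived, not configured."""

    def __init__(self, cidr, server_ip):
        self.net = ipaddress.ip_network(cidr, strict=False)
        self.server_ip = ipaddress.ip_address(server_ip)
        if self.server_ip not in self.net:
            raise ValueError("NAT server's internal address must lie in the allocator range")
        self.leases = {}  # client MAC -> IPv4Address
        # The allocator will accept any range, so the warning is the only guard.
        self.warning = (None if classify_range(cidr) == "rfc1918"
                        else f"range {cidr} is not an RFC 1918 private range")

    def lease(self, mac):
        """Lease the lowest free host address to the client; repeat clients keep theirs."""
        if mac in self.leases:
            return self.config_for(self.leases[mac])
        taken = set(self.leases.values()) | {self.server_ip}
        for host in self.net.hosts():
            if host not in taken:
                self.leases[mac] = host
                return self.config_for(host)
        raise RuntimeError("allocator range exhausted")

    def config_for(self, ip):
        # Assumed Table 1 shape: the NAT server's internal address doubles as
        # default gateway, DNS proxy and WINS proxy; nothing else is tunable.
        return {
            "ip": str(ip),
            "mask": str(self.net.netmask),
            "gateway": str(self.server_ip),
            "dns": str(self.server_ip),
            "wins": str(self.server_ip),
        }


if __name__ == "__main__":
    allocator = DhcpAllocator("192.168.0.0/24", "192.168.0.1")
    print(allocator.warning)                     # None for an RFC 1918 range
    print(allocator.lease("00-50-56-aa-bb-01"))  # first client gets .2
    print(DhcpAllocator("169.254.0.0/16", "169.254.0.1").warning)
```

The model deliberately offers no lease period, domain name or per-client option, which is exactly the gap the article gives for preferring a full DHCP server on the private network.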

Packet Translation
The NAT server needs to translate all packets from a nonroutable IP address range on the private network to a valid IP address on the Internet. The server can transparently translate packets that carry their IP address, TCP port, and UDP port information in the IP, TCP, and UDP headers, respectively. If an application carries IP address, TCP port, or UDP port information in its own application-layer data (instead of the IP header), as FTP does, the NAT server might not be able to translate those packets properly.

A NAT editor component can properly translate packets that your NAT server can't otherwise translate. For translation, NAT servers require that packets have an IP address in the IP header, TCP port numbers in the TCP header, and UDP port numbers in the UDP header. All other packets require a NAT editor. HTTP doesn't require a NAT editor because HTTP needs only the translation of an IP address in an IP header and a TCP port in a TCP header. PPTP doesn't use a TCP or UDP header. Instead, PPTP uses a Generic Routing Encapsulation (GRE) header. The tunnel ID in the GRE header identifies the data. If NAT is unable to translate the tunnel ID within the GRE header, you'll experience connectivity problems. Because NAT can't translate the tunnel ID in PPTP packets on its own, you need a NAT editor for proper translation.

Win2K comes with built-in NAT editors for FTP, ICMP, and PPTP. Microsoft plans to make NAT editor APIs available to third-party vendors to develop additional NAT editors. Currently, no NAT editors are available for IPSec, Lightweight Directory Access Protocol (LDAP), COM, remote procedure call (RPC), or SNMP.

To use encrypted applications or applications that don't contain the IP addresses in the IP headers, you can use PPTP to tunnel through the server. Layer 2 Tunneling Protocol (L2TP), which comes with Win2K, doesn't require a NAT editor, so you can transparently use L2TP. However, you can't use L2TP with IPSec because the server can't translate the packets (IPSec doesn't have a NAT editor). Although you can't use IPSec for security with NAT, you can use Secure Sockets Layer (SSL) to encrypt Web-based applications. You can't authenticate to a Win2K domain controller across a NAT server because the NAT server doesn't translate Kerberos 5 packets, which Win2K domain controllers use.
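To make the NAT editor idea concrete, here is an added Python model of what an FTP editor has to do; it is written for this article and is not the Win2K FTP editor. In active-mode FTP the client sends a PORT command whose payload carries the client's private address and a port in the h1,h2,h3,h4,p1,p2 form. Header-only translation leaves that payload untouched, so the FTP server would try to open its data connection to an unreachable 192.168.0.x address. The editor rewrites the payload to the NAT server's public address and a public port it reserves, and remembers how to route the resulting inbound data connection. The public address 203.0.113.10 and the port allocation starting at 5000 are constructed assumptions.

```python
"""Added example: the payload rewriting an FTP NAT editor performs.

Constructed for this article; not the Windows 2000 FTP editor. Public
address and port numbering are assumed values.
"""
import re

# Active-mode FTP PORT command: four address octets and two port bytes.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(payload):
    """Return (ip, port) from a PORT command, or None if the payload is not one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    ip = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return ip, port


def format_port_command(ip, port):
    """Build a PORT command line from an address and a 16-bit port."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpNatEditor:
    """Rewrites private addresses embedded in FTP control traffic."""

    def __init__(self, public_ip, first_port=5000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.inbound = {}  # public port -> (private ip, private port)

    def rewrite_outbound(self, payload):
        """Translate a client's PORT command; other control lines pass unchanged."""
        parsed = parse_port_command(payload)
        if parsed is None:
            # Header-only translation is enough for USER, PASS, RETR and so on.
            return payload
        private_ip, private_port = parsed
        public_port = self.next_port
        self.next_port += 1
        self.inbound[public_port] = (private_ip, private_port)
        return format_port_command(self.public_ip, public_port)

    def route_inbound(self, public_port):
        """Map the server's data connection back to the client that asked for it."""
        return self.inbound.get(public_port)


if __name__ == "__main__":
    editor = FtpNatEditor("203.0.113.10")
    client_line = "PORT 192,168,0,25,8,57\r\n"  # constructed: 192.168.0.25:2105
    print(editor.rewrite_outbound(client_line).strip())
    print(editor.route_inbound(5000))
```

IPSec is the opposite case: its headers are authenticated (and with ESP, encrypted), so no editor can rewrite the embedded information without invalidating the packet, which is why the article lists it as having no editor.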

Address and Port Translation
NAT lets you translate specific addresses and ports. Typically, the NAT server performs address and port translations. You can also configure the server for address mapping, rather than translation. With address mapping, you can map the private internal addresses to a pool of public Internet addresses. This method is more scalable than the address and port translation method. Address mapping lets you map multiple incoming connections to the same port or service. However, address mapping is fairly complex and requires your ISP to add static routes for the pool of IP addresses that your NAT server uses.

You can use the Address Pool tab of an interface's Properties dialog box to configure the server to use address translation mode. For example, you can define an address range to configure a pool of addresses. Then, clients will dynamically use a unique public address from this pool, unless you reserve certain addresses for specific machines. Reserving an address is a way to provide connections from the Internet to your private network. You can also use special port mapping by selecting the Special Ports tab of the interface's Properties dialog box, as Screen 6 shows. TCP packets arriving from the Internet on Public Port 80 of the interface's address will be directed to Private Port 1080 of a client that has an IP address of 192.168.0.25. In addition, the TCP packets arriving on Public Port 20 will be directed to Private Port 2121 of 192.168.0.25.
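The address-and-port translation the section describes, together with the two Special Ports mappings from Screen 6, can be modelled in a few lines of Python. This is an added example, not the article's or Windows 2000's code: outbound packets get the server's public address and a dynamically chosen public port, replies are matched back through the table, static special-port entries are consulted first for inbound traffic, and an inbound packet with no mapping is dropped, which is the "certain level of security" the article credits NAT with. The public address 203.0.113.10, the remote hosts and the dynamic ports starting at 1025 are constructed values.

```python
"""Added example: address and port translation with static special ports.

Constructed for this article; not Windows 2000 code. Addresses and the
dynamic port range are assumed values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatServer:
    """Single-public-address NAT with a translation table and special ports."""

    def __init__(self, public_ip, first_dynamic_port=1025):
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        self.outbound = {}       # (proto, private ip, private port) -> public port
        self.inbound = {}        # (proto, public port) -> (private ip, private port)
        self.special_ports = {}  # static entries from the Special Ports tab

    def add_special_port(self, proto, public_port, private_ip, private_port):
        """Equivalent of one row on the Special Ports tab."""
        self.special_ports[(proto, public_port)] = (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source to the public address and a per-flow public port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination to a private client, or return None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        # Static special ports win over dynamic entries; this model does not
        # check the remote address, which a real translator also matches on.
        target = self.special_ports.get(key) or self.inbound.get(key)
        if target is None:
            return None  # unsolicited packet: nothing to translate it to
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = NatServer("203.0.113.10")
    # The two mappings from Screen 6.
    nat.add_special_port("tcp", 80, "192.168.0.25", 1080)
    nat.add_special_port("tcp", 20, "192.168.0.25", 2121)
    print(nat.translate_inbound(Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 80)))
    out = nat.translate_outbound(Packet("tcp", "192.168.0.10", 3000, "198.51.100.5", 80))
    print(out)
    print(nat.translate_inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.10", out.src_port)))
    print(nat.translate_inbound(Packet("udp", "198.51.100.7", 5353, "203.0.113.10", 4444)))
```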

Comparing NAT with ICS and Proxy Server
ICS is simple to configure and requires you to select only one check box. NAT's manual configuration requires more expertise. In a SOHO network, you can use ICS with one LAN adapter. The second interface can be a modem. You typically use a NAT server with multiple interfaces. With ICS, you can use only one public IP address. NAT supports multiple public IP addresses. ICS supports only a fixed range of IP addresses (e.g., 192.168.0.0 to 192.168.255.255) for clients on the private network. NAT allows a range that you can configure to suit your needs. Finally, NAT offers support for both DNS and WINS proxy services. ICS supports only DNS proxy services.

NAT and Proxy Server offer similar functionality. Both services let a small private network or SOHO network use one machine as a proxy to transparently connect to the Internet. With NAT, you don't need to install or configure additional software. The only stipulation is that the clients must be DHCP-aware (i.e., configured to obtain an IP address from a DHCP server). With Proxy Server, you need to configure the clients' browsers to use the proxy server. The only exceptions are Win2K clients that can automatically look for a proxy server and self-configure the client's browser.

Proxy Server can be more expensive for SOHO networks, so you'll have to consider the trade-offs. In large or secure environments, Proxy Server might be a better choice because of its superior filtering and caching capabilities. However, for home businesses or smaller networks in which security requirements aren't as stringent, NAT seems to be a better choice because of its simplicity, cost, and ease of administration.

I prefer NAT for several reasons. The main reason is that NAT lets me use PPTP from a NAT client to connect to a corporate network on the Internet, which gives me secure access to my corporate network for transferring files, using a Microsoft Outlook client, printing, or running custom applications. A proxy server doesn't let a proxy client use PPTP to tunnel through a proxy server. You can use a proxy server only to make a PPTP connection to your corporate network. Similar to Proxy Server, the NAT server still gives you the ability to use SSL transparently from any client in a SOHO to do many things, such as trade stock, bank online, or run Web-based e-commerce applications. NAT also offers a certain level of security.

Troubleshooting NAT
If your clients can't get an IP address from the NAT server, verify that you selected the Automatically assign IP addresses by using DHCP check box. If your server can't translate the addresses, verify that you properly enabled the translation on both interfaces. Check the internal interface's Properties dialog box to ensure that you selected Private interface connected to private network, and check the external interface's Properties dialog box to ensure that you selected Public interface connected to the Internet. Also, check the status of the interfaces in the Routing and Remote Access window. The Status column should show Enabled, and the Connection State column should show Connected.

If an application doesn't work through the NAT server, try to use the application on the NAT server. If the application works from the NAT server but not from the private network, it might require a NAT editor.

I find that naming my public interface and private interface is useful. To name your interfaces, go to Start, Settings, Network and Dial-Up Connections. You can also select Show icon in taskbar when connected from the General tab of the interface's Properties dialog box. Naming your interfaces will help you monitor all your active connections easily. When you move your cursor to an interface icon in the taskbar, the icon will show you the name of the interface, the speed of your connection, and the number of packets sent and received. The interface icons blink during packet transfer and other activity.

If you can't use a NetBIOS name to connect to another computer on the internal network, use an IP address or make sure you have a static name-resolution method. You can use the LMHOSTS file, but using a DHCP server might be a better choice. If you're using a DHCP server on the private network, don't forget to turn off the DHCP allocator.

NAT Is All You Need
NAT will probably become a favorite feature for many Win2K users. NAT is an efficient, simple, reliable, and inexpensive solution to Internet connectivity for branch offices and small networks. NAT is beneficial for several reasons. The ability to use PPTP is a big plus, and the filtering capabilities, port translation, and on-demand dialing are extra bonuses. The ability to add NAT editors in the future makes this service even more attractive. If you've been looking at Proxy Server and third-party solutions, you might want to check out Win2K's NAT server. You might discover that NAT is all you need.

Reader Comments
Excellent article. Wish NAT was addressed for multi-homed W2K Servers that support 2 or more private networks.

Hank Winter May 05, 2000


Very good article!
It answers why my ICS incoming connections don't work.
I will use NAT to do that.

Thanks again.

Huy Vu May 24, 2000


Brilliant article. Even though I know a good deal about the topic, this article helped me to explain it in simpler terms to my managers.

Gary Kirrane May 25, 2000


An excellent article, much more lucid than a recent one on the same topic on MSDN. The author has laid out the options and the trade-offs in a clear and understandable fashion. Thank You!

Raj Manickam May 25, 2000


Excellent article. NAT is truly all I need!

John Naber June 01, 2000


I just found your article.. I could have used it earlier.. I spent most of the weekend addressing these issues and here you have it all in black and white, I will try again... thank you!

Stephen Mora July 03, 2000


An excellent article; however, I think that the subject of SNMP was underaddressed. I have a three-system network. My Windows 2000 server has two network interface cards: one connected to a 10-base-T hub and one connected to my DSL modem. The other two machines on the network are Windows 98SE and Windows 2000 Professional. Using NAT, DNS and DHCP I have all three systems accessing the web through the DSL modem. I can get web pages, newsgroups and incoming mail, but I cannot send mail. This seems critical to any real SOHO, yet all the articles on this subject seem to treat the SNMP problems with NAT, ICS, etc. as minor. I'd like to see another article, one that focuses on trying to solve a typical SOHO configuration (web access, FTP access, mail access) using DSL or cable modem and explores the options and restrictions of the various options.

Kent Bair August 09, 2000


Very good article, however I also have the issue of SMTP. Usually SOHOs use their internet connection to do email as well as HTTP. Microsoft didn't see this as a major issue?

Russ Galloway August 30, 2000


Hmmm... Good...
But ICS works with a different address, 192.168.0.1.

Mugz November 22, 2000


I've been in 6 help desk forums on this issue, and this is the best manual I have read until now.

Yuval Sinay January 17, 2001


Corrections to this Article:

  • "Windows 2000's Network Address Translation" incorrectly states that to use the DHCP server on your Windows 2000 (Win2K) server instead of enabling the DHCP allocator, select the Automatically assign IP addresses by using DHCP check box. You need to clear that check box.