Use Network Address Translation to extend your ability to share a routable IP address in an internal network

In "The Eternal Quest: Connect Your Small Network to the Internet" (November 2000), I explain how to use Windows 2000's built-in Network Address Translation (NAT) feature to mimic the similar but simpler Internet Connection Sharing (ICS) function. ICS appears not only in Win2K Server but also in Win2K Professional, Windows 98 Second Edition (Win98SE), and Windows Millennium Edition (Windows Me); NAT comes only with Win2K Server. NAT and ICS let you share one routable IP address with dozens of computers on an internal network. Those internal computers get nonroutable addresses from a range of addresses starting at To use NAT or ICS to share an Internet connection, you connect one computer to both the external, routable public Internet and to the internal, nonroutable network. That computer runs NAT or ICS and acts as a router. In this issue, I explain how to extend what that router can do.

Discussions about sharing only one or a few routable addresses with many machines on a nonroutable network usually assume you have a Digital Subscriber Line (DSL) or cable-modem connection. But NAT's target market isn't limited to those who have always-on Internet connections. A training lab is one case that can often benefit from NAT or ICS. Most medium-sized to large companies have a room or two filled with networked computers that the company uses to teach classes. Those computers typically get nonroutable addresses. But sometimes trainees need Internet access, so corporate IT departments usually set aside a routable address or two for the training lab and share those routable addresses with the lab's nonroutable addresses. Most labs use a Cisco Systems router to share the routable addresses, but a Win2K server that is already in the training lab could do the router's job and save the company the cost of a separate router.

As I explained in "The Eternal Quest: Connect Your Small Network to the Internet," sharing a routable address through ICS lets the internal (nonroutable) computers initiate conversations with the Internet but doesn't let other Internet-connected computers access the internal machines. So, although an internal computer can surf an external Web site, you wouldn't want to use ICS to set up one of your internal computers as a Web server, because machines on the public Internet couldn't surf your Web site. Is there a way around this limitation? If your internal machine runs ICS, no—you're stuck. But with NAT, you can easily arrange matters so that external computers can connect to resources on your internal network. (Of course, if the connection you're sharing is in a training lab, you might see the ICS limitation as a feature rather than a problem.)

How you let computers on the Internet access an internal Web server (or mail server or FTP server or any other kind of server) depends crucially on the answer to one question: How many routable IP addresses do you have available? Let's first consider the case in which you have only one routable IP address. You have no choice about what to do with that address—you must assign it to the computer that acts as the router (for simplicity, I'll call that computer the router).

One way to offer a public Web server in this one-address case, of course, is to set up Microsoft IIS on the router. But you might not want to do that, either because Win2K and Windows NT aren't good at doing a lot of different things on one machine, or perhaps because you need a system with more horsepower to run a complex site. (I should note that putting more than one function on a Win2K or NT server might be complicated if your service provider doesn't give you a fixed IP address. If your IP address is dynamic, publishing your Web server's IP address in DNS isn't practical because the DNS information will always be out-of-date.)

Let's assume that your router has a routable IP address of and that the router's internal nonroutable address is Let's suppose that the internal computer that runs your Web server has the nonroutable address That Web server needs a routable address to be visible to the public Internet, but you've already used your only routable address on the router. What can you do?

NAT lets you redirect communications through a particular router port to a specified port on a computer on the internal network. Web connections always come in to a Web server on port 80, so you simply tell the router to refer any incoming communications on the router's port 80 to port 80 on the machine at the address. Win2K's NAT software calls such a port-to-port connection a special port. To create a special port on my sample network, I go to the routable machine at and click Start, Programs, Administrative Tools, Routing and Remote Access. A Microsoft Management Console (MMC) window appears and shows my router machine as an icon with a plus sign next to it. I click the plus sign to open the router's options. (If you try this procedure and find the icon already open, then you've likely messed around with RRAS in the past and MMC remembers how you left RRAS. This example also assumes that you've read and implemented the routing instructions I discussed in my November 2000 column.)

Objects that represent routing options appear in the right-hand pane. I open the object labeled IP Routing, which contains an icon labeled Network Address Translation (NAT). I click that icon, and my router's public ( and private ( interfaces appear in the right-hand pane. Then, I right-click the public interface, choose Properties, and click the Special Ports tab. Because no special ports are on the router yet, I click Add to create a special port. The Add Special Port dialog box appears. The dialog box, which Figure 1 shows, asks me to specify an Incoming port, a Private address, and an Outgoing port. I enter the values 80,, and 80, respectively, then I click OK.

Let's review what I'm trying to accomplish here: A request comes in to the HTTP port on the router at (in other words, a request comes in to, where 80 is the HTTP port). I want NAT to move the request to port 80 on the machine at address (In my experience, you would rarely want to use different incoming and outgoing ports, but if for some reason you did want to set up the Web server at on, say, port 10000, you'd enter the value 10000 in the Outgoing port field so that traffic from the Internet—which expects to do Web business on port 80—would get to the Web server.)

If you've spent a few extra bucks and obtained multiple IP addresses from your ISP, or if you're working in a corporate environment and have wheedled a few additional addresses out of IT, you have some more options. With extra IP addresses in hand, you might be able to go a step further in connecting your internal systems to the Internet. If you bought a block of routable IP addresses from your ISP, you'll need a router at your site to handle routing for those addresses. So far, because I've assumed you have only one IP address, I've discussed only using Win2K's routing function to serve systems on the nonroutable network. But if you have more than one routable IP address, you'll need to configure your PC router to function as a more traditional kind of IP router—a box that receives routable traffic for a number of addresses and then distributes that traffic to other computers on the subnet. RRAS can handle that job—Windows has been able to distribute traffic on the subnet since NT 3.5, although under Win2K you'll need to learn to click your way to routerdom instead of using the old Route Add command.

If you're connecting one subnet to another subnet locally, as you would do in a training lab, then routing is simple—your router PC requires nothing more complex than two Ethernet cards. But if you have a few IP addresses and are connected to a WAN, then you have another problem: figuring out how to connect your router PC to the ISP. The WAN connection can be tricky. Some of you might use modems to connect full-time to your ISP, and of course connecting Win2K to a modem is easy. (Keeping the dial-up connection in place is a bit of a trick, but that's the price you pay for a cheap WAN link.) If your WAN connection is through frame relay or a leased line, you can use a device that lets you directly connect a Win2K box to that WAN link. To the best of my knowledge, however, no way exists to use an NT box to directly connect to DSL, so DSL customers might be out of luck.

After you've connected your router to both networks, it's time to set up the static routes. I'll explain how to do that, as well as how to "glue" an entire routable address to a nonroutable address, in an upcoming column. For more information about NAT in the meantime, see "Related Articles in Previous Issues."

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at

"Windows 2000's Network Address Translation," February 2000, InstantDoc ID 7882
Inside Out, "Internet Connection Sharing," October 1999, InstantDoc ID 7221