Get security and cost-effective Internet sharing

In this age when limited IP addresses conflict with the ever-expanding number of computers attached to the Internet, many companies and home users have had to look for ways to use one IP address to connect their networks to the Internet. Trying to keep such systems secure is a challenge. Enter Network Address Translation. NAT can be a useful tool for home networks and large companies alike. You can configure NAT quickly and easily in Windows 2000 Server, allowing for inexpensive Internet sharing and basic security.

A Crash Course in NAT
NAT is a popular way to share a common Internet IP address among the systems within your network. In its most fundamental form, NAT maps the valid external IP address that your ISP provides to the invalid internal IP addresses of the systems behind your NAT implementation. (By invalid I mean addresses such as those in the 10.x.x.x range or 192.168.x.x range that work fine on internal networks but don't work on the Internet.)

When a system on your internal network requests data (e.g., a Web page), the system sends the request to the Internet. However, the request first passes through the NAT server. NAT then assigns a port through which the system's communications will pass (typically, a high-number port that isn't in use—e.g., 3003) and records the port number in a table. Next, NAT packs up the packet and stamps it with a unique, valid IP address that the packet uses to connect to the Internet. When the Web server receives the packet, the Web server completes the request and sends the packet back to the NAT server because that's the IP address the Web server sees. The NAT server receives the data, reads the return address port that it had previously specified for the packet, and routes the data to the appropriate system on the internal network.

For example, let's say a client sends a Web page-request packet to an external Web server. The packet has the client's internal source address (10.0.1.12). The destination is the Web server's address (125.108.0.9) and port 80. The NAT server receives the packet, chooses a free port number—5002—on its system, then adds an entry in the translation table that links packets coming to port 5002 to client address 10.0.1.12 and port 3003. Then, NAT replaces the source address with its own address and the source port 3003 with port 5002 and puts the packet on the Internet. The Web server receives the packet and responds with the Web page, sending packets to the NAT server on port 5002. The NAT server receives the Web page, replaces the port with 3003 and the destination address with the client's address, then puts the packet onto the internal network.
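The translation walk-through above, as a short Python model. This is an added example, not code from the article or from Win2K. The NAT server's public address (203.0.113.1) is an assumed documentation address, and the class and function names are hypothetical. It also shows what happens to an inbound packet that has no table entry.

```python
# Added example: a minimal port-translating NAT table (not Win2K's implementation).
from dataclasses import dataclass, field

NAT_PUBLIC_IP = "203.0.113.1"  # assumption: stands in for the ISP-assigned address


@dataclass
class NatTable:
    next_port: int = 5002  # first free public port, as in the article's example
    by_public_port: dict = field(default_factory=dict)  # public port -> (client ip, port)
    by_client: dict = field(default_factory=dict)       # (client ip, port) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal packet's source to the NAT server's address and port."""
        key = (src_ip, src_port)
        if key not in self.by_client:  # first packet of a flow: allocate and record
            self.by_client[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return (NAT_PUBLIC_IP, self.by_client[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a reply's destination back to the client, or return None."""
        entry = self.by_public_port.get(dst_port)
        if entry is None:  # nothing inside asked for this traffic: not forwarded
            return None
        client_ip, client_port = entry
        return (src_ip, src_port, client_ip, client_port)


def demo():
    nat = NatTable()
    # The article's flow: client 10.0.1.12:3003 requests a page from 125.108.0.9:80.
    sent = nat.outbound("10.0.1.12", 3003, "125.108.0.9", 80)
    reply = nat.inbound("125.108.0.9", 80, 5002)
    # Constructed probe from an unrelated host to a port with no table entry.
    unsolicited = nat.inbound("198.51.100.7", 4444, 5003)
    return sent, reply, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The model matches replies on the public port only; it does not check that the reply comes from the server the client contacted.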

Cost-Effective Internet Sharing
NAT can be practical for almost any small network that wants to share out its Internet connection. However, NAT doesn't scale up well to larger networks and can become rather ineffective because of the amount of time necessary to process, send, and receive requests from clients within the network. Therefore, you might think that only a home user or a small business can truly benefit from NAT—an assumption that isn't necessarily true. In many situations, NAT can help a large organization with an expansive network.

For example, let's say that a large organization has several small field offices that run on tight budgets. The field offices each need to network 10 systems to the Internet, but budgetary limitations don't let them purchase additional expensive hardware. Those offices could configure their network servers to use NAT. Thus, the small field offices get the Internet sharing they need for little cash outlay.

Many hardware routers include NAT support. Even the new battery of inexpensive small office/home office (SOHO) cable and DSL routers often come with a built-in NAT option. (You can install and configure NAT even if you don't have a broadband Internet connection, although high-speed connections are optimal.) However, what if you don't have the resources to purchase a NAT-enabled Cisco router for your network? What if the NAT-capable inexpensive cable and DSL routers aren't flexible enough to suit your needs (e.g., they can't connect enough systems because of insufficient network connections, they don't have the ability to block specific ports)? In situations such as these, you can turn to your OS for assistance. You can configure NAT in most OSs, including most types of Linux. Even Windows NT 4.0 has the ability to configure NAT, although doing so is often a difficult and cumbersome endeavor. Of the current OSs, Win2K provides one of the best implementations of NAT I've seen. NAT in Win2K is quick and easy to set up as well as fairly flexible in its design.

A word of caution: If you decide to implement NAT in an OS or with additional NAT software, keep in mind that you must secure your NAT server to protect it from attacks. In addition, I recommend that you secure each system behind your NAT server with at least strong passwords and removal of unnecessary services.

NAT Setup and Configuration
Win2K Server provides fairly complete NAT support out of the box and even provides an easy-to-use wizard to help you with basic NAT configuration. In Win2K, you implement NAT through RRAS.

For this example of a basic setup, you need Win2K Server installed with two NICs. Connect one NIC to the Internet and the other to the network. In this example, you can substitute the Internet connection with a dial-up connection or even a direct cable connection. In addition, if you have only one other computer in your network, the connection to the internal network can be a crossover cable connected to a second PC. (Crossover cables are the same as network cables except a few of the wires inside the cable are switched, letting two systems communicate directly, without a network hub or switch.)

I also recommend that you run DHCP for your internal network systems to make managing connections to your NAT server easier. Make sure that for your DHCP services, you specify the gateway as the internal IP address of your NAT server. In this way, when you've implemented NAT and your systems on the internal network connect to the Internet, those systems will point to the NAT server and thus gain Internet access. Remember that you should never place the server that provides DHCP addresses on your external Internet connection. If the DHCP server is open to the Internet, anyone on the same subnet as the DHCP server and using the same Internet provider could send a DHCP request and possibly hop on to your network without needing to be physically plugged in to it.

To begin configuring your NAT service, first ensure that the server is running and you're logged on as an Administrator. Next, open the RRAS console by clicking Start, Programs, Administrative Tools, Routing and Remote Access. (If you've installed but not enabled RRAS, you might see a red dot beside your server.) Right-click the server you're going to use for RRAS, then select Configure and Enable Routing and Remote Access. In the introductory dialog box of the RRAS Configuration Wizard, click Next. The Common Configurations dialog box lists the options that are available. Choose the Internet Connection Server option, then click Next. In the Internet Connection Server Setup dialog box, select the Set up a router with the Network Address Translation (NAT) routing protocol option, as Figure 1 shows, then click Next. The next dialog box displays the two NICs that you installed. Select the NIC that connects to the Internet, then click Next.

Depending on your server configuration, after you've selected the Internet NIC, the wizard requests which NIC you want to use for your internal network connection. The wizard might also display a dialog box stating that the IP address for the internal NIC must be an invalid IP address. If such a dialog box appears, the wizard will either make the change automatically or let you make the change manually. If the option to make the change manually is available, follow the appropriate prompts. Otherwise, click Next, Finish. When you've configured NAT, your NAT server will appear in the Routing and Remote Access console, as Figure 2 shows.

Securing Your NAT Server
If you've performed the steps I've laid out, NAT starts working right away. If NAT doesn't start right away, reboot both the server and your workstation to refresh all the new settings. Next, use a Web browser on a machine that's on the internal network to try to connect to a Web site. If you can't surf the Web as usual, double-check your Internet connection on the NAT server. If the connection is working, you might have selected the wrong interfaces in the RRAS Configuration Wizard, or you might not have configured your DHCP service with the appropriate information. Double-check your settings in RRAS, then make the appropriate changes.

When your NAT service is functioning properly, you can configure special ports that let data pass to a specific address on the internal network. To configure these ports, right-click the interface (Public or Private) that's connected to the Internet, then select Properties. In the connection's Properties dialog box, click the Special Ports tab, then specify the TCP and UDP ports that you want to open for your clients on the network.

In addition to opening special ports, you can also secure your NAT-enabled server and network by blocking access according to IP address. To block access, open the RRAS console, then locate your NAT server. Double-click the NAT server to display the folders that reside beneath it. Click the General folder to display its contents in the right pane of the RRAS console. At least three entries appear: Internal, External, and Loop Back. Right-click External in the right pane, then select Properties. In the External Properties dialog box, click the General tab. Choose the Input Filters option to open the Input Filters dialog box, which Figure 3 shows. From this dialog box, you can specify network addresses and protocols that you don't want to connect to a particular network or address. Click Add. In the Edit IP Filter dialog box, which Figure 4 shows, use the Protocol drop-down list to see the list of protocols that you can block.

Select TCP from the Protocol drop-down list. Two new text boxes called Source port and Destination port appear. In the Destination port text box, enter 6699, which is the default port that Napster uses. Leave the other settings as they are, then click OK. By following these steps, you tell Win2K to block any inbound connections to the external Internet connection destined for port 6699 from any network to any network. Another good port to block is the nefarious NetBIOS port 139. Blocking port 139 helps prevent a wide number of exploits against NetBIOS on this port.

You can use IP filters on many ports. For example, if you know the IP address range of a particular service, such as @Home, from which you experience a lot of intrusion attempts, consider entering that service's network address information. For more information about configuring inbound ports for various network services (e.g., SMTP, Network News Transfer Protocol—NNTP), see the Microsoft article "How to Configure Input Filters for Services That Run Behind Network Address Translation" (http://support.microsoft.com/support/kb/articles/q254/0/18.asp).
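To check what a set of input filters actually admits, the following Python model evaluates sample inbound packets against the two filters configured above (TCP 6699 and TCP 139). It is an added example, not RRAS code and not part of the original article. The names are hypothetical, the packets are constructed, and the `mode` values are assumed labels for a block-list reading (what the article configures) and its opposite, an allow-list reading.

```python
# Added example: evaluating inbound packets against input filters (a model, not RRAS code).
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class InputFilter:
    protocol: str                          # "TCP" or "UDP"
    dst_port: int
    src_net: ipaddress.IPv4Network = ANY   # "any network" unless a source range is given

    def matches(self, protocol, src_ip, dst_port):
        return (protocol == self.protocol and dst_port == self.dst_port
                and ipaddress.ip_address(src_ip) in self.src_net)


def admit(filters, protocol, src_ip, dst_port, mode="receive_all_except"):
    """Return True if the external interface accepts the packet.

    mode="receive_all_except": packets matching a filter are dropped (the article's setup).
    mode="drop_all_except":    only packets matching a filter are accepted.
    """
    hit = any(f.matches(protocol, src_ip, dst_port) for f in filters)
    return not hit if mode == "receive_all_except" else hit


# The article's two filters: Napster's default port and NetBIOS port 139, from any network.
FILTERS = [InputFilter("TCP", 6699), InputFilter("TCP", 139)]

# Constructed sample packets: (protocol, source IP, destination port).
PACKETS = [("TCP", "198.51.100.7", 6699), ("TCP", "198.51.100.7", 139),
           ("TCP", "198.51.100.7", 80), ("UDP", "198.51.100.7", 6699)]


def verdicts(mode="receive_all_except"):
    return [admit(FILTERS, *p, mode=mode) for p in PACKETS]


if __name__ == "__main__":
    print(verdicts())                   # block-list behaviour
    print(verdicts("drop_all_except"))  # same filters read as an allow list
```

The last sample packet is admitted in block-list mode because a TCP filter on port 6699 does not cover UDP traffic to the same port.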

Here's another tip: If you don't already have a full DHCP service running on your NAT server, you can configure NAT to provide DHCP services by selecting that option after NAT installation. To find this option, right-click your NAT server in the RRAS console, then select Properties. In the NAT Properties dialog box, click the Address Assignment tab, then select the Automatically assign IP addresses by using DHCP check box. NAT will automatically assign the appropriate addresses for your clients. However, depending on the complexity of your network, you might want to use Win2K DHCP services to configure your own DHCP scope.

Beyond being an effective way to connect small to midsized networks to the Internet, NAT can also provide security through a basic firewall design. This method is commonly referred to as "security through obscurity" because the Internet sees only the one valid Internet IP address, not the 30 or 40 invalid IP addresses on the inside. Of course, this obscurity doesn't mean that any systems behind a NAT implementation are automatically safe from a truly determined intruder, but obscuring your systems with NAT can make things quite a bit harder for such an intruder.

Putting NAT to Work in Your Environment
Take some time to set up and configure a NAT implementation on your network or on a test network to learn the ins and outs of this service. Many different applications are available for NAT in small and larger companies as well as in home networks.