Win2K's Internet Connection Sharing or Network Address Translation can pave the way

Working in the network business means dealing with the unpredictable, but no matter the month, season, or year, I can count on one thing: lots of readers asking how to connect small LANs to the Internet. This month, let's revisit the topic and compare some of the new routing capabilities that Windows 2000's Internet Connection Sharing (ICS) and Network Address Translation (NAT) offer small office/home office (SOHO) networks that have a Win2K setup.

If you have a SOHO and want to get your network on the Internet, you first need to jump two hurdles: establishing a persistent connection and assigning multiple addresses. Persistent connection refers to the fact that you can't host a DNS, Web, mail, or other server unless that server connects to the Internet 24 * 7. (You dial-up folks are out of luck, unless you want to try to patch together some kind of automatic dialing system that will try to keep you connected to your ISP.) For this discussion, I'll assume that you connect a Win2K Server machine, which I'll call W2KBOX, to the Internet through Digital Subscriber Line (DSL) or a two-way cable modem and that you also use an Ethernet card to connect W2KBOX to DSL or the cable modem and use a second Ethernet card to connect W2KBOX to the internal network. Don't bother setting IP addresses on the NIC attached to the internal network or to any of the computers on the internal network.

To communicate on the Internet, W2KBOX needs a routable IP address from your DSL or cable-modem vendor. Some vendors assign a static IP address to an Ethernet card; other vendors use DHCP to assign the address. Either way, you usually get only one IP address from a vendor. So how do you share that high-speed Internet connection with the other machines on your internal network? You can't simply make up IP addresses to assign to your other boxes; even if you could convince W2KBOX to route traffic to the Internet from your internal machines, other Internet routers would immediately sense the dubious provenance of your internal network's IP packets and drop those packets in the bit bucket.

You have two Internet sharing options: ICS and NAT. I covered ICS in detail in "Internet Connection Sharing," October 1999, but I'll quickly review that option. Right-click My Network Places, then choose Properties. You'll probably see at least two objects that represent your NICs. (On my system, these objects are labeled Local Area Connection and Local Area Connection 2.) Right-click the object that represents the Internet-attached NIC and choose Properties. On that Properties dialog box, go to the Sharing tab, select the Enable Internet Connection Sharing for this connection check box, click OK, then click Yes on the resulting dialog box.

After a brief delay, ICS will start working. The NIC that attaches to the private network now has the static IP address W2KBOX now runs a simple DHCP server that hands out IP addresses in the private network range of through Set the internal network computers to query DHCP for their IP addresses, then reboot the machines: The machines will get addresses on the network and will look to the system as their default gateway. A ping from any system on the internal network will confirm that the network has Internet connectivity.

However, ICS has several limitations. First, you can't configure any options for ICS's DHCP server. Second, although all your systems can access systems on the Internet, systems on the Internet can't access your machines. If I were to ping your system at (for example) from a computer on the Internet, I wouldn't get a response from your system.

The second limitation might be good from a security standpoint— many people might not see it as a disadvantage at all. But suppose you use an internal Web server to host a terrific site that you want to offer to the public. And suppose you use a different machine to run your mail server (which won't do much good unless it can both send and receive mail). You could, of course, install the Web server and mail server software on W2KBOX, but you might not want one box acting as router, Web server, and mail server. To make this type of situation work, you'll need to abandon ICS in favor of NAT and its support of inbound connections.

NAT is a bit more complex to set up than ICS is. Let's begin by using NAT simply to duplicate ICS's functions. The first order of business is to disable ICS on W2KBOX. Then, assign the address to the NIC that attaches to the internal network.

Next, you must enable RRAS. From Administrative Tools, open the Microsoft Management Console (MMC) Routing and Remote Access snap-in. You'll see an icon representing your Internet-connected computer (e.g., W2KBOX) in the left-hand pane of the MMC screen. (You might need to select Add Server from the context menu before this option is available.) Right-click the icon and choose Configure and Enable Routing and Remote Access to start one of the wizards that seem to permeate Win2K. Click Next to get to the first screen, select Manually configured server (we tough NAT-configuration types take no shortcuts), click Next, then click Finish. Click Yes to confirm that you want to start the service.

By default, RRAS enables a lot of options that you probably don't need, including RAS. Let's shut off all that unnecessary stuff. In the Routing and Remote Access snap-in, right-click the icon that represents W2KBOX and click Properties. Select the Local Area Network (LAN) routing only radio button beneath the Router check box, clear the Remote Access Server check box, then click OK. Click Yes to confirm that you want to restart RRAS.

Next, tell RRAS that you want to create a NAT router. In the Routing and Remote Access snap-in's left-hand pane, open the server object. You'll see an IP Routing object; open it, then right-click General and choose New Routing Protocol. You'll see several options; select Network Address Translation and click OK. Back in the snap-in, you'll see that the left-hand pane now contains, under IP Routing, an object labeled Network Address Translation (NAT). You can now tell NAT to act as a DHCP server, as ICS did. Right-click the NAT object, choose Properties, and go to the Address Assignment tab. The options on this tab let you define the range of addresses that your NAT router will give out to the machines on the private network. Select the Automatically assign IP addresses by using DHCP check box and choose the range of addresses that you want to hand out. Go to the Name Resolution tab, select the Clients using Domain Name System (DNS) check box, and click OK. This approach lets your NAT router act as a kind of DNS proxy. The machines on the private network look to the NAT router to resolve DNS addresses; the NAT router then goes to its local DNS server to resolve those addresses and passes the IP addresses to the internal-network machines.

But don't try to route from the internal network yet. You have one more task: You need to tell NAT which NIC attaches to the internal network and which NIC attaches to the Internet. Right-click the NAT object and choose New Interface; you'll get a dialog box that lists your two NICs. Select the NIC that connects to the Internet, then select the Public interface connected to the Internet radio button, which tells NAT that this NIC is the one that has the routable addresses. Also select the Translate TCP/UDP headers (recommended) check box and click OK. (Translating headers is the only way that NAT can make one TCP/IP address serve many systems simultaneously.) You've told NAT where to find the Internet; now tell NAT which segment to share that Internet connection with. Again, right-click the NAT object and choose New Interface. Select the NIC that connects to the nonroutable network, and this time, select the Private interface connected to private network radio button. Click OK.

Reboot your internal network's systems, and they will see your Internet-connected computer as a DHCP server handing out IP addresses in the subnet. Congratulations; you've used NAT to duplicate ICS's functionality. In my next column, I'll show you how to take NAT further and use it to permit inbound IP connections as well as outbound connections.