Get Connected with NAT
Windows 2000 makes it easy for small networks to get their share of the Net. Here’s how to implement it on those systems.
        
        
By Michael Chacon
April 01, 2001
Last month I discussed the basic concept of Network Address Translation (NAT) and how it’s generally used to address the problem of address space, which has been diminishing with the growing number of devices attaching themselves to the Internet. We built a frame of reference for the discussion I want to cover this month: how NAT is implemented in Windows 2000 and the steps necessary to install it on your system.
      
NAT in Win2K
In Win2K, NAT is a component of the Routing and Remote Access service and is closely tied to the TCP/IP protocol stack. This integration shows up as support for address mappings along with dynamic and static port mappings as packets flow in and out of the NAT interface between the private and public networks.
When an IP device attempts to reach an address that’s external to the private network, the IP Router Manager directs the packets through NAT. NAT determines whether there’s an existing mapping that can be used for this source address. If a mapping exists, NAT translates the address or port information so that the return traffic can find the source device.
The number of public addresses available for mapping determines whether a port number or a complete address is used. If there are multiple addresses, one of them is used as the mapping partner for the private internal address. If only one public address is available, one of that address’s port numbers is mapped to the internal private address, which is called Port Address Translation (PAT). If your NAT server is using multiple addresses, it’ll switch to the PAT process automatically when it runs out of public address space, which is transparent to the user.
Check, Double Check
The next step in this process is for NAT to check whether any registered editors are needed. As I mentioned last month, editors modify address information that’s carried in the data portion of the packet. If necessary, the packets are modified appropriately and a new checksum is generated so the resulting frame isn’t discarded by standard IP error checking. The packet is then forwarded to the external interface and proceeds across the Internet like any other packet. The destination device won’t be aware that the packet has been modified and will respond using the NAT interface as the ultimate source address.
When the response traffic is received by the NAT interface, the process is reversed, with one exception: when NAT checks for an existing mapping and none exists, the packet is discarded rather than a new mapping being created. This characteristic is commonly used as a security enforcement point when a NAT network component is considered part of a security design.
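To make the mapping decisions above concrete, here is a small Python model added for this article (it is not code from the article or from Windows 2000). It pairs a private host with a whole public address while the pool lasts, falls back to PAT on the interface address once the pool is exhausted, reverse-translates replies through the table, honors a statically reserved port, and drops any inbound packet that matches no mapping. The addresses, ports and the 1025 starting PAT port are constructed sample values; the scenario in `demo()` uses one spare pool address and reserves port 80 for an internal web host.

```python
class Win2kNatTable:
    """Toy model of the mapping decisions described above; all values are constructed."""
    def __init__(self, interface_ip, extra_public=(), static_ports=None):
        self.interface_ip = interface_ip        # address bound to the public NIC
        self.free_public = list(extra_public)   # spare public addresses in the pool
        self.addr_map = {}                      # private ip -> public ip (whole address)
        self.addr_rev = {}                      # public ip -> private ip
        self.pat_map = {}                       # (private ip, port) -> public port
        self.pat_rev = {}                       # public port -> (private ip, port)
        self.static = dict(static_ports or {})  # reserved public port -> (private ip, port)
        self.next_pat_port = 1025               # constructed starting point for PAT ports

    def outbound(self, priv_ip, priv_port):
        """Translate an outgoing packet, creating a mapping if none exists yet."""
        if priv_ip in self.addr_map:            # existing whole-address mapping
            return self.addr_map[priv_ip], priv_port
        if self.free_public:                    # pool not exhausted: pair a whole address
            pub = self.free_public.pop(0)
            self.addr_map[priv_ip] = pub
            self.addr_rev[pub] = priv_ip
            return pub, priv_port
        key = (priv_ip, priv_port)              # pool exhausted: fall back to PAT
        if key not in self.pat_map:
            while self.next_pat_port in self.static:   # never hand out a reserved port
                self.next_pat_port += 1
            self.pat_map[key] = self.next_pat_port
            self.pat_rev[self.next_pat_port] = key
            self.next_pat_port += 1
        return self.interface_ip, self.pat_map[key]

    def inbound(self, pub_ip, pub_port):
        """Reverse-translate a reply; None means no mapping exists, so the packet is dropped."""
        if pub_ip in self.addr_rev:
            return self.addr_rev[pub_ip], pub_port
        if pub_ip == self.interface_ip:
            if pub_port in self.pat_rev:
                return self.pat_rev[pub_port]
            if pub_port in self.static:         # statically reserved application port
                return self.static[pub_port]
        return None


def demo():
    nat = Win2kNatTable("203.0.113.10", ["203.0.113.11"], {80: ("192.168.0.5", 80)})
    a = nat.outbound("192.168.0.2", 40000)      # takes the spare public address
    b = nat.outbound("192.168.0.3", 40000)      # pool empty -> PAT on the interface
    replies = (nat.inbound(*a), nat.inbound(*b))
    stray = nat.inbound("203.0.113.10", 5555)   # unsolicited inbound: no mapping, dropped
    web = nat.inbound("203.0.113.10", 80)       # static mapping lets it through
    return a, b, replies, stray, web
```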
As you can see, the NAT process in Win2K closely follows the generic NAT behavior I discussed last month. As you can also imagine, without a solid understanding of IP addressing, including subnet masking, an organization can run into serious issues that affect the successful connection of its network to the Internet. To ease some of these problems, Win2K combines some complementary services with its NAT implementation.
At Your Service
Two robust services that are useful to any IP network have scaled-down versions integrated into the Win2K version of NAT. One is the DHCP allocator, and the other is a DNS proxy service. Both were added to the NAT software to simplify configuration for smaller networks (such as SOHO environments) where on-site expertise may be lacking.
The DHCP allocator service is a mini DHCP server that provides the minimum amount of information a client needs to participate on an IP network. Unlike a full-featured DHCP server, the information dispensed by the NAT DHCP allocator is limited to the following:
- Subnet mask
- Default gateway
- DNS server
- Renewal time
- Rebinding time
- IP address lease time
- DNS domain
These are the only options available with this mini version of DHCP, and it supports only one set, or scope, of addresses. As you can see, the NAT DHCP allocator doesn’t supply service for a network of any significant size, but it does address the needs of very small networks. If you have a network that requires multiple scopes and the other functions of a full DHCP server, you’ll need to disable the DHCP allocator component of the NAT software and install a full version of the DHCP server.
NAT uses the DNS proxy to provide basic name-resolution service by passing resolution requests to a regular DNS server that’s configured in the NAT device’s IP stack. This is usually the DNS server provided by your ISP. With this function, a small organization doesn’t need any more DNS expertise than it would need to configure an IP stack per its ISP’s instructions. As with the DHCP allocator, the NAT DNS proxy isn’t needed if you have a full-featured DNS system.
Nuts and Bolts
When you install Win2K Server, the NAT software components are installed automatically, but they’re disabled by default. Before you enable the NAT software, make sure you have the hardware necessary for an interface on your internal network and an interface on your external network. For example, you may need an Ethernet NIC on your internal private network and an ISDN adapter for the connection to your ISP. After you’ve installed the appropriate hardware, select the Start | Administrative Tools | Configure Server menu option to bring up Figure 1.
Figure 1. Once you ensure that you’ve installed the required hardware, you can begin the process of configuring your server and obtain further information regarding remote access.
You’re provided with information regarding Remote Access and an option to learn more about it, which opens the fairly detailed help files. When you click Open Routing and Remote Access, the screen in Figure 2 is presented.
Figure 2. Opening the Routing and Remote Access Welcome window guides you to the Action menu option to begin server configuration.
Select the Action menu option and you’ll see Configure and Enable Routing and Remote Access, which brings up an installation wizard. The first important screen displays several configurations available for the router software. After you select one of the configurations, such as Internet Connection Server, you can choose a “minified” version of NAT, called Internet Connection Sharing (ICS), or the fully configurable version of NAT, as shown in Figure 3.
Figure 3. Once you begin the installation wizard, you can choose either ICS, which is a limited version of NAT, or a fully configurable version of NAT.
Keeping it Simple
ICS is for very, very small networks and doesn’t allow any configuration changes, including disabling the DHCP allocator or even changing the range of private IP addresses. It’s for organizations that simply want the devices on their small network to access each other and the Internet. They may not have anyone available who understands how the IP protocol works — or wouldn’t gain any benefit from the otherwise resulting complexity. They can just enable ICS, configure all workstations for DHCP and get to work. However, if, for example, you have any other domain controllers, DNS or DHCP servers, or even other statically addressed devices on your network, you need to select NAT and bypass the rigidity of ICS. Under the covers, they provide the same functionality; ICS is just a static configuration of NAT.
After you choose NAT and press Next, the available interfaces are displayed, showing you the type of connection, the IP address of each connection and the logical name of the interface (Figure 4). Here you can choose a synchronous connection or create a dial-up asynchronous connection to your ISP. After you select either a demand-dial connection or two physical connections, as shown in Figure 4, you’re presented with a final screen and the service is enabled.
Figure 4. Once you’ve chosen NAT, the available interfaces are displayed, showing you the type of connection, the IP addresses of each connection and the logical name of the interface.
When you return to the Routing and Remote Access menu option, you can see the new routing options available to configure (Figure 5).
Figure 5. Once you’ve chosen your connection and enabled the service, the Routing and Remote Access menu offers you new routing options.
I’m interested in the NAT component, so I’ve selected its Properties page in the Routing and Remote Access administrative tool. This brings up the general configuration options for NAT.
Setting up Shop
The General tab lets you enable the logging of events and warnings. The Translation tab allows you to set how long dynamic mappings for TCP and UDP packets will last. This is also where you can control access to specific applications by reserving their port numbers. The Name Resolution tab allows you to turn on the DNS proxy software. The Address Assignment tab (Figure 6) is where you can enable the DHCP allocator and set the internal private IP address of the NAT server itself. You can also exclude any static addresses that you may have configured on the internal private side of the network. In the main Routing and Remote Access administration interface tool (Figure 7), you can manage each interface independently. By right-clicking and choosing Properties, I can now configure Cox Cable, which is the public interface on this machine. This brings up Figure 8.
Figure 6. NAT’s Properties tabs lead to a variety of options, including address assignment, which lets you enable the DHCP allocator and set the internal private IP address of the NAT server itself.

Figure 7. The Routing and Remote Access administration interface tool allows you to manage each interface independently.

Figure 8. Via the Properties page, you can configure the public interface on the machine and confirm your settings.
The General tab shows that this is indeed the public interface and that header translation is enabled. The Address Pool tab allows you to enter a range of public addresses available for translation mappings. There’s also an option to create any static mappings you might want, as shown in Figure 9.
Figure 9. You can create any static mappings and reserve an IP address from the public address pool for a specific computer on the private network.
The Port tab is used when you have only one public address available, which, of course, is the one bound to the public interface. Here you can create any port mapping assignments that you want to make statically.
Additional Information: To learn more about NAT, including troubleshooting techniques, check out the Windows 2000 Resource Kit Internetworking Guide, Chapter 3, “Unicast IP Routing.”

While the basic setup of NAT is fairly straightforward, you need to understand the applications you want to make available, or to be able to reach, through NAT. The main piece of information you usually need to consider is the port number, or numbers, that the applications use to identify themselves in TCP or UDP sessions. I’d recommend that you fully test your NAT configuration with any applications you need in an isolated environment before moving it into production.
That said, I’d encourage you, particularly if you’re in a small organization, to explore and take advantage of the possibilities and flexibility that NAT can bring to your network. Also, keep in mind that in this scenario the Win2K server was directly connected to the Internet sans security. So be sure to keep yourself (and your network) protected. Enjoy!