Network address translation (NAT) lets several computers that use private IP addresses share one internet connection that has a single public IP address.
Public addresses are assigned by the InterNIC and are unique on the internet. Private addresses (see RFC 1918) can be used on the internal network for machines that do not access the internet directly. The following ranges of private IP addresses can be used:
- 10.0.0.0 - 10.255.255.255, subnet mask 255.0.0.0
- 172.16.0.0 - 172.31.255.255, subnet mask 255.240.0.0
- 192.168.0.0 - 192.168.255.255, subnet mask 255.255.0.0 (default used by NAT)
These private addresses cannot be reached via the internet as they are not known within the internet routers. The clients using these addresses should use a proxy server or NAT to reach the internet.
You can install NAT as a routing protocol in the Routing and Remote Access snap-in.
NAT consists of the following components:
- Translation component. This component translates the IP addresses and the TCP/UDP port numbers of packets that are transferred between the private network and the internet.
- Addressing component. This component is called the DHCP allocator. It provides IP addresses to the clients on the network by acting as a simplified DHCP server. It provides the clients the following data:
  You cannot modify or extend these options. The DHCP allocator does not support more than one scope, superscopes or multicast scopes.
- Name resolution component. The NAT server acts as a DNS proxy for the clients. It forwards the DNS requests of the clients to the internet DNS server.
NAT can use static and dynamic mappings. A static mapping is used when the internal client (private IP address) and the public internet address are always the same. Dynamic mappings are created when a client on the internal network (private IP address) makes a connection with the internet. In this case an entry is created in the NAT mapping table. If these entries are not refreshed, they are removed from the mapping table. The default time-out for TCP connections is 24 hours, the default time-out for UDP connections is 1 minute.
When NAT translates IP addresses and TCP/UDP ports, the following fields in the IP, TCP and UDP headers are modified:
- Source IP address
- TCP, UDP and IP checksum
- Source port
As there are protocols and applications that also carry IP address or port information inside their own headers, NAT editors are required. These editors translate the additional IP information in those headers. Windows 2000 contains NAT editors for:
- ICMP
- FTP. FTP stores IP address information in the FTP header.
- NetBIOS over TCP/IP
- PPTP
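The FTP case above is the clearest illustration of why an editor is needed: the client's PORT command carries its private address and a port number inside the FTP payload, so rewriting the IP header alone leaves the server with an unreachable address. The following is an added example (not code from Windows 2000 or from this page) of the payload rewrite an FTP editor has to perform; the public address 203.0.113.5 and port 1025 are constructed sample values.

```python
import re

# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" carries the client's IP address
# and a data-connection port (p1*256 + p2) inside the payload, so translating
# the IP header alone is not enough.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from a PORT command, or None for any other FTP line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:      # malformed: reject rather than guess
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def rewrite_port_command(line, public_ip, public_port):
    """Rewrite the embedded address and port the way an FTP NAT editor would.

    Returns (new_line, length_delta). A non-zero delta matters: the TCP payload
    changed size, so the sequence and acknowledgement numbers on that connection
    must be adjusted by the same amount for the rest of its lifetime.
    """
    if parse_port_command(line) is None:
        return line, 0
    new_line = "PORT %s,%d,%d\r\n" % (public_ip.replace(".", ","),
                                      public_port // 256, public_port % 256)
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample: a client at 192.168.0.10 announces data port 40000
    original = "PORT 192,168,0,10,156,64\r\n"
    print(parse_port_command(original))
    print(rewrite_port_command(original, "203.0.113.5", 1025))
```

The length delta is the part that is easy to forget: once the editor has shortened or lengthened one segment, every later sequence number from the client and every acknowledgement number from the server on that control connection is off by that amount until the connection closes.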
The NAT routing protocol includes proxy software for the following protocols:
- DirectPlay
- H.323
- LDAP-based Internet Locator Service (ILS) registration
- Remote procedure call
If there is no NAT editor available for a protocol or application, you can transport the data in a tunnel via the L2TP or PPTP protocol.
The process of handling outbound traffic:
1. NAT checks if there is already a static or dynamic mapping. If not, a new dynamic mapping is created.
2. When creating the new dynamic mapping, NAT checks whether multiple public IP addresses are available. If one is still unused, that public IP address is used and the ports are not translated. If there is only one public IP address, or if all public IP addresses are already in use, NAT requests a unique TCP or UDP port for the mapping.
3. NAT checks if a NAT editor is needed. If so, the NAT editor modifies the packets.
4. NAT translates the TCP or UDP header, modifies the source port if needed and updates the checksum.
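To make the mapping-table behaviour described above concrete (static versus dynamic mappings with their 24-hour and 1-minute time-outs, the "spare public address means no port translation" rule, and the source address and checksum rewrite in the IP header), here is an added toy model. It is not Windows 2000 code and not from this page; the public addresses 203.0.113.x, the starting port 1025, the choice of the first public address when the pool is exhausted, and the sample header are all constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

# The three RFC 1918 ranges listed on the page
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default mapping time-outs from the page: 24 hours for TCP, 1 minute for UDP
TIMEOUT = {"tcp": 24 * 60 * 60, "udp": 60}
# Constructed 20-byte IPv4 header: 192.168.0.10 -> 198.51.100.1, TCP, checksum 0
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                            ipaddress.ip_address("192.168.0.10").packed,
                            ipaddress.ip_address("198.51.100.1").packed)


def is_private(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def ipv4_checksum(header):
    """Ones'-complement checksum over an IPv4 header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rewrite_source_ip(header, new_src):
    """Replace the source address (bytes 12-15) and recompute the header checksum."""
    hdr = bytearray(header)
    hdr[12:16] = ipaddress.ip_address(new_src).packed
    hdr[10:12] = b"\0\0"          # zero the old checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


@dataclass
class Mapping:
    proto: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    expires: float      # absolute time; inf for static mappings
    static: bool = False


class NatTable:
    def __init__(self, public_ips):
        self.public_ips = list(public_ips)
        self.mappings = {}       # (proto, private_ip, private_port) -> Mapping
        self.next_port = 1025    # assumed start of the port range handed out

    def add_static(self, proto, private_ip, private_port, public_ip, public_port):
        self.mappings[(proto, private_ip, private_port)] = Mapping(
            proto, private_ip, private_port, public_ip, public_port, float("inf"), True)

    def _unused_public_ip(self):
        in_use = {m.public_ip for m in self.mappings.values()}
        return next((ip for ip in self.public_ips if ip not in in_use), None)

    def _unique_port(self, proto, public_ip):
        in_use = {(m.proto, m.public_ip, m.public_port) for m in self.mappings.values()}
        port = self.next_port
        while (proto, public_ip, port) in in_use:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, proto, src_ip, src_port, now):
        """Steps 1 and 2 of the outbound process: reuse a mapping or create one."""
        key = (proto, src_ip, src_port)
        m = self.mappings.get(key)
        if m is not None:
            if not m.static:
                m.expires = now + TIMEOUT[proto]    # traffic refreshes the entry
            return m
        if not is_private(src_ip):   # assumption: the home network uses RFC 1918 space
            raise ValueError("only private sources are translated: " + src_ip)
        free_ip = self._unused_public_ip()
        if len(self.public_ips) > 1 and free_ip is not None:
            public_ip, public_port = free_ip, src_port   # spare address: port unchanged
        else:
            # single address or pool exhausted: assumed to use the first public
            # address with a unique port (the page does not say which address)
            public_ip = self.public_ips[0]
            public_port = self._unique_port(proto, public_ip)
        m = Mapping(proto, src_ip, src_port, public_ip, public_port, now + TIMEOUT[proto])
        self.mappings[key] = m
        return m

    def expire(self, now):
        """Drop dynamic mappings that were not refreshed within their time-out."""
        stale = [k for k, m in self.mappings.items() if m.expires <= now]
        for k in stale:
            del self.mappings[k]
        return len(stale)


if __name__ == "__main__":
    nat = NatTable(["203.0.113.5"])
    m = nat.outbound("tcp", "192.168.0.10", 40000, now=0)
    print(m)
    print(rewrite_source_ip(SAMPLE_HEADER, m.public_ip).hex())
```

Running the table with one public address shows every new flow getting a fresh port on that address; running it with two addresses shows the first two hosts mapped one-to-one with their original ports and the third falling back to port allocation. The checksum helper returns 0 when run over a header whose stored checksum is already correct, which is the same check a receiving host performs.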
You can install NAT by using a wizard when installing the Routing and Remote Access service. If RRAS is already installed, you can install NAT via the following steps:
1. Configure the IP address of the home network interface with the IP address 192.168.0.1, subnet mask 255.255.255.0 and no default gateway. If you choose to use another IP address, e.g. 10.0.0.1 or 172.16.0.1, you have to change the address range that is assigned to the clients.
2. Enable routing on the dial-up port. If you are using a permanent internet connection that appears as a LAN interface, or a router connected to the internet, create a default static route on this interface. The destination and network mask should be 0.0.0.0. If you are using a demand-dial interface, you first have to create a dial-up connection that is enabled for routing.
3. Add the NAT protocol via the Routing and Remote Access snap-in. Select the server, IP Routing and General. Right-click General to add a new routing protocol.
4. Add the home and internet network interfaces to the NAT routing protocol.
5. Enable NAT addressing and name resolution via the Routing and Remote Access snap-in. Right-click NAT and select Properties. On the Address Assignment tab select 'Automatically assign ip addresses by using DHCP' and configure the DHCP range.
6. If you are using multiple public IP addresses, you have to configure the Address Pool tab of the NAT properties.
If you want to allow inbound connections, you have to take the following actions:
After NAT is installed you can customize it on the following tabs:
- General
- Translation
- Address assignment
- Name resolution
NAT does not work with IPsec or Kerberos.
Further reading:
- Developing NAT friendly applications
- Overview of Network Address Translation in Windows XP
Last update : 30 March 2002