NAT in Windows 2003: Setup and Configuration
NAT acts as a middle man between the internal and external network; packets coming from the private network are handled by NAT and then transferred to their intended destination.
A single external address is used on the Internet so that the internal IP addresses are not shown. A table is created on the router that lists local and global addresses and uses it as a reference when translating IP addresses.
NAT can work in several ways:
An unregistered IP address is mapped to a registered IP address on a one-to-one basis - which is useful when a device needs to be accessed from outside the network.
An unregistered IP address is mapped to a registered IP address from a group of registered IP addresses. For example, a computer 192.168.10.121 will translate to the first available IP in a range from 18.104.22.168 to 22.214.171.124.
A form of dynamic NAT, it maps multiple unregistered IP addresses to a single registered IP address, but in this case uses different ports. For example, IP address 192.168.10.121 will be mapped to 126.96.36.199:port_number (188.8.131.52:1080).
This when addresses in the inside network overlap with addresses in the outside network - the IP addresses are registered on another network too. The router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
How NAT works
A table of information about each packet that passes through is maintained by NAT.
When a computer on the network attempts to connect to a website on the Internet:
- the header of the source IP address is changed and replaced with the IP address of the NAT computer on the way out
- the "destination" IP address is changed (based on the records in the table) back to the specific internal private class IP address in order to reach the computer on the local network on the way back in
Network Address Translation can be used as a basic firewall – the administrator is able to filter out packets to/from certain IP addresses and allow/disallow access to specified ports. It is also a means of saving IP addresses by having one IP address represent a group of computers.
Setting up NAT
To setup NAT you must start by opening the Configure your server wizard in administrative tools and selecting the RRAS/VPN Server role. Now press next and the RRAS setup wizard will open. The screen below shows the Internet Connection screen in which you must specify which type of connection to the Internet and whether or not you want the basic firewall feature to be enabled.
Press next to continue. The installation process will commence and services will be restarted, after which the finish screen will be displayed - showing what actions have taken place.
Configuration of NAT takes place from the Routing and Remote Access mmc found in the Administrative Tools folder in the Control Panel or on the start menu.
The screenshot below shows the routing and remote access mmc.
Select which interface you wish to configure and double click it. This will bring up the properties window giving you the option to change settings such as packet filtering and port blocking, as well as enabling/disabling certain features, such as the firewall.
The remote router (set up previously) properties box is shown below. The NAT/Basic Firewall tab is selected.
You are able to select the interface type – to specify what the network connection will be. In my example I have selected for the interface to be a public interface connected to the internet. NAT and the basic firewall option have also been enabled. The inbound and outbound buttons will open a window that will allow you restrict traffic based on IP address or protocol packet attributes. As per your instructions, certain TCP packets will be dropped before they reach the client computer. Thus, making the network safer and giving you more functionality. This is useful if, for example, you wanted to reject all packets coming from a blacklisted IP address or restrict internal users access to port 21 (ftp).
For further firewall configuration, go to the Services and Ports tab. Here you can select which services you would like to provide your users access to. You can also add more services by specifying details such as the incoming and outgoing port number.
The list of services shown in the above screenshot are preset. Press Add to bring up the window that will allow the creation of a new service or select an available service and press Edit to modify that service. You will be asked to specify the name, TCP and UDP port number and the IP address of the computer hosting that service.
If the services in the list aren’t enabled then any client computer on the Windows 2003 domain will not be able to access that specific service. For example, if the computer was configured as shown in the image above and a client computer tried to connect to an ftp site, he would be refused access. This section can prove to be very useful for any sized networks, but especially small ones.
That concludes this article. As you have seen, Network Address Translation is a useful feature that adds diversity and security to a network in a small to medium sized company. With the advent, and implementation, of IPv6 still in its beginning stages, we can expect to see NAT being used for many years to come.