Contents
Overview 1
Introducing NAT 2
Designing a Functional NAT Solution 6
Securing a NAT Solution 13
Enhancing a NAT Design for Availability and Performance 19
Discussion: Enhancing a NAT Solution 20
Lab A: Designing a NAT Solution 22
Review 30

Module 6: NAT as a Solution for Internet Connectivity

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Overview
Introducing NAT
Designing a Functional NAT Solution
Securing a NAT Solution
Enhancing a NAT Design for Availability and Performance
When an organization decides to connect to the Internet, a primary
consideration is how to provide Internet access for users on the private network
while protecting private network resources. In Microsoft® Windows® 2000, the
Network Address Translation (NAT) protocol that is provided by Routing and
Remote Access provides a solution for Internet connectivity, and protects the
resources of private networks.
NAT is an appropriate solution for Internet connectivity requirements for
organizations that have limited security requirements and a relatively small
number of users within each location.
Design Decisions for a NAT Solution
Same Security Requirements for All Users
Nonrouted Private Network
Required Private Addressing
You must base your decision to use NAT as an Internet connectivity solution on
the size of the private network and the security requirements of the
organization. NAT is an appropriate solution for Internet connectivity when:
Internet access and access to the private network are not restricted on a
user-by-user basis.
The private network consists of any number of users in a nonrouted
environment.
The organization requires private addressing for the computers on the
private network.
Features of NAT
Translate Public and Private Addresses
Supply IP Configuration to Clients
Forward Name Resolution Requests
Protect Private Network Resources
NAT protects private network resources from Internet-based users by enabling
communications with a specific port on a specific private network IP address.
To provide this protection, NAT uses address pools and special ports. The
NAT server forwards requests from Internet-based users to the computers on
the private network that manage the resource.
Integrate into Existing Networks
When you integrate NAT into existing networks, consider that NAT:
Supports automatic IP configuration of client computers that use DHCP for
configuration.
Provides IP configuration. You must ensure that DHCP servers do not
provide IP configuration for the private network.
Supports only the IP protocol, not any other routable protocols such as
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
Cannot perform address translation on certain protocols.
The following is a list of protocols that are not supported by NAT:
• Simple Network Management Protocol (SNMP)
• Lightweight Directory Access Protocol (LDAP)
• Component Object Model (COM) or Distributed Component Object
Model (DCOM)
Many applications may use DCOM to communicate between clients and
servers in a multi-tier solution.
• Kerberos Version 5
The Active Directory™
resolution feature options.
Integrating NAT into the Existing Network
NAT Server Placement on the Private Network
Interface Address and Subnet Mask Selection
Interface Data Rate and Persistence Selection
[Figure: NAT server between the Private Network (LAN Interface) and the Internet (Demand-Dial Interface)]
to the interface.
The subnet mask assigned to the NAT server interface must match the
subnet mask that is assigned to the network segment that is directly
connected to the interface.
Select the Interface Data Rate and Persistence
Each NAT server interface connects to a private or public network segment.
These network segments can be persistent or non-persistent. In addition, the
data rates for these network segments can vary considerably. You need to
specify the data rate and persistence for each NAT server interface so that the
NAT server can connect to private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies
that are persistent interface connections. The data rate of the private network
segment is determined by the LAN technology, such as 100 megabits per
second (Mbps) data transfer rate for 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies that
can be persistent or non-persistent. Public network segments that appear to the
NAT server as LAN interfaces are persistent, and the data rate is determined by
the LAN technology.
Public network segments that appear as demand-dial interfaces are
non-persistent, and the data rate is determined by the underlying technology.
For example, a 56 Kbps dial-up modem connection supports a maximum data rate
of 56 Kbps.
When the public network segments are based on LAN technologies, you can
include demand-dial interfaces, such as a VPN connection over a digital
subscriber line (DSL) connection. Include a demand-dial interface in your
solution when:
An exchange of credentials, such as VPN tunnel authentication, is required.
The private network consists of a single, nonrouted subnet.
You must configure the NAT client computers on the private network such that
they automatically obtain their Transmission Control Protocol/Internet Protocol
(TCP/IP) configuration. When the computers on the private network are started,
the NAT server configures the TCP/IP options of the computers.
The following table lists the TCP/IP options and associated TCP/IP settings that
are configured on the DHCP client computers.
This option    Is set to
IP address     An IP address from the range 192.168.0.0/24.
Subnet mask    255.255.255.0.
DNS server     The IP address of the NAT private network interface, which is typically 192.168.0.1.
You can also use Automatic Private IP Addressing (APIPA) in Windows 2000
and Microsoft Windows 98 to automatically configure computers on the private
network. When you use APIPA, you must manually select the IP address of the
private network interface for the NAT server from the range of APIPA
addresses.
If you enable the automatic IP addressing feature, ensure that DHCP
servers do not provide IP configuration for the private network because the
DHCP servers and the NAT server would both attempt to configure the
computers.
A firm represents a number of electronic component manufacturers. The central
sales office is located in London with regional representatives located
throughout the United Kingdom. The regional representatives conduct business
from their homes.
Each regional representative currently has one computer running Microsoft
Windows 95 that uses a direct dial-up connection to a remote access server in
the London central sales office to place orders. In addition, the representatives
also connect to the Internet, through local Internet service providers (ISPs), so
they can view product information from the electronic manufacturers they
represent.
Questions
1. The London central sales office is upgrading the order entry and order
tracking system to a Web-based solution that uses distributed Microsoft SQL
Server™ version 7.0 databases. The new order system requires the regional
representatives to add an additional computer running Windows 2000
Advanced Server and SQL Server 7.0. The order entry system updates order
information over the Internet in real time, so a permanent Internet
connection is required. What solutions that use the NAT services in
Windows 2000 could you recommend to the company?
2. The director of sales for the firm is evaluating contact management software
for use by the regional representatives. The software would allow the
regional representatives to manage customer contact information, and allow
Restricting Internet Traffic by Using IP Filters
Restrict by Using Routing and Remote Access IP Filters
Apply Filters to Internet or Private Network Interface
Filter All Traffic Based on IP Address and Protocol
[Figure: Private Network, Central Office, Partner Network, and Web Server connected to the Internet through NAT, with outgoing NAT and incoming NAT shown]
To restrict access to the Internet or to the private network, you can specify
unique Routing and Remote Access IP filters for each NAT interface. These
filters are based on an incoming or outgoing IP address range and protocol. You
can add multiple filters for each NAT interface to create a combination of filters
that address any security requirements. Routing and Remote Access IP filters
provide similar security to firewall filters.
You can specify Routing and Remote Access IP filters that restrict:
Internet-based user access to private network resources.
filters assigned to the NAT interface.
Allowing Access with Address Pools and Special Ports
Use the Default—All Computers Are Inaccessible
Reserve Addresses from the Address Pool
Define Special Port Mappings
[Figure: a Remote User on the Internet reaching a Web Server on the Private Network through a Special Port Mapping on the NAT server]
You can allow access to specific computers and applications within the private
network by reserving IP addresses from the NAT interface address pool, or by
creating special port mappings.
Use the Default—All Computers Are Inaccessible
By default, NAT discards any Internet-based requests to access computers
located within the private network. As such, all computers on the private
network are inaccessible from the Internet in a NAT solution. Choose the
default configuration when users on the:
Private network require access to Internet sites.
Define Special Port Mappings
When the NAT solution includes only one public IP address, you must define
special port mappings within Routing and Remote Access to enable private
network resource access. Special port mappings enable NAT to examine the IP
address and port number of Internet-based requests. NAT then forwards the
requests to a specific IP address and port number of a resource server within the
private network. For each resource that you share with the Internet, you must
define separate special port mappings in Routing and Remote Access.
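The inbound path that the IP filter section and the special port mapping section above describe, modelled as an added Python example (not code from this module or from Routing and Remote Access): the Internet interface's IP filters are applied first, the request is then forwarded only if a special port mapping exists for its protocol and public port, and everything else is discarded, which is the default. The partner network range 203.0.113.0/24, the private addresses 192.168.0.10 and 192.168.0.20, and the two mappings are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not Routing and Remote Access code) of the inbound path on
# a NAT public interface as this module describes it: the interface's IP
# filters are applied first, then a special port mapping decides where the
# request is forwarded, and anything without a mapping is discarded.

@dataclass(frozen=True)
class Packet:
    src: str        # Internet-based source address
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port on the NAT server's single public address

@dataclass(frozen=True)
class IPFilter:
    src_net: str    # source address range the filter matches (CIDR)
    proto: str      # protocol the filter matches, or "any"

    def matches(self, pkt):
        in_range = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        return in_range and self.proto in ("any", pkt.proto)

# Special port mappings: (protocol, public port) -> (private address, private port).
# Targets are constructed; 192.168.0.0/24 is the private range this module uses.
PORT_MAPPINGS = {
    ("tcp", 80): ("192.168.0.10", 80),      # Web server
    ("tcp", 1433): ("192.168.0.20", 1433),  # SQL Server 7.0
}

# Inbound filters on the Internet interface. Routing and Remote Access applies a
# filter list in one of two modes: "accept_matching" (drop all packets except
# those that match) or "drop_matching" (receive all packets except those that match).
INBOUND_FILTERS = [IPFilter("203.0.113.0/24", "tcp")]   # constructed partner network range
FILTER_ACTION = "accept_matching"

def inbound_decision(pkt, filters=INBOUND_FILTERS, action=FILTER_ACTION, mappings=PORT_MAPPINGS):
    """Return ("filtered", None), ("discarded", None) or ("forwarded", (ip, port))."""
    matched = any(f.matches(pkt) for f in filters)
    if action == "accept_matching" and not matched:
        return ("filtered", None)            # rejected by the interface's IP filters
    if action == "drop_matching" and matched:
        return ("filtered", None)
    target = mappings.get((pkt.proto, pkt.dst_port))
    if target is None:
        return ("discarded", None)           # the default: private computers are inaccessible
    return ("forwarded", target)             # translated to the private resource server
```

Call inbound_decision(Packet("203.0.113.7", "tcp", 80)) to see a request forwarded to the Web server, and change the destination port or source address to see it discarded or filtered.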
Enhancing NAT Security with VPN
Supports PPTP Tunnels
Provides User Level Authentication
Supports Inbound and Outbound Connections
[Figure: VPN Servers on the Partner Network and on the Private Network behind NAT, with a Remote User connecting across the Internet]
the local private network.
Allow access to resources outside the local private network.
VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not
supported because IPSec can encrypt the IP header and NAT cannot perform
address translation.
Enhancing a NAT Design for Availability and Performance
Dedicate a Computer to NAT
Select Persistent Internet Connections
Provide Multiple Internet Connections
[Figure: Private Network connected to the Internet through NAT]
connections                                Preventing a lack of availability for dial-up
                                           connections, such as by busy signals.
                                           Eliminating the time required to establish a
                                           nonpersistent connection.
Providing multiple Internet connections    Providing redundant connections to the Internet in
                                           the event one of the connections fails.
                                           Distributing the traffic across the multiple
                                           connections to the Internet.
Discussion: Enhancing a NAT Solution
[Figure: map showing Edinburgh, Glasgow, Dublin, London, Belfast, and Birmingham]
2. After analyzing the traffic with a protocol analyzer, such as Network
Monitor, you have discovered that the updates to the SQL Server 7.0
database in the London central sales office are not encrypted. How could
you ensure that the database updates are encrypted?
3. Allowing customers to access the Web-based order entry and order tracking
system has significantly degraded the performance of the NAT server. What
strategies could you use to improve the performance of the NAT solution?
Lab A: Designing a NAT Solution
Objectives
After completing this lab, you will be able to:
Evaluate a scenario to determine the requirements that affect a NAT
solution.
Design a NAT solution to fulfill the requirements of the scenario.
Prerequisites
Before working on this lab, you must have:
Knowledge of the design decisions required in creating a NAT solution.
Knowledge of the design decisions that enhance the security, availability,
to make account payments and submit service requests over the Internet.
Support for all mission-critical applications to be available 24 hours a day,
7 days a week.
Internet connections installed in the home office, but not connected to the
home office network.