Understanding NAT
NAT is a service built into a router that modifies the header information in IP datagrams before sending them on to their destinations. This functionality allows host computers to connect to the Internet by sharing one or more publicly registered IP addresses on the computer running the NAT service. The computer on which NAT is configured can act as a network address translator, a simplified DHCP server, a DNS proxy, and a Windows Internet Name Service (WINS) proxy. Figure 1 illustrates this service.
You can configure NAT through a demand-dial interface or through a persistent connection. A demand-dial interface connects only when a client requests the connection. A persistent connection can be either a dedicated line such as a DSL or T1 line or a dial-up interface that automatically redials when the line is dropped.
Difference Between NAT and ICS
Like NAT, the ICS feature built into Windows provides Internet connectivity to hosts through a single interface—a dial-up or permanent connection—on a Windows computer. Like NAT, ICS also allows internal clients to preserve private IP addresses while these clients connect to public external addresses. Finally, NAT includes a component called Basic Firewall that blocks all but response traffic from entering the internal network. This component corresponds to the Internet Connection Firewall service, which provides the identical function for ICS.
The main difference between NAT and ICS is configurability. ICS is preconfigured and automatically sets the internal address of the computer hosting the shared connection to 192.168.0.1. All internal clients exist on one physical subnet and are assigned addresses within the 192.168.0.0/24 range. These internal clients point to the ICS computer for DNS resolution. The external, shared interface is configured with a single public address.
With NAT, you can choose any private IP address as the internal address of the NAT computer, and you have the option of disabling the DHCP server and DNS proxy capabilities. For example, if you already have the DHCP or DNS service configured for your network, you can disable these functions when you configure NAT. If you do configure NAT to provide DHCP service for internal clients, you can choose any address scope you want NAT clients to use. In addition, unlike with ICS, you can configure NAT to work with multiple internal interfaces (although the addresses assigned to internal clients through these interfaces must all belong to a single logical subnet).
A final difference between ICS and NAT is that with NAT, you can configure the external, shared interface with either a single public address or multiple public addresses. Multiple public addresses can be useful, for example, when you want to map various public IP addresses to specific internal servers.
Tip
When assigning IP addresses, ICS does not check for conflicts with static addresses already owned by computers on the network. For this reason, you should not deploy ICS on a network whose essential servers are preconfigured with static addresses near the beginning of the 192.168.0.0/24 range. Note also that if essential servers are preconfigured with static addresses in a different logical address space (such as 192.168.1.0/24), deploying ICS might render those essential servers inaccessible. Consequently, if in a scenario on the exam, any essential network services stop functioning after ICS is installed, look for an option to replace ICS with NAT.
Table 1 summarizes the features and capabilities of ICS and the NAT routing protocol in Windows Server 2003.
Table 1. Comparison of Translated Connections Features
| Internet Connection Sharing | Network Address Translation |
|---|---|
| Single check box configuration | Manual configuration |
| Single public IP address | Single or multiple public IP addresses |
| Fixed address range (192.168.0.0/24) for internal hosts | Configurable address range for internal hosts |
| Single internal interface connecting to a single logical subnet | Single or multiple internal interfaces connecting to a single logical subnet |
| Installed using Network And Dial-Up Connections | Installed using Routing And Remote Access console |
| Microsoft Windows 98 Second Edition or later Internet Connection Firewall | Windows 2000 Server or Windows Server 2003 Basic Firewall |
ICS has one nice feature that NAT does not: when configured on a dial-up connection, ICS does not answer incoming calls. In contrast, if you configure NAT through a demand-dial interface, that interface instructs the modem to answer incoming calls after only two rings. This limitation can be annoying, particularly if you use one phone line for both a shared Internet connection and voice calls. In this case, if you do not pick up after only one ring, the modem is likely to screech just as you start talking to your caller and destroy any possibility of a pleasant chat.
If you cannot use ICS but still want to use the same phone line for the Internet connection as for voice calls, you can edit the Registry to pick up the phone after a high number of rings. To perform this task, open the Registry Editor and add a REG_DWORD value called NumberOfRings to the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
You can set this value anywhere between 0 and 20. In a future service pack, the 0 value might stop the modem from answering at all, but for now, it produces the same behavior as the 2 value does. If you want to stop the modem from intercepting voice calls, the best you can do is set the NumberOfRings value to 20. It's not a perfect solution, but then again, any caller rude enough to let your phone ring 20 times without hanging up probably deserves to be screeched at.
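The Registry edit described above, written out as an added PowerShell example (this is not code from the original text). It assumes an elevated PowerShell session on the NAT computer and uses only the key path, value name and 0 to 20 range the text gives; the read-back of the existing value before writing is added so you can see what was there.

```powershell
# Added example, not from the original text: create or update the NumberOfRings
# REG_DWORD value that controls how many rings a NAT demand-dial interface lets
# pass before the modem answers. Assumes an elevated session on the NAT computer.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$valueName = 'NumberOfRings'
$rings     = 20   # highest value the text documents; 2 matches the default behaviour

# The text gives 0 to 20 as the supported range; refuse anything else
if ($rings -lt 0 -or $rings -gt 20) {
    throw "NumberOfRings must be between 0 and 20 (got $rings)"
}

# Report the current setting, if one exists, before changing it
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Current $valueName = $($existing.$valueName)"
} else {
    Write-Host "$valueName is not set; the modem answers after 2 rings"
}

# Create the REG_DWORD value, overwriting it if it already exists
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $rings -Force | Out-Null
Write-Host "$valueName set to $rings"
```

Whether the new value takes effect immediately or only after the RasMan service is restarted is not stated in the text, so check the modem's behaviour after the change.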
Troubleshooting NAT
The following list provides a conceptual summary of the configuration requirements for a deployment of NAT and of the associated potential points of failure. Review this summary and refer back to it as needed to help you troubleshoot NAT.
- NAT requires that the appropriate external (public) and internal (private) interfaces be added to the NAT protocol in the Routing And Remote Access console. Typically, the internal interface is created by default, but the external interface might need to be created manually before it can be added. Once both interfaces are added, verify that the public interface (named Remote Router by default for demand-dial connections) is designated as the public interface in its properties dialog box within the NAT/Basic Firewall node. Similarly, the private interface should be designated as the private interface in its properties dialog box within the NAT/Basic Firewall node.
- NAT requires that a default static route be added in the Routing And Remote Access console. For this static route, the destination and network mask should be configured as 0.0.0.0, the gateway should be set to None, and the interface should be set to the public (external) interface connected to the Internet.
- NAT requires that a DHCP service be properly configured for internal clients. If you have not configured a DHCP server, verify that the DHCP allocator is enabled on the Address Assignment tab of the NAT/Basic Firewall Properties dialog box.
- For NAT to be used in conjunction with DNS name resolution, a DNS server must either be configured on the NAT computer or specified through the DNS proxy in NAT. If you have not configured a DNS server on the NAT computer, verify that DNS Proxy is enabled on the Name Resolution tab in the NAT/Basic Firewall Properties dialog box.
- Certain NAT features require more complex configuration. If you have assigned an address pool to the external interface, verify that the addresses and mask have been configured correctly. For special ports, verify the configuration of the public address and port and the private address and port.
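The checklist above can be walked through from the command line instead of the console. The following is an added PowerShell example (not code from the original text) that performs read-only checks for the service state, the default static route, the NAT interface designations, and whether address assignment and name resolution are being served by a real DHCP or DNS server or must come from NAT's allocator and proxy. It assumes the script runs on the NAT computer with Routing And Remote Access installed, that the WMI class Win32_IP4RouteTable is available, and that the netsh "routing ip" sub-contexts nat, autodhcp and dnsproxy exist on this Windows Server version.

```powershell
# Added example, not part of the original text: read-only checks for the NAT
# troubleshooting points listed above. Assumes it runs on the NAT computer and
# that Win32_IP4RouteTable and the netsh routing ip nat/autodhcp/dnsproxy
# contexts are available on this version of Windows Server.

# 1. NAT runs inside the Routing and Remote Access service; check it first.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $rras -or $rras.Status -ne 'Running') {
    Write-Warning 'Routing And Remote Access service (RemoteAccess) is not running'
}

# 2. Default static route: destination 0.0.0.0 with mask 0.0.0.0. The text says
#    the gateway should be None, so a NextHop of 0.0.0.0 bound to the public
#    interface is what a correctly added route looks like in the route table.
$defaults = Get-WmiObject -Class Win32_IP4RouteTable |
    Where-Object { $_.Destination -eq '0.0.0.0' -and $_.Mask -eq '0.0.0.0' }
if (-not $defaults) {
    Write-Warning 'No default route (0.0.0.0 / 0.0.0.0) found; add one on the public interface in the RRAS console'
} else {
    foreach ($route in $defaults) {
        Write-Host ('Default route: interface index {0}, next hop {1}, metric {2}' -f `
            $route.InterfaceIndex, $route.NextHop, $route.Metric1)
    }
}

# 3. Public/private designation of the interfaces added to the NAT protocol.
#    Confirm the external interface is listed in translation mode and the
#    internal one as private.
Write-Host '--- Interfaces added to NAT ---'
netsh routing ip nat show interface

# 4. Address assignment: a DHCP Server service on this computer, or else the
#    NAT DHCP allocator must be enabled.
$dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
if ($dhcp -and $dhcp.Status -eq 'Running') {
    Write-Host 'DHCP Server service is running; the NAT DHCP allocator can stay disabled'
} else {
    Write-Host '--- No DHCP Server service running; NAT DHCP allocator settings ---'
    netsh routing ip autodhcp show global
}

# 5. Name resolution: a DNS Server service on this computer, or else the NAT
#    DNS proxy must be enabled.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns -and $dns.Status -eq 'Running') {
    Write-Host 'DNS Server service is running; the NAT DNS proxy is optional'
} else {
    Write-Host '--- No DNS Server service running; NAT DNS proxy settings ---'
    netsh routing ip dnsproxy show global
}
```

Address pools and special ports (the last item in the list) are not checked here, because their correctness depends on which public addresses and internal servers you intend to map; compare the values shown in the NAT/Basic Firewall interface properties against your own plan.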