Username   Password       Register

Understanding NAT

Network Address Translation (NAT) Overview

The Microsoft implementation of an address translation feature is called Network Address Translation (NAT). NAT can be used to enable computers on a network such as in small offices or home offices (SOHOs) to have a common Internet connection using a single public IP address. NAT translates IP addresses and associated TCP/UDP port numbers on the private network to public IP addresses which can be routed on the Internet. Often, the size of the network and the security requirements of the network would dictate whether NAT is used. Networks that do not require an implementation of a firewall solution or a proxy server solution can use NAT to provide basic Internet connectivity. Through NAT, host computers are able to share a single publicly registered IP address to access the Internet.

With NAT, all outgoing packets are forwarded to the NAT server. At the NAT server, the source address of these outgoing packets are modified, and then forwarded to the Internet. All incoming packets are transmitted to the NAT server. At the NAT server, the addresses of the packets are changed to internal IP addresses, and are then returned to the source which sent the packet.

The computer that has NAT installed can be configured as either of the following:

  • Network address translator server.

  • A basic Dynamic Host Configuration Protocol (DHCP) server

  • A Domain Name System (DNS) proxy.

  • A Windows Internet Name Service (WINS) proxy.

In Routing and Remote Access Service (RRAS), NAT can be used to provide basic Internet connectivity for small offices or home offices. NAT also offers a number of security features which can be used to secure the network resources on your private network. In addition, DNS queries can be sent to a DNS server defined in NAT. NAT also supports a DHCP-compatible IP configuration.

With Windows Server 2003, the NAT server can support the following services or components:

  • NAT - the address translation service/component: Here, the computer on which NAT is installed is the network address translator server. NAT translates outgoing and incoming packets' IP addresses and TCP and UDP port numbers that are transmitted to the Internet.

  • DNS - name resolution component: Here, the computer that has NAT installed acts as a DNS server to other computers residing on the home network. NAT forwards name resolution requests to its defined Internet DNS servers, and then forwards any responses to the particular home network computer.

  • DHCP - IP addressing component: Here, the computer that has NAT installed acts as a simplified DHCP server that assign the IP address information listed below to other computers residing on the home network. The computers residing on the home network have to be defined as DHCP clients though:

    • IP address

    • Subnet mask

    • Default gateway

    • DNS server IP address

The existing network would determine which services you need to enable when you install NAT and configure the NAT server. For instance, if you have existing DNS and DHCP servers, you can still proceed with using these servers when NAT is enabled.

The NAT service is actually integrated with the router that changes the information of the originator in packets prior to them being forwarded to the Internet. NAT can be configured through either of the following components:

  • Demand-dial interface: The connection is only established when the client specifically requests the connection.

  • Persistent connection: These connections are permanent connections, and remain open all the time. Examples of persistent connections is a DSL dedicated line, or a dial-up interface that redials when the connection is lost.

A Windows Server 2003 server configured with either of the following services can act as the NAT server:

  • Routing and Remote Access; a NAT implementation through Routing and Remote Access is the recommended approach.

  • Internet Connection Sharing; should be used for exceptionally small networks only.

As mentioned previously, NAT translates IP addresses and associated TCP/UDP port numbers on the private network to public IP addresses which can be routed on the Internet. When this translation occurs, NAT assigns a unique port number to the session as well. A client computer is mapped to a single public IP address assigned by the ISP of the organization or assigned by the Internet Network Information Center (InterNIC). Through this mapping, NAT is then able to return responses to the correct client computer. Information on these mapping are stored in the NAT Session Mapping table.

The default configuration is that NAT translates IP addresses and TCP/UDP ports in the IP datagrams, which in turn result in the changing of these fields within the IP, TCP, and UDP headers:

  • Source IP address

  • TCP, UDP and IP checksum

  • Source port.

Windows Server 2003 includes support for L2TP/IPSec VPN connections to function with NAT. You can also use a NAT editor for a few applications that do not contain IP addresses/port information within its header.

Windows Server 2003 includes the NAT editors listed below:

  • File Transfer Protocol (FTP)

  • Internet Control Message Protocol (ICMP)

  • Point-to-Point to the Internet

  • Direct Play out to the Internet

  • Lightweight Directory Access Protocol (LDAP) based Internet Locator Service (ILS) registration out to the Internet.

Understanding the Limitations of NAT

There are a few protocols that NAT is unable to perform network address translation for. For NAT to work and perform network address translation, it needs the IP information or port number information in the IP header and TCP header of packets. NAT uses IP addresses and the TCP port and UDP port within the TCP header, UDP header, and IP header to translate NAT traffic. While you can use a NAT editor to translate FTP traffic through a NAT system, this is not true for all protocols. A NAT editor only works for a few protocols such as FTP and PPTP. The protocols that are basically unable to pass NAT, is probably one of the most significant limitations of NAT.

A few limitations of NAT are listed here:

  • When NAT is implemented through Routing and Remote Access, only the IP protocol is supported. The following protocols are protocols that NAT cannot perform address translation on:

    • Simple Network Management Protocol (SNMP)

    • Lightweight Directory Access Protocol (LDAP)

    • Kerberos version 5

    • Component Object Model (COM)

    • Distributed Component Object Model (DCOM)

    • Microsoft Remote Procedure Call (RPC)

  • The latest Microsoft IP Security protocol (IPSec) that provides IP header encryption through Authentication Header (AH) cannot pass over NAT.

  • Domain controllers are unable to replicate over the NAT server.

Understanding How NAT Works

NAT works transparently to clients. This means that clients are not aware that NAT is functioning. A client is basically configured with the address of the NAT server as its default gateway. Hence, when the client sends an outgoing packet, the packet is forwarded to the NAT server.

When the NAT server receives the packet, it performs the following functions:

  1. A connection attempt is made to connect to a public address.

  2. NAT examines the source address and destination address, as well as the TCP/UDP port numbers within the packet header.

  3. The source address, destination address, and port information is stored in the NAT Session Mapping table.

  4. NAT replaces the source address of the packet with the public address of the NAT server. A port number is also assigned.

  5. The packet is sent over the Internet.

  6. Responses from the remote server is sent to the NAT server's public address and assigned port number.

  7. NAT at this stage consults its NAT mapping table to determine whether it should forward the response to the private network.

  8. When the NAT table contains a match, NAT checks which client the response should be forwarded to.

  9. The packet is then modified to reflect the internal private address of the client as its destination address. The port number is changed if required.

  10. The response packet is then sent over the private network to the client that initially sent the packet over the Internet.

The NAT Session Mapping Table

The information contained in the NAT Session Mapping table enables NAT to return responses to the correct client computer.

The information stored in the NAT Session Mapping table is listed here:

  • Protocol; specified as either TCP or UDP, it is the protocol utilized to forward packets.

  • Direction; specified as either inbound traffic, or as outbound traffic

  • Private Address; the internal client computer's private IP address.

  • Private Port; the private port number for the session.

  • Public Address; the public IP address as assigned by the ISP of the organization or by the Internet Network Information Center (InterNIC)

  • Public Port; port number assigned to the session.

  • Remote Address; IP address which the client wants to access.

  • Remote Port; port number assigned to session.

  • Idle Time; for tracking of the entries within the NAT Session Mapping table. Entries are removed when no traffic is sent over the specific connection for a predefined time period.

Understanding the Differences between NAT and Internet Connection Sharing (ICS)

Internet Connection Sharing (ICS) is another feature integrated with Windows that provides Internet connectivity to hosts using an interface. ICS provides a single public IP address to connect to the Internet, fixed address range for hosts, DNS proxy for name resolution, and automatic IP addressing. ICS is also easy to configure.

While a NAT implementation through Routing and Remote Access is the recommended approach, you can use Internet Connection Sharing for exceptionally small networks. You can use ICS to connect the whole network to the Internet. This is due to the ICS feature providing a translated connection - all computers can access resources on the Internet. Much like NAT, when ICS is used, private IP addresses are hidden from the public network. Public external addresses are used over the public network. While NAT includes the Basic Firewall feature that only allows response traffic to be forwarded to the private network, ICS includes the Internet Connection Firewall service for the same functionality.

One of the main features of using ICS is that it is preconfigured. ICS automatically configures the internal address of the computer hosting the shared connection as 192.168.0.1. Internal clients are assigned addresses in the 192.168.0.0/24 address range. Internal clients exist on the identical physical subnet. All internal clients point to the ICS computer for DNS resolution. The shared external interface has a single public address.

With a NAT implementation, the NAT server can be configured with any private IP address as its internal address. You can also disable the DNS proxy and DHCP server features if you have a DNS server and DHCP server configured within your environment. With NAT, you can use multiple interfaces. The shared external interface can be configured with a single public address or with multiple public addresses.

You can install ICS using Network And Dial-Up Connections. NAT is installed through the Routing And Remote Access console.

NAT Design Requirements

A few NAT-specific design requirements are listed here:

  • Define the characteristics of the data passing through the NAT server. Requirements should include data confidentiality and the quantity of data the NAT server should handle.

  • The resources residing in the private network which should be accessible to Internet users.

  • The time duration for which users need access using the Internet connection.

  • The response time for those applications accessing resources using the Internet connection.

  • Router characteristics, including current WAN connections, protocols being used in the rivate network, and placement of existing routers.

  • Future network expansion.

Designing a NAT Strategy

The factors that should be included when you define and design a NAT strategy are listed below:

  • Determine whether NAT is indeed the proper address translation mechanism for your network. Factors to include in this decision should be:

    • Requirements of the users

    • Type of client computers that NAT must support

    • Size of the organization

    • Existing infrastructure

  • Determine which protocols and applications will not be able to pass through NAT. For instance, NAT cannot perform address translation on Simple Network Management Protocol (SNMP) and Lightweight Directory Access Protocol (LDAP).

  • Determine the type of connection which will be used. With a demand-dial interface, the connection is only established when the client specifically requests the connection. With a persistent connection, the connections are permanent connections, and remain open all the time.

  • Determine the private network IP addressing scheme and the number of public IP addresses to acquire.

  • Determine which interfaces are going to be configured with private IP addresses, and which interfaces will be configured with public IP addresses.

  • Determine the optimal number of connections required to ensure availability and improved performance or your NAT solution.

  • Determine whether your implementation of NAT will encompass multiple Internet connections for redundancy purposes.

  • Determine the servers that will be configured as NAT servers.

  • Determine whether NAT will allow Internet users to be able to access resources on the private network.

  • Determine how access to resources on the private network will be assigned and maintained.

  • Determine whether filters will be configured to restrict users located within the private network from accessing the Internet.

  • Determine whether NAT will be performing the following functions in addition to network address translation:

    • Issue IP addresses.

    • Handle DNS resolution requests.

When client computers access resources on the Internet, they use fully qualified domain names (FQDNs) which need to be resolved to IP addresses by DNS servers. You therefore need to determine which method will be used for DNS name resolution for client computes that need to access the Internet.

The methods which you can use to define the DNS server which clients can use to resolve fully qualified domain names (FQDNs) are listed here:

  • You can manually configure each client computer. This method should be utilized if you want to use different DNS name resolution methods for different client computers.

  • You can define the DNS server NAT so that the FQDNs are automatically resolved for client computers.

The advantages and disadvantages of using certain IP configuration methods are discussed now. The information provided can be useful when you need to decide on the IP configuration method to use with your NAT design.

The advantages of using the NAT IP address assignment feature as the IP configuration method are listed here.

  • Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.

  • No additional expenses are needed.

  • Multiple network segments are supported.

The disadvantage of using the NAT IP address assignment feature is that it is only available for DHCP clients.

The advantages of using a DHCP server as the IP configuration method are listed next:

  • Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.

  • Multiple network segments are supported.

The disadvantages of using a DHCP server as the IP configuration method is listed below:

  • The DHCP server can only be accessed and used for IP address assignment by DHCP client computers.

  • Additional expenditure is required for setting up of the DHCP server(s).

The advantages of using Automatic Private IP Assignment (APIPA) as the IP configuration method are listed here:

  • Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.

  • No additional expenditure is necessary.

The disadvantages of using Automatic Private IP Assignment (APIPA) as the IP configuration method is listed below:

  • Not all Windows client computers can use APIPA.

  • APIPA also only supports one segment SOHO or branch office networks.

The advantage of using manual configuration as the IP configuration method is listed here:

  • All Windows client computers can be manually configured.

The disadvantages of using manual configuration as the IP configuration method is listed below:

  • Susceptible to misconfigurations.

  • Extremely time consuming and intricate to manage as the network expands.

NAT Server Placement and NAT Server Requirements

The NAT server should reside on the private network, and should have the following components:

  • One network adapter card configured with the internal private IP addresses connecting the internal private client computers. You can define one or multiple NAT server interfaces to the private branch office network or small office or home office (SOHO).

  • One network adapter configured with the public IP address which connects to the Internet.

A few recommendations for placing NAT servers within your environment are listed here:

  • IP forwarding should not be enabled on the interface of the NAT server which is connected to the Internet.

  • IP routing should be enabled on the interfaces of the NAT server which are connected to private network segments/small office or home office (SOHO).

  • Private network segments/SOHO should be isolated from the Internet.

To improve NAT server performance and optimize your NAT server hardware, consider the following recommendations:

  • Use a dedicated computer to run NAT. When using a dedicated NAT server, you provide the following key features for your NAT implementation:

    • Preventing other services and applications from running on the same computer as NAT means that these services/applications do not use system resources. System resources are dedicated to NAT which in turn provides optimal NAT server performance.

    • You would also be preventing other services and applications from being the cause of the NAT server needing to be restarted, or shutting down.

  • Using a persistent Internet connection would ensure that the NAT server can at all time connect to the Internet.

  • Using a higher data rate Internet connection leads to improved performance of traffic passing through the Internet connection.

NAT Security

NAT does provide some security features that you can use to secure your private internal network and its resources from unauthorized access. Remember that NAT should not be used an alternative to implementing a firewall solution, if necessary.

While NAT security is on the whole sound, you can use the security features provided by NAT to enhance security of your NAT implementation further. The security requirements of the organization should be used as the basis for implementing a few NAT security features.

One of the primary objectives of implementing NAT security should be to restrict inbound traffic on the NAT server.

Routing and Remote Access Service (RRAS) IP packet filters can be used to restrict incoming or outgoing IP address ranges based on information in the IP header. You can configure and combine multiple filters to control network traffic.

A few important characteristics of IP packet filters are listed below:

  • IP packet filters restrict all traffic sent through routers.

  • IP packet filters restrictions are cumulative over multiple routers/interfaces.

Unwanted traffic that should be filtered usually includes:

  • Unauthorized Internet users attempting to access resources on the private network.

  • Applications/games which are not supported by your organization.

When to use IP packet filters:

  • To restrict traffic being sent to, or from a specific computer, you can filter on source/destination IP address range.

  • To restrict traffic coming from, or being sent to a specific IP address range of a network segment, you can filter on source/destination IP address range.

  • To restrict traffic being transmitted to/from a particular application, you can filter on protocol number.

With NAT, you can configure two types of IP packet filters. When defining criteria for the packet filters, you can use whatever combination of IP header information.

The types of IP packet filters configurable for NAT are:

  • Inbound IP packet filters: Here, traffic is filtered based on the IP address of the workstation attempting to access the private network. NAT by default drops all inbound requests to access private network resources. Therefore, you need to specifically allow access to private network resources using some additional configuration.

  • Outbound IP packet filters: These filters are used to filter or restrict traffic attempting to access the Internet.

There may be occasions when you want specific Internet users or VPN users to access resources on the private network, or access a Web server residing on the private network. The methods which you can utilize to map external public IP addresses and ports to private IP addresses and private ports so that internal private resources can be accessed are discussed here:

  • NAT address mappings: You can use a special port to map specific Internet users to resources within the private network, and in doing so, provide Internet users with access to resources residing within the private network. A special port can be defined as a static mapping of a public IP address and port number combination to a private IP address and port number. Administrators can configure a NAT address mapping for each specific private network resource that Internet users are allowed to access. The actual number of private network resources that you can make available to Internet users to access is determined by the number of TCP/UDP port numbers.

  • NAT address pools: The NAT address pool feature can be used to allow VPN users and Internet users to access private network resources. The NAT server requests for one of the public IP addresses with a specific TCP/UDP port number to resources in the private network.

    A few basic rules for using NAT address pools are listed here:

    • Administrators must provide the private network IP addresses of the servers which the NAT server can connect users to.

    • Administrators have to implement a port restricting strategy to limit the traffic that is allowed to access the private network.

 

blog comments powered by Disqus

Discuss Understanding NAT in the forums.

 
(0 - user rating)