
Saturday, February 18, 2012

NAT Simplified : Configuring and Deploying Network Address Translation


NAT (Network Address Translation) is a term that comes up regularly in production environments. Here I would like to explain the steps you need to follow to implement NAT on a Windows Server 2003 machine. The steps are fairly simple, and if you already have a public address you can set it up in less than an hour.
Basically, there are two benefits in using NAT:
  • It hides our internal IP addressing scheme. Hosts on the Internet only ever see the NAT server's public address, and an unsolicited inbound packet matches no entry in the NAT table, so it is dropped. NAT is not a substitute for a firewall, though: it does not inspect the traffic that does match a table entry or a published port.
  • It saves costs, because we don't need to purchase a public IP address for each host in the network. We can hide several machines behind a NAT server that is configured with a single public IP address. If every computer in every internal network across the globe needed its own public address, the IPv4 address space would have run out long ago.

Before going into the steps for implementing NAT, it is useful to know how a NAT server modifies outgoing and incoming packets.
  • The client machine generates a request and sends it to the NAT server, which is its default gateway. Let's assume the packet is destined for port 80 at 206.xx.xx.xx.
  • The NAT server inspects the packet and creates an entry in the NAT table. The entry ties the original source address and port and the real destination address and port to a substitute source port that the server picks from its free ports. It then rewrites the source address and port in the packet to its own public address and the substitute port, so that replies from 206.xx.xx.xx come back to the NAT server.
The NAT table is the key to the whole process, because it associates the original source address and port with the destination address and port. When a reply arrives on the public interface, the NAT server looks up its destination port in the table, rewrites the destination address and port back to the internal machine that generated the request, and forwards the packet on the private interface. An inbound packet that matches no entry is simply dropped.

Installing NAT Using the RRAS Console
In Windows, NAT is actually treated as another routing protocol that you install using the Routing and Remote Access Service (RRAS). You can open the RRAS snap-in by clicking Start > Administrative Tools > Routing and Remote Access.
Note: You should have at least two network interfaces on the server for this: one for the public side and one for the private side.
If you have already configured RRAS for some other feature, configure NAT on top of it without disabling RRAS first: disabling the service wipes out its existing configuration.
The steps below cover both a server on which RRAS has not been configured yet and one on which it is already handling some other feature, like IPX routing.
  1. In the RRAS snap-in, locate the server on which you want to enable NAT. If its icon carries a small red downward arrow, RRAS is not running yet: right-click the server, choose "Configure and Enable Routing and Remote Access", and pick the "Network address translation (NAT)" option in the wizard to complete the NAT installation.
  2. Otherwise, expand IP Routing, right-click the General node and select "New Routing Protocol".
  3. In the "New Routing Protocol" dialog box, select the NAT/Basic Firewall option and click OK.
  4. A new node called NAT/Basic Firewall now appears under IP Routing.
Adding and Removing NAT Interfaces
Before you can use NAT on your local network, you have to add the NAT interfaces using the RRAS console.
Note: When adding a NAT interface, you have to distinguish between adapters that are connected to your local network and those connected (or able to connect) to the Internet. Getting the two swapped means the wrong side of the network is treated as public.
Adding a NAT Interface
First create an interface for your local network adapter, then one for the Internet adapter. For each of them:
  • Right-click "NAT/Basic Firewall" and choose "New Interface".
  • In the "New Interface For Network Address Translation" dialog box, select the adapter you want to use and click OK.
Setting NAT Interface Properties
Each NAT interface has its own set of properties. We can edit them by right-clicking an interface and choosing Properties on the context menu.
The options relevant to our discussion are on the NAT/Basic Firewall, Address Pool and Services And Ports tabs. Under each tab, I will explain the options we need to be concerned about.

The NAT/Basic Firewall Tab:
The NAT/Basic Firewall tab lets you designate what kind of NAT interface it is.
  • The "Private Interface Connected To Private Network" radio button specifies that the interface is bound to the adapter on your local network.
  • The "Public Interface Connected To The Internet" radio button specifies that the adapter is connected to the Internet.
The Address Pool Tab:
It lists the range of public IP addresses assigned to you, typically obtained from your ISP. You can manage the pool using the Add, Edit, Remove and Reservations buttons; a reservation ties one public address from the pool to a specific host on the private network.
The Services And Ports Tab:
Suppose you need to run a web server on your local network that should serve requests from around the globe. You can set it up on a machine with a private IP address and configure NAT to forward the requests that arrive on port 80 of the public interface to port 80 on your internal web server.
The Services And Ports tab lists the port mappings in effect and lets you specify which internal address and port inbound traffic on a given public port should be mapped to. You can manage the port mappings using the buttons at the bottom of the pane.
Keep in mind that every published port is a hole in the "hiding" benefit described earlier: the internal server is now reachable from anywhere, so it has to be hardened and patched like any Internet-facing host.
Configuring NAT Properties
You can also specify the properties that affect all NAT interfaces and connections on your NAT server. This can be accessed by right-clicking the NAT/Basic Firewall node in the RRAS console and using the Properties command.
The Properties dialog box has four tabs:
  1. General tab,
  2. Translation tab
  3. Address Assignment tab and
  4. Name Resolution tab.
Among these, we only need to be concerned with the General tab and the Translation tab. The Address Assignment and Name Resolution tabs let you enable the NAT addressing component (a small DHCP allocator) and the NAT name resolution component (a DNS proxy). They are not commonly used, since almost all networks already have a DHCP server and a DNS server.
General Tab
The General tab allows you to change the amount of event logging information that the NAT component writes to the system event log.
Translation Tab:
The Translation tab lets us control how long TCP and UDP entries remain in the NAT table after they were last used, that is, the idle timeouts after which a mapping is removed.
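To make the whole process concrete, here is a small Python model of a NAT table. It is added as an illustration and is not code from this post or from Windows RRAS. It performs the outbound rewrite and the reply lookup described earlier in the section on how a NAT server modifies packets, drops inbound packets that match no entry, honours a static port mapping of the kind the Services And Ports tab creates, and expires idle entries after timeouts of the kind the Translation tab controls. The public address 203.0.113.10, the internal hosts 192.168.1.5 and 192.168.1.20, the remote hosts 206.0.0.1, 206.0.0.2 and 198.51.100.7, the ports and the timeout values are all constructed for the example.

```python
"""
Toy model of the NAT table described in this post (port-overloading NAT).
Added illustration only: it is not code from the post or from Windows RRAS,
and the addresses, ports and timeouts are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    private_ip: str     # the internal host that generated the request
    private_port: int
    remote_ip: str      # the real destination on the Internet
    remote_port: int
    last_used: float    # seconds; refreshed by every translated packet


class NaptTable:
    """Rewrites outbound packets to the public address and reverses the
    rewrite for replies, keyed on the substitute source port."""

    def __init__(self, public_ip: str, tcp_timeout: float = 1440 * 60,
                 udp_timeout: float = 60):
        self.public_ip = public_ip
        # Idle timeouts, the knobs on the RRAS Translation tab; the values
        # here are assumptions for the example, check your own server.
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.dynamic: Dict[Tuple[str, int], Entry] = {}
        # Static inbound mappings, what the Services And Ports tab creates.
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 49152

    def add_port_mapping(self, proto: str, public_port: int,
                         private_ip: str, private_port: int) -> None:
        self.static[(proto, public_port)] = (private_ip, private_port)

    def _alloc_port(self, proto: str) -> int:
        """Pick the next free ephemeral port (49152-65535) for this protocol."""
        for _ in range(65536 - 49152):
            port = self._next_port
            self._next_port = 49152 if port == 65535 else port + 1
            if (proto, port) not in self.dynamic and (proto, port) not in self.static:
                return port
        raise RuntimeError("no free public ports")

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Private -> public: record (or reuse) a table entry, rewrite the source."""
        for (proto, port), e in self.dynamic.items():
            if (proto, e.private_ip, e.private_port, e.remote_ip, e.remote_port) == \
               (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                e.last_used = now
                return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port = self._alloc_port(pkt.proto)
        self.dynamic[(pkt.proto, port)] = Entry(pkt.src_ip, pkt.src_port,
                                                pkt.dst_ip, pkt.dst_port, now)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Public -> private: return the packet rewritten for the internal host,
        or None when it must be dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.static:                       # a published service
            ip, port = self.static[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        e = self.dynamic.get(key)
        if e is None:
            return None                              # nobody asked for this: drop
        if now - e.last_used > self.timeouts[pkt.proto]:
            del self.dynamic[key]                    # idle entry has expired
            return None
        if (pkt.src_ip, pkt.src_port) != (e.remote_ip, e.remote_port):
            return None                              # not from the host we contacted
        e.last_used = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, e.private_ip, e.private_port)


def demo() -> dict:
    """Walks through the cases discussed in the post; returns the results."""
    nat = NaptTable("203.0.113.10")                          # assumed public address
    nat.add_port_mapping("tcp", 80, "192.168.1.20", 80)     # internal web server
    req = Packet("tcp", "192.168.1.5", 51000, "206.0.0.1", 80)
    out = nat.outbound(req, now=0)                           # src -> 203.0.113.10:49152
    back = nat.inbound(Packet("tcp", "206.0.0.1", 80, out.src_ip, out.src_port), now=1)
    stray = nat.inbound(Packet("tcp", "198.51.100.7", 4444, "203.0.113.10", 49152), now=2)
    web = nat.inbound(Packet("tcp", "198.51.100.7", 4444, "203.0.113.10", 80), now=2)
    dns = nat.outbound(Packet("udp", "192.168.1.5", 40000, "206.0.0.2", 53), now=10)
    late = nat.inbound(Packet("udp", "206.0.0.2", 53, dns.src_ip, dns.src_port), now=71)
    return {"out": out, "back": back, "stray": stray, "web": web, "dns": dns, "late": late}
```

Calling demo() walks through the cases: the request from 192.168.1.5 leaves with the public address and port 49152 as its source, the reply from 206.0.0.1 is rewritten back to 192.168.1.5:51000, a packet from a stranger aimed at the same public port is dropped, the published port 80 is handed to the internal web server, and a DNS reply that arrives 61 seconds after the query finds its UDP entry expired and is dropped, which is exactly the keep-alive problem mentioned in the conclusion. The check that a reply comes from the host that was contacted is a design choice of this model; real NAT implementations differ in how strictly they apply it.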
Conclusion
Translation entries are short-lived, particularly for UDP, so a device on the internal network can lose connectivity for an idle flow within a short time unless it keeps the entry alive by sending traffic to the external host regularly.
On the positive side, the greatest benefit of NAT is that it has been a practical answer to the exhaustion of the IPv4 address space: networks that previously required a block of public addresses can be connected to the Internet with a single dynamic or static IP address. :)
