Contents

Overview 1
Introducing NAT 2
Designing a Functional NAT Solution 6
Securing a NAT Solution 13
Enhancing a NAT Design for
Availability and Performance 19
Discussion: Enhancing a NAT Solution 20
Lab A: Designing a NAT Solution 22
Review 30


Module 6: NAT as a
Solution for Internet
Connectivity


Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media,
Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries/regions.

Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)

Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart

Other product and company names mentioned herein may be the trademarks of their respective
owners.



Module 6: NAT as a Solution for Internet Connectivity 1


Overview
 Introducing NAT
 Designing a Functional NAT Solution
 Securing a NAT Solution
 Enhancing a NAT Design for Availability and
Performance


When an organization decides to connect to the Internet, a primary
consideration is how to provide Internet access for users on the private network
while protecting private network resources. In Microsoft
® Windows® 2000, the
Network Address Translation (NAT) protocol that is provided by Routing and
Remote Access provides a solution for Internet connectivity, and protects the
resources of private networks.
NAT is an appropriate solution for Internet connectivity requirements for
organizations that have limited security requirements and a relatively small
number of users within each location.

At the end of this module, you will be able to:
 Evaluate NAT as a solution for Internet connectivity.
 Evaluate and create a functional design for baseline Internet connectivity.
 Select appropriate strategies to secure a NAT Internet connectivity solution.
 Select appropriate strategies to enhance Internet connection availability and
improve Internet connectivity performance.


Throughout the remainder of the module, NAT is used to describe the
NAT protocol in Windows 2000.

Note
2 Module 6: NAT as a Solution for Internet Connectivity





 Introducing NAT
 Design Decisions for a NAT Solution
 Features of NAT


NAT connects private networks to the Internet while also protecting the private
network resources. To design a strategy for providing Internet connectivity by
using NAT, you must:
 Establish the design requirements for a NAT solution.
 Identify how the features provided by NAT support the Internet connectivity
design requirements.


Module 6: NAT as a Solution for Internet Connectivity 3



Design Decisions for a NAT Solution
 Same Security Requirements for All Users
 Nonrouted Private Network
 Required Private Addressing
Internet
NAT


You must base your decision to use NAT as an Internet connectivity solution on
the size of the private network and the security requirements of the
organization. NAT is an appropriate solution for Internet connectivity when:
 Internet access and access to the private network is not restricted on a user-
by-user basis.
 The private network consists of any number of users in a nonrouted
environment.
 The organization requires private addressing for the computers on the
private network.

4 Module 6: NAT as a Solution for Internet Connectivity



Features of NAT
 Translate Public and Private Addresses
 Supply IP Configuration to Clients
 Forward Name Resolution Requests

 Protect Private Network Resources
 Integrate into Existing Networks


To ensure an effective Internet connectivity solution, you need to understand
how the features of NAT support the organization’s connectivity requirements.
NAT is one of the protocols supported by Routing and Remote Access in
Windows 2000; therefore, to use NAT, you must include Routing and Remote
Access in your solution.
Translate Public and Private Addresses
The network address translation feature of NAT secures the private network by
hiding the private network addresses from Internet-based users. Network
address translation allows one or more public addresses to be translated to the
private Internet Protocol (IP) addressing scheme within the private network.
Network address translation is inherent in NAT and necessitates the use of
private addressing.

For situations where a public address exists for each computer on the
private network, you can use IP routing as provided in Routing and Remote
Access.

Supply IP Configuration to Clients
The automatic IP address assignment feature of NAT supplies the IP
configuration to client computers on the private network. This feature of NAT
eliminates the requirement for a separate DHCP server. You can use automatic
IP address assignment to configure any DHCP-compatible client.
Forward Name Resolution Requests
The name resolution feature of NAT uses DNS proxies to forward requests for
name resolution. The NAT server sends client requests to the appropriate DNS
servers on the private network, or across the Internet.

Note
Module 6: NAT as a Solution for Internet Connectivity 5



Protect Private Network Resources
NAT protects private network resources from Internet-based users by enabling
communications with a specific port on a specific private network IP address.
To provide this protection, NAT uses address pools and special ports. The
NAT server forwards requests from Internet-based users to the computers on
the private network that manage the resource.
Integrate into Existing Networks
When you integrate NAT into existing networks, consider that NAT:
 Supports automatic IP configuration of client computers that use DHCP for
configuration.
 Provides IP configuration. You must ensure that DHCP servers do not
provide IP configuration for the private network.
 Supports only the IP protocol, not any other routable protocols such as
Internetwork Package Exchange/Sequenced Packet Exchange (IPX/SPX).
 Cannot perform address translation on certain protocols.
The following is a list of protocols that are not supported by NAT:
• Simple Network Management Protocol (SNMP)
• Lightweight Directory Access Protocol (LDAP)
• Component Object Model (COM) or Distributed Component Object
Model (DCOM)
Many applications may use DCOM to communicate between clients and
servers in a multi-tier solution.
• Kerberos Version 5
The Active Directory
™

directory service uses Kerberos V5 protocol, so
domain controllers cannot replicate through NAT.
• Microsoft Remote Procedure Call (RPC)
Many of the Microsoft Management Console (MMC) snap-ins use RPC
to communicate between the client and the server.
• Internet Protocol Security (IPSec) packets that use IP header encryption


For any applications that require the protocols not supported by NAT,
use Microsoft Proxy Server 2.0 as the Internet connectivity solution.

Note
6 Module 6: NAT as a Solution for Internet Connectivity





 Designing a Functional NAT Solution
 Integrating NAT into the Existing Network
 Selecting NAT Server Options
 Discussion: Designing NAT Solutions


Your design decisions establish the essential aspects of your NAT solution and
provide the foundation for your Internet connectivity design. You make these
decisions by:
 Determining the placement of the NAT server and the IP address, type of
persistence, and data rate of the NAT server interface.
 Selecting the appropriate automatic IP address assignment and DNS name

resolution feature options.

Module 6: NAT as a Solution for Internet Connectivity 7



Integrating NAT into the Existing Network
 NAT Server Placement on the Private Network
 Interface Address and Subnet Mask Selection
 Interface Data Rate and Persistence Selection
P
r
i
v
a
t
e

N
e
t
w
o
r
k
Internet
NAT
LAN Interface
Demand-Dial Interface



The NAT server in your network design must have at least two interfaces: one
interface that connects to the Internet and one interface that connects to the
private network. For each NAT server interface, you must describe the interface
characteristics so that you can integrate the NAT server into the existing
network.
NAT Server Placement on the Private Network
You need to place the NAT server between the network segments to localize
network traffic and maintain security. The NAT server provided by
Windows 2000 is appropriate for connecting the private network to public
networks.
You must place the NAT server within the private network to:
 Isolate the network traffic to the source, destination, and intermediary
network segments.
 Create a screened subnet within the private network, thereby protecting
confidential data.
 Exchange network packets between dissimilar network segments, such as
between an Ethernet network segment and Integrated Services Digital
Network (ISDN).

8 Module 6: NAT as a Solution for Internet Connectivity



Select the Interface Address and Subnet Mask
When selecting the NAT server interface address and subnet mask, remember
that:
 Each NAT server interface requires an IP address and subnet mask.
 The IP address assigned to the NAT interface must be within the range of
addresses that is assigned to the network segment that is directly connected

to the interface.
 The subnet mask assigned to the NAT server interface must match the
subnet mask that is assigned to the network segment that is directly
connected to the interface.

Select the Interface Data Rate and Persistence
Each NAT server interface connects to a private or public network segment.
These network segments can be persistent or non-persistent. In addition, the
data rates for these network segments can vary considerably. You need to
specify the data rate and persistence for each NAT server interface so that the
NAT server can connect to private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies
that are persistent interface connections. The data rate of the private network
segment is determined by the LAN technology, such as 100 megabits per
second (Mbps) data transfer rate for 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies that
can be persistent or non-persistent. Public network segments that appear to the
NAT server as LAN interfaces are persistent, and the data rate is determined by
the LAN technology.
Public network segments that appear as demand-dial interfaces are non-
persistent, and the data rate is determined by the underlying technology. An
example of this would be a 56 Kbps dial-up modem connection that supports a
maximum data rate of 56 Kbps.
When the public network segments are based on LAN technologies, you can
include demand-dial interfaces, such as a VPN connection over a digital
subscriber line (DSL) connection. Include a demand-dial interface in your
solution when:
 An exchange of credentials, such as VPN tunnel authentication, is required

to perform authentication.
 Charges, such as ISDN connection charges, are accumulated.

Module 6: NAT as a Solution for Internet Connectivity 9



Selecting NAT Server Options
 Automatic IP Address Assignment
 DNS Name Resolution
Internet
Name
Resolution
DNS Server
Automatic
Addressing
NAT
Private
Network


In addition to providing network address translation, NAT provides automatic
addressing and name resolution for private network clients. These NAT server
options eliminate the need for additional Windows 2000–based servers to
provide the same function.
Automatic IP Address Assignment
The automatic IP address assignment feature in NAT supplies IP configuration
to any DHCP-compatible client on the private network. Include this feature in
your solution when the:
 Client computers on the private network use DHCP for IP configuration.

 Private network consists of a single, nonrouted subnet.

You must configure the NAT client computers on the private network such that
they automatically obtain their Transmission Control Protocol/Internet Protocol
(TCP/IP) configuration. When the computers on the private network are started,
the NAT server configures the TCP/IP options of the computers.
10 Module 6: NAT as a Solution for Internet Connectivity



The following table lists the TCP/IP options and associated TCP/IP settings that
are configured on the DHCP client computers.
This option Is set to

IP address An IP address from the range of 192.168.0/24.
Subnet mask 255.255.255.0.
DNS server The IP address of the NAT private network interface, which
is typically 192.168.0.1.

You can also use Automatic Private IP Addressing (APIPA) in Windows 2000
and Microsoft Windows 98 to automatically configure computers on the private
network. When you use APIPA, you must manually select the IP address of the
private network interface for the NAT server from the range of APIPA
addresses.

If you enable the automatic IP addressing feature, ensure that DHCP
servers do not provide IP configuration for the private network because the
DHCP servers and the NAT server would both attempt to configure the
computers.


DNS Name Resolution
The name resolution feature of NAT forwards DNS name resolution requests
from clients on the private network to DNS servers across the Internet. Include
this feature in your solution when:
 Other private network servers do not provide DNS name resolution.
 The private network consists of a single, nonrouted subnet.

Note
Module 6: NAT as a Solution for Internet Connectivity 11



Discussion: Designing NAT Solutions
Edinburgh
Glasgow
Dublin
London
Belfast
Birmingham
Bristol


As you create NAT designs, you need to translate information relating to the
solution into design requirements. This discussion involves the design of basic
NAT solutions. During the discussion, note any ideas presented by other
students in the class that are relevant to the NAT solution.
The following scenario describes the current network configuration of a firm
that represents electronic component manufacturers. Read the scenario and
answer the questions. Be prepared to discuss your answers with the class.
Scenario

A firm represents a number of electronic component manufacturers. The central
sales office is located in London with regional representatives located
throughout the United Kingdom. The regional representatives conduct business
from their homes.
Each regional representative currently has one computer running Microsoft
Windows 95 that uses a direct dial-up connection to a remote access server in
the London central sales office to place orders. In addition, the representatives
also connect to the Internet, through local Internet service providers (ISPs), so
they can view product information from the electronic manufacturers they
represent.
12 Module 6: NAT as a Solution for Internet Connectivity



Questions
1. The London central sales office is upgrading the order entry and tracking
order system to a Web-based solution that uses distributed Microsoft SQL
Server
™
version 7.0 databases. The new order system requires the regional
representatives to add an additional computer running Windows 2000
Advanced Server and SQL Server 7.0. The order entry system updates order
information over the Internet in real time, so a permanent Internet
connection is required. What solutions that use the NAT services in
Windows 2000 could you recommend to the company?


2. The director of sales for the firm is evaluating contact management software
for use by the regional representatives. The software would allow the
regional representatives to manage customer contact information, and allow

sales managers in the London central sales office to review activity on key
customer accounts. The repository for the contact information is a SQL
Server database in the London office. What impact would the selection of
the contact management software have on your design?


Module 6: NAT as a Solution for Internet Connectivity 13





 Securing a NAT Solution
 Restricting Internet Traffic by Using IP Filters
 Allowing Access with Address Pools and Special Ports
 Enhancing NAT Security with VPN


The default security provided by NAT is adequate to protect private network
resources that are not available to Internet users. For Internet connectivity
solutions that require restricted access to Internet sites or to private network
resources, you need to incorporate the security features provided by NAT. To
enhance the security of a NAT solution, consider:
 Specifying Routing and Remote Access filters.
 Allowing access to private network resources by using address pools and
special ports.
 Enhancing NAT security with VPN connections.

14 Module 6: NAT as a Solution for Internet Connectivity




Restricting Internet Traffic by Using IP Filters
 Restrict by Using Routing and Remote Access IP Filters
 Apply Filters to Internet or Private Network Interface
 Filter all Traffic Based on IP Address and Protocol
Private
Network
Outgoing
NAT
Central
Office
Internet
Incoming
NAT
NAT
Partner
Network
Web
Server


To restrict access to the Internet or to the private network, you can specify
unique Routing and Remote Access IP filters for each NAT interface. These
filters are based on an incoming or outgoing IP address range and protocol. You
can add multiple filters for each NAT interface to create a combination of filters
that address any security requirements. Routing and Remote Access IP filters
provide similar security to firewall filters.
You can specify Routing and Remote Access IP filters that restrict:
 Internet-based user access to private network resources.

 Private network user access to Internet-based resources, such as partner
networks or central offices.

Restrict by Using Routing and Remote Access IP Filters
Routing and Remote Access filters restrict traffic at International Organization
for Standardization (ISO) layer two and affect all IP traffic received by a NAT
interface. These filters specify which IP packets are forwarded or rejected by
the NAT interface.
Apply Filters to the Internet or Private Network Interface
You can apply Routing and Remote Access filters to the Internet or private
NAT interface. The following table lists the interface types and describes the
reasons for assigning a filter to each interface.
Create a filter on the To restrict

Internet interface Private network user access to Internet-based resources.
Private network interface Internet-based user access to private network resources.

Module 6: NAT as a Solution for Internet Connectivity 15



Filter All Traffic Based on IP Address and Protocol
You create Routing and Remote Access filters by specifying the source or
destination IP address range and the protocol type of the packets to be filtered.
You can base your filter design upon any combination of the following:
 Source IP address range.
 Destination IP address range.
 IP protocol number.

You can design the filters to either accept or reject packets that match any of the

filters assigned to the NAT interface.
16 Module 6: NAT as a Solution for Internet Connectivity



Allowing Access with Address Pools and Special Ports
 Use the Default—All Computers Are Inaccessible
 Reserve Addresses from the Address Pool
 Define Special Port Mappings
Internet
Remote
User
Special Port
Mapping
NAT
Web
Server
Private
Network


You can allow access to specific computers and applications within the private
network by reserving IP addresses from the NAT Interface address pool, or by
creating special port mappings.
Use the Default—All Computers Are Inaccessible
By default, NAT discards any Internet-based requests to access computers
located within the private network. As such, all computers on the private
network are inaccessible from the Internet in a NAT solution. Choose the
default configuration when users on the:
 Private network require access to Internet sites.

 Internet must not have access to any of the private network resource
computers.

In situations where the default security provided by NAT is not appropriate,
select the method for exposing private network resources to the Internet. You
can select the method based on the number of public addresses available to the
organization.
Module 6: NAT as a Solution for Internet Connectivity 17



The following table describes the strategies for enabling access to private
network resources.
When the design includes Enable access to private network resources by

Multiple public IP addresses Reserving addresses from the address pool.
Single public IP address Defining special port mappings.

Reserve Addresses from the Address Pool
When the NAT solution includes multiple public IP addresses, you can place
the addresses in an address pool to enable private network resource access.
Address pools enable NAT to examine Internet-based requests and forward the
requests to resources on a server within the private network.
You must obtain and reserve a public IP address in the NAT address pool for
each resource server on the private network.

Using address pools allows all IP ports on the resource server to be
accessed. If the security specification of the design requires restricted IP port
access, you can use Routing and Remote Access filters to restrict port access.


Define Special Port Mappings
When the NAT solution includes only one public IP address, you must define
special port mappings within Routing and Remote Access to enable private
network resource access. Special port mappings enable NAT to examine the IP
address and port number of Internet-based requests. NAT then forwards the
requests to a specific IP address and port number of a resource server within the
private network. For each resource that you share with the Internet, you must
define separate special port mappings in Routing and Remote Access.
Note
18 Module 6: NAT as a Solution for Internet Connectivity



Enhancing NAT Security with VPN
 Supports PPTP Tunnels
 Provides User Level Authentication
 Supports Inbound and Outbound Connections
Internet
Partner
Network
VPN
Server
NAT
Remote
User
VPN
Server
Private
Network
VPN

Servers
Central
Office
NAT


NAT does not provide security on a user-by-user basis. However, you can
restrict access to resources by using VPN connections. VPNs authenticate users
and encrypt data transferred across public networks. For example, you can use
VPN connections in a NAT solution to secure connections between:
 Remote users that need to access private network resources.
 Users on the private network and resources within partner organizations.
 Users on the private network and resources at other locations within the
organization.

The following table lists solutions provided by VPN connections and describes
how the solutions enhance the security of a NAT design.
VPN connections To

Support Point-to-Point
Tunneling Protocol
(PPTP) tunnels
Provide authentication and encryption for sensitive data.
Provide user level
authentication
Secure access to remote resources over the Internet on a user-
by-user basis.
Support inbound and
outbound connections
Allow access to private network resources from users outside

the local private network.
Allow access to resources outside the local private network.


VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not
supported because IPSec can encrypt the IP header and NAT cannot perform
address translation.

Note
Module 6: NAT as a Solution for Internet Connectivity 19



Enhancing a NAT Design for Availability and Performance
 Dedicate a Computer to NAT
 Select Persistent Internet Connections
 Provide Multiple Internet Connections
P
r
i
v
a
t
e

N
e
t
w
o

r
k
Internet
NAT
LAN Interface
Demand-Dial Interface


You can enhance the availability and performance of NAT by dedicating a
computer to NAT, selecting persistent Internet connections, or providing
multiple Internet connections. Any of these strategies enhance availability and
improve performance.
The following table describes how these strategies enhance availability and
performance.
Use this strategy To enhance availability by To optimize performance by

Dedicating a
computer to NAT
Preventing other applications
that run on the same computer
from becoming unstable, and
ultimately requiring a restart
of the computer.
Preventing other applications
that run on the same computer
from consuming system
resources and impacting NAT
performance.
Selecting
persistent Internet

connections
Preventing a lack of
availability for dial-up
connections, such as by busy
signals.
Eliminating the time required
to establish a nonpersistent
connection.
Providing multiple
Internet
connections
Providing redundant
connections to the Internet in
the event one of the
connections fails.
Distributing the traffic across
the multiple connections to the
Internet.

20 Module 6: NAT as a Solution for Internet Connectivity



Discussion: Enhancing a NAT Solution
Edinburgh
Glasgow
Dublin
London
Belfast
Birmingham

Bristol


After you have provided a basic NAT solution, you need to examine the
security, availability, and performance requirements for the solution. During the
discussion, note any ideas presented by other students in the class that are
relevant to the solution.
The following scenario describes the requirements for enhancing the NAT
solution of the firm that represents the electronic component manufacturers.
Read the scenario and answer the questions. Be prepared to discuss your
answers with the class.
Scenario
During the deployment of the NAT solution for the firm that represents
electronic component manufacturers, the firm decides to enhance the order
entry and order tracking system. The enhancements allow customers to place
orders and then track their orders by using a Web-based application over the
Internet.
Each regional sales representative will run a copy of the Web-based application
on the computer running Windows 2000. As customers place orders, the SQL
Server 7.0 database located in the regional representative’s home office and the
SQL Server 7.0 database in the London central sales office are updated.
Module 6: NAT as a Solution for Internet Connectivity 21



Questions
1. The enhancements to the Web-based order entry and order tracking system
require access to the application for customers from the Internet. What
recommendations would you make for securing the NAT solution?



2. After analyzing the traffic with a protocol analyzer, such as Network
Monitor, you have discovered that the updates to the SQL Server 7.0
database in the London central sales office are not encrypted. How could
you ensure that the database updates are encrypted?


3. Allowing customers to access the Web-based order entry and order tracking
system has significantly degraded the performance of the NAT server. What
strategies could you use to improve the performance of the NAT solution?



22 Module 6: NAT as a Solution for Internet Connectivity



Lab A: Designing a NAT Solution


Objectives
After completing this lab, you will be able to:
 Evaluate a scenario to determine the requirements that affect a NAT
solution
 Design a NAT solution to fulfill the requirements of the scenario.

Prerequisites
Before working on this lab, you must have:
 Knowledge of the design decisions required in creating a NAT solution.
 Knowledge of the design decisions that enhance the security, availability,

and performance of a NAT solution.

Estimated time to complete this lab: 45 minutes
Module 6: NAT as a Solution for Internet Connectivity 23



Exercise 1
Designing a NAT Solution
In this exercise, you are presented with the task of creating a NAT solution for a
public utility. This public utility plans to relocate the offices of its customer
service agents. You will work with a partner to design a NAT solution that
supports the public utility’s requirements.
To design your solution, review the scenario, diagrams, and design limitations
and requirements
. Follow the Design Worksheet instructions to complete the
Design Worksheet. When you have completed your design, be prepared to
discuss your results with the rest of the class.
Scenario
A public utility is relocating its customer service staff from offices within the
public utility main office to home offices. The customer service agents answer
billing and customer questions regarding the utility service.
The utility will provide Windows 2000–based computers to the customer
service agents for use in their home offices. As the network architect for the
public utility, you will create the design that allows the customer service agents
to work from their home offices.
The current network configuration provides:
 Support for a mission-critical, Web-based application that allows the
customer service agents to manage customers and their billing information.
 Support for a mission-critical, Web-based application that allows customers

to make account payments and submit service requests over the Internet.
 Support for all mission-critical applications to be available 24-hours-a-day,
7-days-a-week.
 Internet connections installed in the home office, but not connected to the
home office network.