Do you use Microsoft’s Proxy Server to connect your network to the Internet? If so, you may have been disappointed to find out that Proxy Server doesn’t work under Windows 2000. If you’ve upgraded the rest of your network to Windows 2000, but your Proxy Server is still running Windows NT 4.0, you’ll be happy to know that there’s a workaround. Windows 2000 offers a service called NAT that you can use to achieve much of the same functionality as Proxy Server. In this Daily Feature, I’ll introduce you to NAT and explain how your network can benefit from it.
What is NAT and how does it work?
NAT stands for Network Address Translation. NAT's purpose is to hide the IP addresses that are in use on your internal network. Not only is this functionality good from a security standpoint, it also allows you to make up your own IP addresses for your local network without fear of duplicating actual Internet addresses.
Okay, so NAT sounds wonderful, but you may be wondering how NAT works. To understand what really goes on, let’s look at an example of a network configuration. Imagine that a network card connected to the Internet uses an IP address of 188.8.131.52, while the network card that’s connected to the local network has an IP address of 184.108.40.206. Let’s also assume that NAT is running on the server that’s connected to the Internet.
Now, suppose that a PC with the IP address 220.127.116.11 needs to access a Web site. As usual, the outbound packet’s first stop would be the server that’s connected to the Internet; however, NAT prevents the packet from being sent out. Instead, NAT maintains a database of outbound communications. The database is updated to reflect the internal IP address of the PC sending the packet and other information, such as the destination address. NAT then adds a random port number to the database entry. For example, NAT might assign port 83 to the PC.
At this point, NAT sends the packet to the destination. But instead of using the 18.104.22.168 address, the packet now has the address 22.214.171.124 (the address of the server). Since port 80 is typically used for HTTP-based communications, the packet is sent out on port 80. The packet, however, contains instructions that the remote Web server should reply through the random port number that NAT has assigned to the PC. In the case of my example, this would be port 83.
When NAT receives an inbound communication, it looks at the type of information that’s been received and what port number the communication arrived through. In this case, if NAT received HTTP-based communications at port 83, it would look in its database and realize that port 83 was associated with PC number 126.96.36.199. It would then forward the packet to this PC.
The big exception to this method is in situations where the PC that’s connected to the Internet contains multiple registered IP addresses. In such a case, no port translations are necessary.
The dark side of NAT
As great as NAT sounds, there’s an issue that you need to be aware of. NAT isn’t designed as a total replacement for Proxy Server. As you may know, Proxy Server contains some functionality that simply doesn’t exist in a NAT environment.
One of these features is a proxy cache. Proxy Server maintains an active cache of all recently accessed Web pages. This allows Proxy Server to save bandwidth and increase client response speed by accessing pages from the cache instead of off the Internet when possible.
The biggest thing that’s missing from NAT, though, is a full-featured packet filter and firewall. Proxy Server allows you to block any ports that aren’t essential to your organization. This capability is important because hackers can use these obscure ports to gain access to your network. Likewise, Proxy Server also protects you against hackers by allowing you to block any protocols that aren’t frequently used. NAT lacks this capability. Basically, this means that NAT provides a useful service, but don’t expect it to take the place of a full-featured firewall.
If you do use an external firewall, remember that while you’re safe blocking unused protocols, blocking unused ports may cause NAT to malfunction since it depends on these ports for inbound HTTP communications.
The process of installing NAT is relatively simple. To do so, open the Routing And Remote Access console by clicking the Start button and selecting Programs | Administrative Tools | Routing And Remote Access. When the console opens, navigate through the tree on the left side of the screen to Routing And Remote Access | your server | IP Routing | General.
Now, right-click the General object and select the New Routing Protocol command from the resulting context menu. When you do, the New Routing Protocol dialog box will open. This dialog box contains a list of various routing protocols. Select Network Address Translation (NAT) from the list and click OK. Network Address Translation now shows up as an object in the tree beneath IP Routing.
There are a number of parameters that you can configure for NAT. To do so, right-click Network Address Translation in the list and select the Properties command from the resulting context menu. When you do, you’ll see the Network Address Translation (NAT) Properties sheet.
The default tab on the Network Address Translation (NAT) Properties sheet is the General tab. The General tab allows you to select the level of logging that takes place due to NAT’s actions. The default option is to log errors only, but you can elect to log errors and warnings, log the maximum amount of information, or disable event logging for NAT altogether.
The next tab is the Translation tab, which allows you to set the timeout period for TCP and UDP mappings. By default, the timeout is 1440 minutes for TCP mappings and one minute for UDP mappings. Generally, these settings will work fine for most networks. If, however, you have an application that requires longer mapping times or if your network is extremely slow, you may need to bump these values up, especially when it comes to the UDP mappings.
The Translation tab also includes an Applications button. You can use this button to make applications that exist on the public network (usually the Internet) available on the local network. You can do this by providing information for the remote application, such as port numbers and IP addresses.
The next tab that you’ll encounter is the Address Assignment tab. This tab is optional. It allows you to implement DHCP through NAT, even if you aren’t running a separate DHCP service. The way that it works is that if you enable this service, then NAT, not the normal DHCP server, assigns IP addresses to clients on the local network. The configuration options on this tab are pretty self-explanatory.
The final tab on the Network Address Translation (NAT) Properties sheet is the Name Resolution tab. This tab provides an easy way to enable DNS services for name resolutions. All that you have to do to enable this feature is to select a check box. If you don’t have your own DNS server, you can even use this tab to make NAT connect to the Internet when it needs to resolve an address.
Configuring the NAT interfaces
So far, I’ve shown you how to install and configure NAT; however, you still have to configure the NAT interface—the mechanism by which NAT knows which networks to bridge. There are a lot of ways to set up NAT interfaces. Since this article is all about linking a private network to the Internet, I’ll walk you through the configuration process as though this is what you were trying to accomplish.
Begin by opening the Routing And Remote Access console and navigating through the console tree to Routing And Remote Access | your server | IP Routing | Network Address Translation. Next, right-click Network Address Translation and select the New Interface command from the resulting context menu. At this point, you’ll see a dialog box that lists all of the existing connections on the server. Select the connection that you want to work with and click OK.
Now you’ll see a dialog box that asks if the connection is a private interface that’s connected to a private network or a public interface that’s connected to the Internet. If you’re configuring a private interface, simply make the appropriate selection and click OK. If you’re working with a public interface, though, there’s a bit more configuration to do.
If you’re configuring a public interface, the next step is to select the Address Pool tab. This tab allows you to input the IP addresses that your ISP has assigned to you. NAT will translate the addresses used by your private network to the legitimate addresses that you insert into this area.
Finally, switch to the Special Ports tab. This tab gives you the chance to tell NAT about any special port-related needs that your network might have so that NAT doesn’t try to remap the port.
In this Daily Feature, I’ve discussed how NAT can be used to achieve some of Proxy Server’s functionality. If you decide to implement NAT, remember that NAT doesn’t offer the IP packet-filtering capabilities offered by Proxy Server. It’s important to use a firewall or Windows 2000’s packet-filtering capabilities in conjunction with NAT.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.