Selecting the best address translation option for your network

If you have more PCs than IP addresses, you are probably looking for a simple, yet cost-effective solution. Address translation is what you want, and Debra Littlejohn Shinder is here to help you out!

Address translation is the process of “translating” multiple IP addresses from the private address range to one or more public registered addresses. There are a number of ways to do this: Some operating systems include built-in address translation capabilities; there are third-party software programs available to provide address translation services; and vendors make hardware devices that are capable of translation tasks. Network address translation is also called NAT.

In this Daily Feature, we will take a look at how address translation works, some of the address translation options available, and how you can select the best translation solution for your network.

How address translation works
The address translation gateway computer or device is connected to the public network via a modem, broadband connection, T1, or other Internet connection. It is also connected, via a second interface, to the internal LAN. This computer has an internal address from the private address range assigned to its internal interface and a public address assigned by the ISP (either a static address or one allocated by DHCP) to its external interface. Address translation software allows it to function as the gateway for computers on the LAN that are configured with its internal IP address as their default gateway address.

When an internal computer sends a message destined for the Internet (for example, when its Web browser attempts to access a URL that points to an Internet Web server), the gateway intercepts the request, maps the internal address of the sending computer to a port number in its address translation table, replaces the sending computer’s source address in the packet headers with its own, and forwards the message to the Internet. When a reply is returned to the gateway computer, it consults the address translation table to determine which internal computer should receive the response and sends it to that machine.

Advantages of address translation
Advantages of using an address translation method to connect your LAN’s computers to the Internet include:
  • Cost: You don’t have the expense of extra IP addresses from your ISP.
  • Conservation of IP addresses: You don’t use more of the available addresses than necessary.
  • Security: The computers on the Internet “see” only the gateway computer, not any of the computers on the internal LAN.

Disadvantages of address translation
There are a few disadvantages to using address translation instead of a routed connection with each computer on the LAN having its own public IP address:
  • Compatibility issues: Not all programs and protocols are compatible with address translation. Protocols that carry IP addresses or TCP/UDP port numbers somewhere other than the IP header and the TCP or UDP header (for example, embedded in the packet payload) may require NAT “editors” or may not be able to work with address translation at all. For example, IPSec is not compatible with NAT.
  • Performance: Translation requires some overhead in system resources; thus, performance may be slightly slower when using NAT.
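To make the translation table described above concrete, here is a small Python model of the gateway (an added example; not code from the article or from any of the products it names). Every address and port is a constructed sample value from the documentation IP ranges, and the port-allocation scheme is an assumption made for illustration. Besides the basic outbound mapping and reply lookup, it shows why an unsolicited packet from the Internet never reaches the LAN, what an inbound mapping looks like, and why a protocol that names the private address inside its payload needs a NAT editor.

```python
"""Toy model of the NAT gateway and translation table described above.

Added example, not code from the article. Packets are simple records,
the "LAN" and "Internet" sides are just function calls, and every address
and port below is a constructed sample value (documentation IP ranges).
"""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.5"     # assumed ISP-assigned address on the external interface
WEB_SERVER = "198.51.100.20"  # assumed Internet host the LAN clients talk to


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000  # first public port handed out (assumed allocation scheme)
    # public port -> (internal ip, internal port), filled by outbound traffic
    table: dict = field(default_factory=dict)
    # public port -> (internal ip, internal port), configured by the administrator
    static: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: map the sender to a public port and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        for pub_port, internal in self.table.items():
            if internal == key:       # reuse the entry for an ongoing conversation
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: consult the table; anything unmatched is dropped."""
        internal = self.table.get(pkt.dst_port) or self.static.get(pkt.dst_port)
        if internal is None:
            self.dropped.append(pkt)
            return None
        ip, port = internal
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)


def demo_two_clients():
    """Two LAN hosts use the same source port; replies still reach the right one."""
    gw = NatGateway(PUBLIC_IP)
    a = gw.outbound(Packet("192.168.0.10", 1025, WEB_SERVER, 80, "GET /a"))
    b = gw.outbound(Packet("192.168.0.11", 1025, WEB_SERVER, 80, "GET /b"))
    reply_a = gw.inbound(Packet(WEB_SERVER, 80, a.src_ip, a.src_port, "page a"))
    reply_b = gw.inbound(Packet(WEB_SERVER, 80, b.src_ip, b.src_port, "page b"))
    return a, b, reply_a, reply_b


def demo_unsolicited():
    """An inbound packet with no table entry never reaches the LAN."""
    gw = NatGateway(PUBLIC_IP)
    delivered = gw.inbound(Packet("198.51.100.99", 5000, PUBLIC_IP, 80, "hello?"))
    return delivered, len(gw.dropped)


def demo_static_mapping():
    """Inbound mapping (the server NAT feature ICS lacks): public :80 -> internal web host."""
    gw = NatGateway(PUBLIC_IP)
    gw.static[80] = ("192.168.0.20", 80)
    return gw.inbound(Packet("198.51.100.99", 5000, PUBLIC_IP, 80, "GET /"))


def demo_embedded_address():
    """Why some protocols need a NAT editor: the payload still names the private host."""
    gw = NatGateway(PUBLIC_IP)
    # constructed FTP-style PORT command carrying the client's own private address
    out = gw.outbound(Packet("192.168.0.10", 1026, WEB_SERVER, 21, "PORT 192,168,0,10,4,1"))
    return out.src_ip == PUBLIC_IP and "192,168,0,10" in out.payload


if __name__ == "__main__":
    a, b, ra, rb = demo_two_clients()
    print("host A seen as", (a.src_ip, a.src_port), "-> reply to", (ra.dst_ip, ra.dst_port))
    print("host B seen as", (b.src_ip, b.src_port), "-> reply to", (rb.dst_ip, rb.dst_port))
    print("unsolicited packet delivered:", demo_unsolicited()[0])
    print("static mapping delivers to:", demo_static_mapping().dst_ip)
    print("payload still carries private address:", demo_embedded_address())
```

The header rewrite only touches the IP source address and port, which is why the last case matters: the header now says the gateway's public address, but the payload still tells the remote server to connect back to 192.168.0.10, an address that means nothing on the Internet. A NAT editor for that protocol would have to rewrite the payload too.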

Address translation options
If you determine that a translated connection is the best option for your network, you have several choices for implementing NAT.

Internet Connection Sharing (ICS) in Windows 98SE/Me/2000/XP
ICS is a “lite” form of NAT that is built into both Windows 2000 Pro and Server, as well as Windows XP/2002 and Windows 98SE/Me. The Windows 2000 machine can function as a connection gateway for internal computers running TCP/IP, even if they are running older operating systems, such as Windows 95.

ICS is easy to set up, but its flexibility is limited. You must use the preconfigured private address range, for example, and you cannot translate the internal addresses to multiple external interfaces. Also, you cannot use ICS on your network if there is a DNS or DHCP server on the network. ICS is most appropriate for small peer-to-peer Windows networks.

To share a connection with ICS, you need only check a box on the Sharing tab of the Properties sheet for the connection (see Figure A).

Figure A
ICS in Windows 2000/XP provides an easy way to set up a “lite” version of NAT.

The ICS gateway computer will become a DHCP allocator, assigning IP addresses from its preconfigured private range to the computers on the internal LAN. These other computers must be set up as DHCP clients in their TCP/IP properties.

NAT in Windows 2000/2002 Server
For configuring a translated connection in a Windows network when ICS won’t do (for example, in a Windows 2000 domain with DNS and DHCP servers on the network), Microsoft provides a component simply called NAT, which is installed as a routing protocol in the Routing and Remote Access (RRAS) administrative tool (see Figure B).

Figure B
NAT is added and configured as a routing protocol in Windows 2000 Server RRAS.

This “full-fledged” NAT is available only on the server operating system.

NAT is more complex than ICS but allows you to specify the address range from which private IP addresses will be assigned to internal computers by the NAT gateway acting as DHCP allocator, or you can disable the allocator and let the addresses be assigned by your DHCP server.

Other reasons for choosing NAT over ICS on a Windows 2000 network include:
  • Support for inbound mappings
  • Ability to disable the DNS proxy function
  • Need to use static IP addresses on the network

IP Masquerading for Linux
IP Masquerade (IPMASQ) is a Linux networking feature that provides a translated connection through the Linux gateway machine. Support for masquerade has been built into the Linux kernel since version 1.3.x. It is a form of NAT and is configured similarly, with internal computers that access the Internet through the Linux box being configured to use the Linux machine’s internal IP address as their default gateway.

Third-party NAT solutions
What if the computers on your network are all running operating systems that, unlike Linux or Windows 98SE/2000/2002, don’t have built-in NAT support, and you want to use a translated connection? There are several third-party NAT solutions available that can be installed on Windows 95 or Windows NT computers.

A few products that are reasonably priced, easily configured, and have been found to work well are:

Proxy servers
Proxy servers use address translation to provide an Internet connection to internal computers via one public IP address, but they also provide additional functionality beyond connection sharing. Proxy servers are used for added security; they sit between the internal network and the public Internet and can perform packet filtering (and in some cases, circuit level and application level filtering) to control what leaves and enters the private network. Proxy servers may even have built-in firewall functionality.

Proxy server software often costs more than NAT products because of its added sophistication. Examples include:
  • Microsoft Proxy Server 2.0
  • Microsoft Internet Security and Acceleration Server (ISA)
  • Midpoint
  • WinProxy
  • Rideway

Hardware NAT
Many router vendors build NAT functionality into their ISDN and DSL routers, making it easy to implement an address translation solution without worrying about installing special software on a gateway machine.

Selection considerations
In determining which NAT solution is best for your network, you should take into account the following:
  • Cost: If you are running an operating system that has a connection-sharing component built in, you will save money by using it instead of buying third-party software or a hardware device that supports NAT.
  • Features: If you need additional security features as well as address translation, you may wish to consider a proxy server.
  • Ease of Configuration: Some solutions are easier to implement than others. For example, Windows 2000 ICS is easier to set up than Windows 2000 NAT, and the Sygate NAT product is easier to configure than the Rideway proxy. Balance ease of configuration against cost factors and needed features.
  • Operating System Compatibility: The solution you choose must be compatible with the operating system running on the computer you want to be the gateway.
  • Application and Protocol Compatibility: If you use applications or protocols that do not carry the IP address in the IP header or otherwise won’t work with NAT, you may need to choose a different option for connecting your LAN to the Internet.

Network address translation provides a way to conserve the limited number of available public IP addresses, save money, and provide a measure of security, while connecting all the computers on an internal LAN to the Internet through a gateway computer using a single public IP address. NAT has both advantages and disadvantages compared to a traditional routed connection; if you decide NAT is the best solution for your network, there are a variety of different ways in which it can be implemented.


Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
