SolutionBase: Using NAT to connect Windows 2003 to the Internet

Windows 2003 offers a feature called NAT, which you can use to achieve much of the same functionality that you can with ISA Server when connecting your network to the Internet. Here's an introduction to NAT and how your network can benefit from it.

Do you use Microsoft's Proxy Server or ISA Server to connect your network to the Internet? If so, you may be surprised to find out that Windows 2003 offers a service called Network Address Translation (NAT) that you can use to achieve much of the same functionality as you can from these products.

What is NAT and how does it work?

NAT's purpose is to hide the IP addresses that are in use on your internal network. Not only is this functionality good from a security standpoint, but it also allows you to make up your own IP addresses for your local network without the fear of duplicating actual Internet addresses.

Okay, so NAT sounds wonderful, but you may be wondering how it works. To understand what really goes on, let's look at an example of a network configuration. Imagine that a network card connected to the Internet uses an IP address of, while the network card that's connected to the local network has an IP address of Let's also assume that NAT is running on the server that's connected to the Internet.

Now, suppose that a PC with the IP address needs to access a Web site. As usual, the outbound packet's first stop would be the server that's connected to the Internet; however, NAT doesn't pass the packet along as is. Instead, NAT maintains a database of outbound communications. The database is updated to reflect the internal IP address of the PC sending the packet and other information, such as the destination address. NAT then adds a random port number to the database entry. For example, NAT might assign port 83 to the PC.

At this point, NAT sends the packet to the destination. But instead of using the address, the packet now has the address (the address of the server). Since port 80 is typically used for HTTP-based communications, the packet is sent to port 80 on the Web server. The packet's source port, however, is set to the random port number that NAT has assigned to the PC, which tells the remote Web server where to send its reply. In the case of my example, this would be port 83.

When NAT receives an inbound communication, it looks at the type of information that's been received and what port number the communication arrived through. In this case, if NAT received HTTP-based communications at port 83, it would look in its database and realize that port 83 was associated with PC number It would then forward the packet to this PC.
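The translation database described above, sketched as a toy Python model (an added example, not code from the article or from Windows). The addresses are constructed documentation-range values, and the port pool starting at 62000 and the check that a reply comes from the contacted host are assumptions; the idle timeouts are the Translation tab defaults given under Configuring NAT.

```python
# Idle timeouts in seconds, from the Translation tab defaults the article cites.
TIMEOUT = {"tcp": 1440 * 60, "udp": 1 * 60}

class NatTable:
    """Toy port-translating NAT: one public IP shared by many private hosts."""
    def __init__(self, public_ip, first_port=62000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumed pool start; real NATs choose their own
        self.by_flow = {}  # (proto, priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.by_port = {}  # (proto, public port) -> {"flow": ..., "seen": ...}

    def _expire(self, now):
        for key, m in list(self.by_port.items()):
            if now - m["seen"] > TIMEOUT[key[0]]:
                del self.by_port[key]
                del self.by_flow[m["flow"]]

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite an outgoing packet's source; returns the header as sent."""
        self._expire(now)
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[(proto, port)] = {"flow": flow, "seen": now}
        self.by_port[(proto, port)]["seen"] = now
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port, now):
        """Return the private (ip, port) to forward to, or None to drop."""
        self._expire(now)
        m = self.by_port.get((proto, dst_port))
        if m is None:
            return None  # unsolicited or expired: no database entry
        _, priv_ip, priv_port, want_ip, want_port = m["flow"]
        if (src_ip, src_port) != (want_ip, want_port):
            return None  # not the host the PC contacted (assumed stricter check)
        m["seen"] = now
        return (priv_ip, priv_port)

def demo():
    # Constructed addresses: 203.0.113.10 public, 192.168.0.25 PC, 198.51.100.7 Web server.
    nat = NatTable("203.0.113.10")
    sent = nat.outbound("tcp", "192.168.0.25", 1034, "198.51.100.7", 80, now=0)
    reply = nat.inbound("tcp", "198.51.100.7", 80, sent[1], now=5)
    probe = nat.inbound("tcp", "198.51.100.99", 80, sent[1], now=6)
    return sent, reply, probe
```

The dropped probe is a side effect of having no matching database entry, not a filtering policy, which is why the article still calls for a packet filter alongside NAT.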

The big exception to this method is in situations where the PC that's connected to the Internet contains multiple registered IP addresses. In such a case, no port translations are necessary.

The dark side of NAT

As great as NAT sounds, there's an issue you need to be aware of. NAT isn't designed as a total replacement for ISA Server. As you may know, ISA Server contains some functionality that simply doesn't exist in a NAT environment.

One of these features is a proxy cache. ISA Server maintains an active cache of all recently accessed Web pages. This allows ISA Server to save bandwidth and increase client response speed by accessing pages from the cache instead of off the Internet when possible.

The biggest thing that's missing from NAT, though, is a full-featured packet filter and firewall. ISA Server lets you block any ports that aren't essential to your organization. This capability is important because hackers can use these obscure ports to gain access to your network. Likewise, ISA Server also protects you against hackers by allowing you to block any protocols that aren't frequently used. NAT lacks this capability. Basically, this means that NAT provides a useful service, but don't expect it to take the place of a full-featured firewall.

If you do use an external firewall, remember that while you're safe when blocking unused protocols, blocking unused ports may cause NAT to malfunction since it depends on these ports for inbound HTTP communications.

Installing NAT

The process of installing NAT is relatively simple. Open the Routing And Remote Access console by clicking the Start button and selecting Administrative Tools | Routing And Remote Access. When the console opens, navigate through the tree on the left side of the screen to Routing And Remote Access | your server | IP Routing | General.

Now, right-click the General object and select the New Routing Protocol command from the resulting context menu. When you do, the New Routing Protocol dialog box will open. This dialog box contains a list of various routing protocols. Select Network Address Translation (NAT) from the list and click OK. Network Address Translation now shows up as an object in the tree beneath IP Routing.

Configuring NAT

You can configure a number of parameters for NAT. Right-click Network Address Translation in the list and select the Properties command from the resulting context menu. You'll then see the Network Address Translation (NAT) Properties sheet.

The default tab on this properties sheet is the General tab. This tab allows you to select the level of logging that takes place due to NAT's actions. The default option is to log errors only, but you can elect to log errors and warnings, log the maximum amount of information, or disable event logging for NAT altogether.

The next tab, Translation, lets you set the timeout period for TCP and UDP mappings. By default, the timeout is 1440 minutes for TCP mappings and one minute for UDP mappings. Generally, these settings will work fine for most networks. If, however, you have an application that requires longer mapping times, or if your network is extremely slow, you may need to bump these values up, especially when it comes to the UDP mappings.

The next tab you'll encounter, Address Assignment, is optional. It allows you to implement DHCP through NAT, even if you aren't running a separate DHCP service. If you enable this service, then NAT -- not the normal DHCP server -- assigns IP addresses to clients on the local network. The configuration options on this tab are pretty self-explanatory.

The final tab is Name Resolution. This tab provides an easy way to enable DNS services for name resolutions. All you have to do to enable this feature is select a check box. If you don't have your own DNS server, you can even use this tab to make NAT connect to the Internet when it needs to resolve an address.

Configuring the NAT interfaces

So far, I've shown you how to install and configure NAT; however, you still have to configure the NAT interface -- the mechanism by which NAT knows which networks to bridge. There are a lot of ways to set up NAT interfaces. Since this article is all about linking a private network to the Internet, I'll walk you through the configuration process as though this is what you were trying to accomplish.

Begin by opening the Routing And Remote Access console and navigating through the console tree to Routing And Remote Access | your server | IP Routing | Network Address Translation. Next, right-click Network Address Translation and select the New Interface command from the resulting context menu. At this point, you'll see a dialog box that lists all of the existing connections on the server. Select the connection you want to work with and click OK.

Now you'll see a dialog box that asks if the connection is a private interface that's connected to a private network, or if it's a public interface connected to the Internet. If you're configuring a private interface, simply make the appropriate selection and click OK. If you're working with a public interface, though, there's a bit more configuration to do.

If you're configuring a public interface, the next step is to select the Address Pool tab. This tab lets you input the IP addresses that your ISP has assigned to you. NAT will translate the addresses used by your private network into the legitimate addresses that you insert into this area.

Finally, switch to the Special Ports tab. This tab gives you the chance to tell NAT about any special port-related needs that your network might have so that NAT doesn't try to remap the port.

Who needs ISA Server?

You can use Windows Server 2003's built-in NAT to achieve some of Proxy Server's and ISA Server's functionality. If you decide to implement NAT, remember that NAT doesn't offer the IP packet-filtering capabilities offered by ISA Server. It's important to use a firewall or Windows 2003's packet-filtering capabilities in conjunction with NAT.