NAT (Network Address Translation)

There are two basic ways to connect a network to the Internet: a routed connection, which uses a router and requires public IP addresses for each connected computer; or a translated connection, which uses a single computer to access the Internet with a public address and translates the data to allow use of private IP addresses elsewhere in the network. Network Address Translation (NAT) translates private IP addresses to public addresses, allowing a single computer to provide Internet access for a private network and eliminating the need for public addresses for all machines on the network. NAT actually provides three separate services to clients on a Windows 2000 network:

Translation

Translates between public and private IP addresses.

IP address assignment

Includes a simple DHCP server and can assign IP addresses to clients. NAT uses the pools of private IP addresses listed earlier in this chapter.

DNS name resolution

Acts as a DNS server. Rather than maintaining a name and address database, the NAT server forwards DNS requests to an Internet DNS server and returns the results to its clients.

Installing NAT

NAT is configured as a routing protocol and must be used on a Windows 2000 computer running Routing and Remote Access Services. To install NAT, follow these steps:

  1. In the Routing and Remote Access console, open the Routing and Remote Access key in the left pane. Open the entry for the server, then select IP Routing.

  2. Highlight the General entry. Right-click and select New Routing Protocol.

  3. Select Network Address Translation from the list and click OK.

Configuring NAT

After NAT is installed, the network must be configured in a specific way before NAT can be used. The requirements include the following:

  • The IP address of the NAT server should be set to the first address in the chosen range of private IP addresses; for example, 192.168.0.1.

  • A dial-up (or persistent, such as DSL) connection to an Internet Service Provider (ISP) must be configured.

  • The NAT protocol must be installed, as described earlier, and configured to use the LAN interface and the dial-up (or other) interface to the Internet.

To enable NAT addressing, select NAT in the left pane of the Routing and Remote Access console and select Properties. Choose the Address tab, then enable the Automatically Assign IP Addresses by Using DHCP option. You can also specify the private address range to use from this dialog.

Using special ports

NAT normally allows only outbound access to the Internet. To allow inbound access, you can configure a special port. This is useful if you are running a public server, such as a web server, on a machine in the private network. To configure a special port, follow these steps:

  1. Assign the server machine a static private IP address and exclude the address from NAT’s address range.

  2. In the Routing and Remote Access console, select Network Address Translation in the left pane. Right-click the interface that provides Internet connectivity and select Properties.

  3. Select the Special Ports tab. Choose whether to use a TCP or UDP port, then click Add.

  4. Specify the incoming port number (for example, 80 for most web servers). If you have multiple public IP addresses, you must also select the address to use.

  5. Specify the outgoing port number and private IP address for the server machine.
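The behavior described above, as an added example that is not from the original text and not the Windows 2000 implementation: a toy translation table in which inbound packets are dropped unless an outbound connection or a special port created a mapping. The NatTable class, its method names, and the addresses 203.0.113.10, 192.168.0.10 and 192.168.0.20 are constructed for illustration; a real NAT also tracks the remote endpoint and expires idle mappings.

```python
# Added example: toy model of a NAT translation table (hypothetical names).
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)
Key = Tuple[str, int]        # (protocol, public port)

class NatTable:
    def __init__(self, public_ip: str, first_port: int = 50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.special: Dict[Key, Endpoint] = {}   # static inbound mappings
        self.dynamic: Dict[Key, Endpoint] = {}   # created by outbound traffic
        self.by_private: Dict[Tuple[str, Endpoint], int] = {}

    def add_special_port(self, proto: str, incoming_port: int,
                         private_ip: str, outgoing_port: int) -> None:
        key = (proto, incoming_port)
        if key in self.special or key in self.dynamic:
            raise ValueError(f"{proto}/{incoming_port} is already mapped")
        self.special[key] = (private_ip, outgoing_port)

    def outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """Translate a private source endpoint, creating a mapping if needed."""
        if (proto, src) not in self.by_private:
            # Skip public ports already taken by a special port or a mapping.
            while ((proto, self.next_port) in self.special
                   or (proto, self.next_port) in self.dynamic):
                self.next_port += 1
            self.dynamic[(proto, self.next_port)] = src
            self.by_private[(proto, src)] = self.next_port
        return (self.public_ip, self.by_private[(proto, src)])

    def inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """Private destination for a packet from the Internet, or None (dropped)."""
        key = (proto, dst_port)
        return self.special.get(key) or self.dynamic.get(key)

def demo() -> dict:
    nat = NatTable("203.0.113.10")            # constructed public address
    before = nat.inbound("tcp", 80)           # no mapping yet: dropped
    nat.add_special_port("tcp", 80, "192.168.0.10", 80)
    return {
        "before": before,
        "web": nat.inbound("tcp", 80),        # forwarded to the web server
        "client": nat.outbound("tcp", ("192.168.0.20", 1025)),
        "reply": nat.inbound("tcp", 50000),   # reply to the client's session
    }
```

Each special port is a standing inbound path to a private host, so the list of special ports is the list of services exposed to the Internet and should be kept as short as the servers require.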

Internet Connection Sharing (ICS)

Internet Connection Sharing (ICS) is a simplified version of NAT that can be used for basic address translation. ICS differs from NAT in the following ways:

  • ICS uses a single checkbox rather than complex configuration information.

  • ICS uses a fixed range of private IP addresses.

  • ICS allows only one public IP address.

  • ICS can only be used on one internal LAN interface.

To install ICS, follow these steps:

  1. In the Routing and Remote Access console, open the Routing and Remote Access key in the left pane. Open the entry for the server, then select IP Routing.

  2. Highlight the General entry. Right-click and select New Routing Protocol.

  3. Select Connection Sharing from the list and click OK.

  4. In the Network and Dial-up Connections window, right-click the Internet interface to share and select Properties.

  5. Select the Sharing tab and activate the Enable Internet Connection Sharing for this Connection option. You can also choose whether ICS will dial the connection automatically when it is accessed by a client.
