Installing, Configuring, and
Troubleshooting Windows 2000 NAT
Why Share an Internet Connection?
What’s the Difference between ICS and NAT?
Features of ICS
NAT Features
What’s the Difference between an Address Translation Service and a Proxy
Server Service?
Application Layer vs. Network Layer
Administrative Overhead
Using VPNs in a SOHO Environment
How Address Translation Works
Translation
Addressing Assignment
Host Name Resolution
NetBIOS Name Resolution
Dynamic vs. Static Mapping
Dynamic Mappings
Static Mappings
Mappings for Outbound Internet Traffic
Mappings for Inbound Internet Traffic
Private vs. Public IP Addresses
Private Address Ranges
Creating and Sharing a Dial-Up Connection
Application-Specific Mappings
Service-Specific Mappings
Configuring Connection Sharing on the Clients
Limitations of ICS
Enabling RRAS with NAT on the Server
Ensuring RRAS is Configured for Routing
Installing the NAT Protocol
Configuring Global NAT Properties
Configuring NAT Interface Properties
Adding the Interfaces to NAT
Configuring IP Address Ranges
Configuring Interface Special Ports
Monitoring NAT
Common Troubleshooting Issues
Address Assignment
Network Translation
Internet Name Resolution
Other Configuration Issues
Miscellaneous
Certification Objectives

29.01  Overview of ICS and NAT
29.02  Internet Connection Sharing
29.03  Network Address Translation
29.04  Troubleshooting ICS and NAT

Many of the new features in Windows 2000
are aimed at the large enterprise environment, so it comes as rather a
surprise to see new features specifically aimed at the smallest of
networks. However, Windows 2000 is very Internet oriented, and this does
relate directly with network address translation (NAT), which is the topic
of this chapter.
NAT is a very useful new feature in
Windows 2000 from which many people can immediately benefit, and as such
it has received a lot of media attention and is being heralded as one of
the Windows 2000 benefits. Also, since address translation was not
available in Windows NT 4.0 (only in Windows 98 Second Edition), you can
be sure it will be covered in the Microsoft exams. Unless you had Windows
98 Second Edition, the previous choices for connecting a Microsoft network
to the Internet were to use a directly routed connection, Proxy Server, or
a third-party product—so you can see how NAT fills a critical gap in
Microsoft networking services. Networking services are the core of Windows
2000, and as such, NAT claims an important role.

This chapter describes in detail exactly
what Network Address Translation is, how it works, how to configure it
in Windows 2000, when to use it, and its limitations. It contains
information you need to know for live implementations as well as for
answering questions on address translation in the exam “Implementing and
Administering a Microsoft Windows 2000 Network Infrastructure (70-216).”

CERTIFICATION OBJECTIVE 29.01

Overview of ICS and NAT

Windows 2000 Internet Connection Sharing
(ICS) and the Network Address Translation (NAT) protocol both offer a
relatively simple and inexpensive way for small networks to benefit from
an Internet network connection. As such, you will see the abbreviations
ICS and NAT in close proximity to another acronym: SOHO, which stands for Small Office/Home Office and is
the environment perceived as the most likely to benefit from this simple
method of connecting to the Internet.

A user on a SOHO network frequently
needs to use more than one computer, and also needs to be able to share
resources from one computer to another, such as files, applications, and
printers.

However, despite these typical
characteristics that define SOHO, bear in mind this is only a theoretical
definition. In reality the clear textbook definitions can blur into less
distinct categories. For example, SOHO may include workstations with
multiple protocols, servers for DHCP, WINS, and DNS. And it may have more
than one segment. Additionally, although ICS and NAT are envisaged as
being suited to SOHO, it may also have a place in the corporate network.
So be prepared to be flexible in your perceptions of how and when these
services could be deployed. They could even be mixed; for example, a small
branch office could be defined as a SOHO network that connects via the
Internet to your corporate network. Using VPNs in a SOHO environment will
be covered in a later section.

When you connect a workstation on a
private network to the Internet, your connection will be either routed or translated. The theory of
connecting together two private networks still holds for when you want to
connect your private network to the public Internet. However, in this
scenario, you have the administrative overhead of more carefully managing
and configuring network traffic and security, because you don’t want to
expose your internal networks and resources to unlawful access or unwanted
traffic.

A translated connection transparently
transfers packets between one network (such as your internal company
network) and another (such as an external network like the Internet). One
computer connected to both networks converts packets from your internal
network (with private addresses) to packets to the Internet (with public
addresses), and vice versa. The benefit of this is that internal addresses
are completely hidden from the Internet, because all traffic appears to
come from the one computer. This is the opposite of a routed connection,
where the source and destination IP addresses remain the same irrespective
of how many hops (routers) the packets have to traverse before reaching
their final destination. With a translated connection, the source and
destination addresses of the computers on the internal network are
converted into the address of the one computer running the translation
service—which is how the IP addresses of computers remain “hidden.”

Why Share an Internet Connection?

As outlined earlier, security is one of
the automatic advantages of having a translated connection—and both ICS
and NAT use translation rather than routing. A translated connection is
easier to secure than a routed connection, because hosts on the Internet
will not know the true identity of your workstations (which, for example,
will significantly reduce the risk of Denial of Service attacks).

Simplicity is another reason to share
an Internet connection—it is easier to set up, configure, and share one
single Internet connection than correctly set up and configure multiple
connections for each computer on your network that needs Internet access.
You can allow multiple computers on your network to have Internet access
without adding additional client software or reconfiguring them.

Cost is another factor when considering
whether to share an Internet connection. It is obviously cheaper to have
just one Internet connection with its single associated hardware and ISP
costs and share it among multiple computers than to have an Internet
connection on each computer. Also, the administrative overheads of
managing and configuring just one connection rather than multiple
connections will be lower.

However, some limitations of a
translated connection determine whether ICS and/or the NAT protocol are
suitable. These limitations will be discussed later.

Benefits of ICS and NAT include low cost and low administrative overhead.

Internet Connection Sharing and NAT both
work by offering to workstations on small networks:

- Address translation
- Address assignment
- Name resolution

So what’s the difference between ICS
and NAT?

Although similar in purpose, the NAT
protocol offers more functions and greater flexibility than ICS—ICS is a
cut-down, simplified version of NAT. This doesn’t necessarily denigrate
the status of ICS, because in the simplest environments, ICS may be a
better choice over NAT. As a network administrator, it is your
responsibility to know the differences between them, and what each offers
before making an informed choice as to which is better to implement.

Features of ICS

First, protocols are distinguished by
how and where you configure them. ICS is a feature of the Network and
Dial-Up Connections, while NAT is presented as a routing protocol to be
added and configured through the Routing and Remote Access snap-in.

ICS in Windows 2000 offers the
simplest Internet connection service, and can be configured on either a
computer running Windows 2000 Professional or on a Windows 2000 Server.
The ICS computer must have two network connections—one to your internal
network with a private address, and the other to the Internet, which will
use a publicly assigned IP address. Typically, the connection to the
Internet would be a dial-up modem or ISDN adapter, but you could also use
a dedicated connection such as cable modem, DSL, or even a fractional T1
line. Your ISP could statically assign your public IP address to you, or
it could be dynamically assigned when you connect.

To configure ICS on Windows 2000
Professional/Server, you use the Make New Connection Wizard to create your
Internet connection, selecting the “Dial-up to private network” option and
specifying the adapter to use with a number to connect to the Internet
(e.g., as supplied by your ISP). ICS is then enabled when you select the
option “Enable Internet Connection Sharing for this connection” in the
Internet Connection Sharing dialog box. If you have already configured
your Internet connection, this option is under the connection’s Properties
| Sharing tab.

This option will configure automatic
IP address assignment for the workstations on the private network so that
all workstations on the private network use the same (private) network
address, and it automatically assigns the IP address of 192.168.0.1 to the
internally connected adapter.

ICS is suitable for a single-segment
private network with up to 254 workstations, where all workstations are
configured to automatically receive an IP address. It allows you to share
one public IP address among these workstations, providing there are no
other servers on the same segment offering DNS or DHCP services. In such a
configuration it automatically resolves Internet DNS names, but it doesn’t
offer WINS resolution for your internal workstations. The only
configuration is for defining static mappings (discussed later). There may
be some applications and services that will not translate correctly (this
will be discussed later), which may limit what applications you can use
through an ICS connection.

To configure Internet connection sharing, you must be a member of the
Administrators group.

NAT Features

NAT can only be run on a Windows 2000
Server through the Routing and Remote Access snap-in, as a routing
protocol. You’ll need to add at least two interfaces to the new NAT
component (minimum of one connected to the Internet and one connected to
your private network), but you can use multiple adapters, which allows you
to use multiple subnets on your private network. The Internet-connected
interface would typically be a dedicated connection such as a fractional
T1 line, DSL, or cable modem, but you can also use it with a demand-dial
adapter/modem.

NAT configuration options include
settings for dynamic mappings, static mappings, address assignment, and
name resolution (all discussed later). These options include allowing your
internal clients to automatically receive IP addresses from this server or
from a standard DHCP server (or use static addresses), and whether you
want the NAT server to resolve DNS names for connecting clients. As with
ICS, there may be some applications and services that will not translate
correctly (this will be discussed later), which may limit what
applications you can use through a NAT connection.

Multiple Public Addresses on the NAT Server

An important difference with NAT is
that you can use more than one public IP address on the server, which
provides scalability since your internal workstations can be mapped to a
pool of public Internet addresses to take advantage of better throughput
and availability. Or you can more finely control access by assigning
certain services or machines to specific Internet IP addresses—this being
one way of offering secure reverse proxying where a machine on your
internal network is dedicated to offering, for example, an Internet Web
server without revealing its real (private) address. Similarly, you can
use special port mappings where, for example, the default http port 80 is
advertised for your company Web server but the Web server on your private
network is actually hosting this service on port 1234.

You
cannot use more than one Internet IP address with ICS—only NAT allows you
to do this with either multiple Internet adapters and/or Internet address
pools.

You should now be able to answer which
of the two solutions would be more suitable in given circumstances.

Scenario & Solution

Which Should You Use If...                          ICS or NAT

If you want the easiest solution to set up and configure.
    ICS is the easiest solution to set up and configure; it’s simply a
    check box as one of your Dial-up connection properties. NAT is more
    complicated to set up and configure because it offers a more flexible
    service.

If you want to use Windows 2000 Professional rather than Windows 2000
Server?
    ICS can be set up on either Windows 2000 Professional or Windows 2000
    Server, but NAT can only be set up on a Windows 2000 Server with
    Routing and Remote Access enabled.

If you want to take advantage of a pool of public Internet addresses for
better availability, or reserve an Internet address just for an Internet
Web server on your private network?
    Only NAT allows you to have more than one Internet address on your
    single connection.

If you want to host Internet services on your internal workstations with
a fractional T1 line.
    Both ICS and NAT allow you to do this.

You want your workstations to get IP addresses and other DHCP options
from a standard DHCP server, rather than from the computer hosting the
Internet connection.
    Only NAT allows you to do this.

You want a choice over how DNS names are resolved.
    Only NAT gives you this choice.

You want to configure settings for static mappings.
    Both ICS and NAT allow you to do this.

You want to configure settings for dynamic mappings.
    Only NAT gives you this choice.

Microsoft offers both a NAT and a Proxy
Server solution for connecting private networks to the Internet, as do
third-party vendors. Conceptually, both solutions offer very similar
functionality, because both allow one machine to transparently connect to
the Internet and convert private addresses into a single public address.
Both have two interfaces to do this, one connected to the private network
and the other to the Internet. Both “hide” the private addresses from the
Internet.
The “easy” and theoretical answer to
this is that Microsoft’s Proxy Server is aimed at large and complex
corporate networks, NAT at the medium-small sized networks, and ICS at the
smallest and simplest of networks. However, it’s more useful to know why
these generalizations apply by looking into what services they offer and
their limitations.

Application Layer vs. Network Layer

For a start, a proxy server works at
the Session or Application layer, and NAT at the Network layer. While this
may seem to be a theoretical difference only, in practice this means that
additional software and/or reconfiguration is needed on the client
workstations in order to use the proxy server’s services. For example, in a
Microsoft Proxy Server environment, a workstation running Windows 2000
Professional on a private network that wants to connect a telnet session
to an Internet host must have the Winsock Proxy Client software installed.

Additionally, because the conversion
is processed higher up the stack, additional processing is needed at the
workstation and/or the server. Microsoft’s Proxy Server actually offers
three services: Web Proxy, Winsock Proxy, and Socks Proxy. Together, these
three services offer just about any and every Internet application and
service a workstation could need (including IPX clients and non-Microsoft
workstations such as UNIX and Macintoshes).
For Web access and FTP, Internet
Explorer 5 can be automatically configured to use proxy servers. However,
for other connections such as Telnet, NNTP, POP3, NFS, and IRC, and for
IPX clients, you will have to install and configure the Winsock Proxy
Client software. Paradoxically, for larger organizations the additional
overhead of configuring the client workstations could be less important
than it might be for smaller networks, because larger organizations are
usually more adept at deploying workstation configuration (e.g., use of
SMS and/or specialist deployment teams).

Administrative Overhead

For the additional overhead in
configuring a more complex service, as well as additional computer
resources required, a proxy server may be a more expensive solution for a
SOHO environment. In a larger network, Microsoft’s Proxy Server offers
better security and greater flexibility than ICS or NAT. For example, you
can define which services can be used by users and groups, ban access to
specified domains and IP addresses, and set up alerts on packet filtering.
IP address assignment is not a component of Microsoft’s Proxy Server,
which allows greater flexibility for configuring workstations on different
subnets—which is obviously more suited to enterprise environments.
Also, Microsoft’s Proxy Server
supports Windows clients that don’t use TCP/IP (workstations running IPX
can use the proxy server to access Internet Web servers). Proxy servers
can also centrally cache Web pages to make better use of Internet
bandwidth, and when you have multiple proxy servers, they can be grouped
together in an array to offer better throughput and availability.

In short, although NAT and proxy
servers appear to do the same job, they differ in how they technically
achieve this, the flexibility they offer, and the ease of configuration.
If ICS or NAT cannot meet your requirements, it is possible that the
better choice is to use a proxy server irrespective of the size of your
network.

Using VPNs in a SOHO Environment

There are benefits to using a VPN
connection to securely connect over the Internet to your corporate
network. Normally, VPN users would have to dial up to their ISP first and
then initiate the VPN connection. Using ICS or NAT in Windows 2000 means
each SOHO workstation could create its own VPN connection, but use the
shared Internet connection for the underlying connection. This would allow
each user to securely connect to a corporate network without the need for
additional modems/adapters or individual ISP accounts for his or her own
IP address.

As with any VPN connection, each user
must have a valid user account to authenticate him or her on the VPN
server, which could be a local account on the VPN server, an account in
the Active Directory, or a RADIUS account.

The only limitation of tunneling with
NAT is that the tunneling protocol used would have to be PPTP rather than
L2TP/IPSec (because IPSec is one of the protocols that NAT cannot
translate). If you are running Windows 2000 Professional, the default
setting for a VPN connection is to try L2TP/IPSec first and then PPTP. To
decrease your initial VPN connection time, change the Properties of your
VPN connection so the Server Type is set to PPTP.

How Address Translation Works

Network address translation works by
translating a private address to a public address, and vice versa. For
example, if a workstation on your private network had the IP address of
10.0.0.2 and it wanted to connect to a Web site on the Internet with an
address of 207.46.131.137 (one of Microsoft’s addresses), it would send
its packet to the Internet via the computer offering the Internet
connection. This computer would have one connection to the private network
(e.g., address 10.0.0.1) and one connection to the Internet (e.g., dial-up
modem with assigned IP address of 162.1.2.3). The translation would keep
the destination address of 207.46.131.137, but would change the source
address to 162.1.2.3. When the reply came back from the Web site (for
example, the data for its homepage), it would send this packet to
162.1.2.3, but the translation service would know that this maps to the
original IP address of 10.0.0.2 and send it to that computer with its
10.0.0.1 interface.

These are the basics of how the
translation service works, but for full Internet services to function, it
works in conjunction with other components such as address assignment and
name resolution. Therefore, the three elements of a network address
translation service are:

- Translation
- Addressing assignment
- Name resolution

Translation

We have already discussed how one
address is translated into another. The NAT component translates packets
that contain IP addresses, TCP port and UDP port information in the IP,
TCP, and UDP headers. If an application carries any of these values in its
application-layer header instead of in the IP header, NAT is unable to
directly translate those packets. In other words, for NAT to directly
translate packets between a private network and a public network, the
following must be true:

- Packets have an IP address in the IP header.

And one of the following:

- Packets have TCP port numbers in the TCP header.

or

- Packets have UDP port numbers in the UDP header.

Some protocols do not fulfill these
requirements. For example, PPTP packets cannot be directly translated,
because PPTP doesn’t use a TCP or UDP header—PPTP uses a Generic Routing
Encapsulation (GRE) header and, in fact, the tunnel ID in the GRE header
identifies the data. Similarly, FTP stores the IP addresses in the FTP
header in the PORT command rather than in the IP header.

NAT Editors

However, these protocols and some
others that do not directly translate will work through Windows 2000 ICS
and NAT because of the addition of
NAT editors. Both ICS and the NAT routing protocol include built-in
NAT editors for FTP, ICMP (e.g., ping packets), and PPTP (for VPN
support), so these can be used with address translation. Examples of
protocols that do not directly translate and for which there are (as yet)
no NAT editors include IPSec and Kerberos. This means you cannot use IPSec
or Kerberos authentication through ICS/NAT, which is one of the major
limitations of these services.

Additionally, Windows 2000 NAT
includes proxy software for the following protocols:

- H.323 (for voice and video)
- DirectPlay (for multiplayer gaming)
- LDAP-based ILS registration
- RPC

This means that for those protocols,
the computer running ICS or the NAT routing protocol will send out these
protocols directly to the Internet from its public address on behalf of
the client workstation, rather than translating them.

When you
install NAT, you will see errors in the Event Log (IDs 33001 and 34001)
that relate to DirectPlay Proxy. This is a known event error and will
appear even if you select to disable NAT event logging. DirectPlay will
only support one client at a time on your private network when using
ICS/NAT.

Addressing Assignment

The addressing component refers to how
client workstations obtain an IP address and other related configurations,
including the subnet mask, default gateway, and IP address of a DNS/WINS
server. This configuration is important because it defines how these
clients communicate with each other, the computer offering the shared
Internet services, and ultimately with Internet resources.

When the computer offering the shared
Internet service assigns IP addresses, it acts as a simplified DHCP
server. This works well in a small network, since computers running
Windows 2000, Windows NT, and Windows 9x configured with TCP/IP have a
default configuration to be a DHCP client.

The DHCP Allocator

For ICS, you have no choice over this
component. When you enable ICS, you automatically invoke what is referred
to as the DHCP allocator. A DHCP allocator
is a simplified DHCP service without the database or configurable options.
Invoking the DHCP allocator means that the computer will automatically
assign IP addresses to other workstations on the same subnet using a
private address range, and it will assign the default gateway and the DNS
server to be the same IP address as the computer running ICS. Note there
is no WINS server allocation.

When using the NAT routing protocol,
you have a choice of whether to use the built-in DHCP allocator. If you
don’t use the DHCP allocator, you can instead use a standard DHCP server
that has been installed on your network, or use static addresses. If you
are using the DHCP allocator, you can define what address range you want
to use, and exclude addresses that are already in use on your private
network. It would be a wise precaution to add the server’s own static IP
address to the excluded addresses, both on this server if it is running
the DHCP allocator and on any other DHCP servers.

If you choose to use the DHCP
allocator on the NAT server, it will assign clients an IP address in the
range specified (you can choose the range) and exclude addresses you have
defined. It will also assign the default gateway, and the DNS server to be
the same IP address as the internal interface on the NAT server.
Additionally, if the NAT server is configured with a WINS server on the
internal interface, requests for NetBIOS name resolution from clients will
be sent to that WINS server.

If you already have a DHCP server on
your network, you should use that rather than using the NAT DHCP allocator—you
can’t run the two together on the same subnet. In fact, using a standard
DHCP server allows greater flexibility because you can more precisely
define and configure IP address assignment to include DHCP Class options
and the choice of which DNS/WINS server to use.

The DHCP
allocator component in ICS and NAT acts as a simplified DHCP server. It is
not the same as running a full DHCP Server, and you cannot disable the
DHCP allocator in ICS.

When you are using the DHCP allocator,
it will use the predefined settings listed in Table 29-1.

DHCP Option Number   Description                              Option Value
1                    Subnet mask                              255.255.255.0
3                    Default gateway                          IP address of private interface
6                    DNS server (providing name resolution    IP address of private interface
                     is set in NAT)
58                   Renewal time                             5 minutes
59                   Rebinding time                           5 days
51                   IP address lease time                    7 days
15                   DNS domain                               Primary domain name of computer

Table 29-1: DHCP Allocator’s Predefined DHCP Options that Cannot Be Changed

Host Name Resolution

When using the DHCP allocator, both
ICS and NAT assign to clients the DNS server as being the IP address of
the internal interface on the computer offering the Internet connection.
This allows both local and remote DNS names to be resolved. For Internet
name resolution, this means that
DNS proxying will be used to resolve Internet names to IP addresses.

For example, workstation A on your
private network wants to connect to a Web server
www.microsoft.com. Before a connection can be made, it needs to
resolve the name to an IP address—so it uses its DNS server to find the
answer. The DNS server in this case is the IP address of the computer
offering the Internet connection, so when the DNS request for
www.microsoft.com comes in, it queries its own DNS server
specified on the Internet interface (e.g., your ISP’s DNS server), and
when the response comes back, it passes this back to workstation A.

You can disable DNS resolution for
clients on the NAT server, but you can’t disable this for ICS.

Another solution would be to use your
own local DNS server, which would resolve local names and then forward
unresolved names to the Internet. This is only possible with NAT rather
than ICS, because you can specify not to use IP name resolution and also
disable the DHCP allocator. Instead, workstations could use a local DHCP
server that assigns to clients a local DNS server rather than the IP
address of the NAT server.

NetBIOS Name Resolution

Resolving NetBIOS names works slightly
differently. There is no WINS server assignment with ICS, which means that
if clients wanted to connect to shares on each other in the form of
\\computer_name\share, this would be resolved by broadcast. On
a single segment and small network this NetBIOS name resolution should not
be a problem, but you may prefer to use an LMHOSTS file to keep such
broadcasts to a minimum.

NAT as WINS Proxy

With NAT configured to use the DHCP
allocator, the NAT server acts as a WINS proxy in much the same way as the
DNS proxying works, except that requests would go to the server’s local
WINS server rather than out to the Internet. When a NetBIOS name needs to
be resolved to an IP address, the NAT server will query the WINS server on
behalf of the private workstations and return the IP address to the
workstation that requested the name resolution. However, it doesn’t
register the clients in the WINS database or check for duplicate names.

In practice, this means that if
workstation A wanted to connect to workstation B in the form of a share
name, and both received their IP address assignment from the NAT server,
the name could be resolved. However, if you had another workstation that
didn’t receive its IP address assignment from the NAT server so it was
configured to use the WINS server directly, the name resolution by WINS
would fail, and the resolution would only succeed if a broadcast was
successful (not possible if on a different subnet) or if an LMHOSTS file
was in place.

You can see how in all but the
simplest of network configurations, using a full DHCP server rather than
the built-in DHCP allocator on the NAT server allows you to assign
specific DNS and WINS servers to your workstations, which in turn offers
greater flexibility in name resolution.

Now that you understand how name
resolution works with ICS and NAT, you should be able to select which is
an appropriate solution depending on your name resolution requirements.

Scenario & Solution

Should you use ICS or NAT...                        Answer

If you have just a few workstations on your single segment network with
no other servers?
    Both ICS and NAT would work in this situation, but ICS would be the
    simplest to configure.

If you already have a DHCP server on your network?
    NAT, because you can disable the DHCP allocator, and with the full
    DHCP server assign specific DNS/WINS servers—you can’t do this with
    ICS.

If you want to resolve DNS names?
    Both ICS and NAT allow you to do this, but only NAT allows you to
    disable this option.

If you want to resolve local NetBIOS names?
    Both ICS and NAT allow you to resolve local NetBIOS names, but NAT
    allows greater flexibility. ICS does not assign a WINS server to
    clients, so names have to be resolved by broadcast or preconfigured
    LMHOSTS files. In NAT, the DHCP allocator invokes WINS proxying.
    However, you may prefer to disable the DHCP allocator, and through a
    standard DHCP server assign a local WINS server to clients so they
    can directly register with the WINS server.

Dynamic vs. Static Mapping


So far, in our discussion of how address translation works, we have mainly concentrated on outbound connections from a private network to the Internet. We have seen how a mapping occurs where a private address is dynamically translated into a public address. It’s dynamic because the ICS computer or NAT server handles the translation automatically, keeping track of which addresses/ports are mapped in a mapping table that it periodically refreshes. If these mappings are not refreshed by users reusing the connection, the mappings are removed from the table after a set time. For TCP connections, this time period is 24 hours; for UDP connections, this time period is 1 minute. You can change these default timeouts in NAT, but you cannot change them in ICS.

For dynamic mappings, the default setting is to translate not just the address, but also the source port. So, for example, your client workstation initiates a TCP/IP connection with a source port of 1024, but after translation this goes out as port 5001. This is necessary when you have more private addresses than public addresses, in order to ensure the same source port is not used again.

For example, client workstation A initiates a TCP/IP connection with source port 1024 and so does workstation B—the translation of the source port in addition to the address would be necessary; otherwise, the ICS/NAT computer would attempt to use duplicate source ports, which is not allowed. Source ports must be unique to the computer sending out the connection request. There is no problem sending out the same destination port from the same computer, and by default, the destination port number is not translated.

If you wanted to define in advance how the addresses and/or ports should be mapped rather than letting the ICS/NAT computer make this decision, you would have to define a static mapping. The most common reason for defining a static mapping is if you wanted to host an Internet resource on one of your client workstations, because the ICS/NAT computer would need to know where to direct the incoming connection.

At the simplest level, you could define a static mapping so that the public IP address Internet users call, 162.1.2.3 with TCP port 80, maps to your internal IP address of 192.168.0.2, port 80. However, you may also want to change the internal port number for added security, or because the Web server may be hosting different sites based on different port numbers.

If you have multiple Internet addresses, it would be wise to reserve one for an incoming connection service such as your company Web server or FTP server, and use the others for dynamic outbound sessions. You can do this with NAT because it allows you to use more than one Internet address, but with ICS you can only use one Internet address. However, ICS does allow you to define static mappings for both incoming and outbound connections.

In ICS, static mappings are configured with the Application Settings button in the Sharing tab. In NAT, outbound static mappings are part of the NAT global properties, and inbound static mappings are part of the Internet interface properties. Later sections will cover how to configure these for both services.

Static mapping is a requirement if you want to host Internet services on your private network.

When ICS or NAT receives connection requests for the Internet from the private network, it assesses whether a mapping already exists. This could be either a static mapping you have defined, or a dynamic mapping that is still in memory (the mapping table). If a mapping already exists, that is used. If a mapping does not already exist, a new dynamic mapping is created in one of the following ways:

• If NAT is being used with multiple Internet addresses, and one of these is free, it maps the private address of the originating workstation to its own public address, and passes through the source port number unchanged. When only the last Internet address remains available, it behaves as if it had only one Internet address.

• If NAT is being used with only one Internet address, or if ICS is being used, it maps the private address of the originating workstation to its public address, AND it maps the original source port number (e.g., 1024) to a new source port number (e.g., 5000).

After the mapping is complete, it will look to see if a NAT editor is needed, and modify the packet as necessary before sending it out onto the Internet.

When ICS or NAT receives connection requests from the Internet (which will happen, for example, if you are hosting your own FTP server on the private network for Internet users), it assesses whether a mapping exists for the destination address and port number. If a mapping exists, it will redirect the connection accordingly to the workstation on the private network (IP address or workstation name, and port number). If a mapping does not exist, the connection request is discarded.

Additionally, after the mapping is complete, it will look to see if a NAT editor is needed, and modify the packet as necessary before sending it to the workstation on the private network.

NAT automatically offers security against malicious Internet connections, because dynamic mappings are only used for outbound connections; static mappings have to exist for inbound connections.

The connection protocol of the Internet is IP, and for computers to communicate with each other over the Internet, they need a valid IP address that has been allocated by the Internet Network Information Center (InterNIC). These addresses are known as public addresses, and typically an ISP will have a limited range of public addresses available for customers who want Internet access. A small business or home office will usually be granted one or more such public addresses, and the scarcity of these addresses is one reason why Internet connection sharing is so attractive.

Because there is a very real limit on the number of available public addresses, the InterNIC provided an address reuse scheme by reserving certain network IDs for private networks:

• 10.0.0.0 with the subnet mask 255.0.0.0

• 172.16.0.0 with the subnet mask 255.240.0.0

• 192.168.0.0 with the subnet mask 255.255.0.0

Private addresses cannot receive traffic directly from Internet locations. This has several implications for a network that requires an Internet connection. The first is that you must convert a private address to a public address before you can connect to the Internet, because routers on the Internet will not route addresses from the private address range. The second is that if private addressing is being used, this offers immediate security for your workstations, because traffic can only pass from the Internet to your network via a network translation service or a routed service. These will be at designated points on your network (e.g., your NAT server), rather than having to configure and maintain each workstation’s connection integrity.

IP Addressing Issues on the Internal Network

It is highly recommended that you use private addresses on your network even if you initially have no plans to connect to the Internet, because changing your IP address scheme if you later decide to connect to the Internet is not a quick or easy conversion once connectivity patterns have been established.

If you continue to use IP addresses that are valid public addresses but haven’t been allocated to you by the InterNIC or an ISP, you will probably be using the same addresses as another organization on the Internet. This is called illegal or overlapping IP addressing. Not only do you run a higher risk of unwanted Internet traffic coming into your private network, but you will also not be able to connect to the legal IP network, because connections that should be remote will appear as local and never leave your company network.

Private addresses are assumed when using Internet sharing. With ICS, you have no choice over the internal addresses—they will be in the 192.168.x.x range. With NAT, you do have the choice of which IP address range to use, both when configuring the DHCP allocator on the NAT server itself and when using a full DHCP server. However, it is strongly recommended you keep to the practice of using addresses from the private address range.

Exercise 29-1
Walkthrough of Address Translation in Action

This exercise is a theoretical run-through of what happens when address translation is being used for both the source address and source port, either when using ICS or NAT.

1. Workstation A is a SOHO workstation with a single network adapter, configured to automatically receive TCP/IP address assignment, and as such receives the following:
   IP address: 192.168.0.2
   Subnet mask: 255.255.255.0
   Default gateway: 192.168.0.1
   DNS server: 192.168.0.1

2. Workstation B is another SOHO workstation, but also has a connection to the Internet that is shared. As such, it has two interfaces:
   SOHO interface (for the private network)
   IP address: 192.168.0.1
   Subnet mask: 255.255.255.0
   Internet interface (for the public network; these values are assigned by an ISP)
   IP address: 130.100.1.2
   Subnet mask: 255.255.0.0
   Default gateway: 130.100.100.222 (ISP’s router)
   DNS server: 200.100.100.243 (ISP’s DNS server)

3. When workstation A running Internet Explorer tries to connect to the Web site www.microsoft.com, it first needs to resolve this DNS name to an IP address. It sends out the DNS query to its DNS server, which is the computer running the Internet sharing connection. This machine sees the DNS query, and on behalf of the client, it queries its own DNS server (on the Internet). When the reply comes back that www.microsoft.com resolves to the IP address 207.46.130.45, it passes this information back to workstation A.

4. Workstation A knows that address 207.46.130.45 is not on its local subnet, so it sends the HTTP request via its default gateway. The default gateway is the internal IP address of the computer hosting the Internet sharing.

5. Workstation B receives the packet and passes it to the Internet via its Internet-connected interface (IP address 130.100.1.2), but before it sends it out, it changes the source address from 192.168.0.2 to 130.100.1.2. It also changes the source port number from 1026 to 5001. As far as the host on the Internet is concerned, the call is initiated by the machine with address 130.100.1.2 and source port 5001—it has no knowledge of workstation A with address 192.168.0.2, source port 1026.

6. When the reply comes back from the Internet host, it has the destination address 130.100.1.2 and destination port 5001. When the computer running the Internet sharing receives the packet, it looks in its translation mapping table, finds that this packet is really destined for workstation A, and changes the destination address from 130.100.1.2 to 192.168.0.2 and the destination port from 5001 to 1026.

7. Further exchanges of packets between workstation A and the Microsoft Web site continue in this manner, with the mapping table directing packets until workstation A no longer needs to communicate with this Internet host. The mapping remains in the mapping table for the default timeout period of 24 hours, and then is discarded. After this time, any new connection from workstation A to the same host would have to set up a new dynamic mapping.
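
The mapping behaviour walked through in this exercise, together with the outbound and inbound rules and the TCP/UDP timeouts described earlier, as a runnable model. This is an added example, not code from the chapter or from Windows 2000; the addresses are the constructed ones from Exercise 29-1, and the starting translated port (5001), the requirement that a reply come from the Internet host recorded in the mapping, and the use of the last public address for port-translated mappings are modelling assumptions.

```python
"""Model of the ICS/NAT mapping table described in this chapter.

Added example, not code from the chapter or from Windows 2000. It uses the
constructed addresses of Exercise 29-1: workstation A is 192.168.0.2, the
sharing computer's Internet interface is 130.100.1.2 and the Web server is
207.46.130.45.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default lifetimes of dynamic mappings stated in the text (ICS cannot change them).
TIMEOUT_SECS = {"tcp": 24 * 60 * 60, "udp": 60}

Endpoint = Tuple[str, int]          # (IP address, port)
Key = Tuple[str, str, int]          # (protocol, public IP address, public port)


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint


@dataclass
class Translator:
    """Translation table of an ICS computer (one public address) or a NAT
    server (one or more public addresses; the last one is shared by port)."""
    public_ips: List[str]
    next_port: int = 5001           # first translated source port (assumption)
    static_in: Dict[Key, Endpoint] = field(default_factory=dict)
    addr_map: Dict[str, str] = field(default_factory=dict)   # private IP -> dedicated public IP
    # dynamic table: public key -> (private endpoint, Internet endpoint, last use)
    dynamic: Dict[Key, Tuple[Endpoint, Endpoint, float]] = field(default_factory=dict)

    def add_static(self, proto: str, pub_ip: str, pub_port: int, priv: Endpoint) -> None:
        """Inbound static mapping (ICS Services tab / NAT Special Ports)."""
        self.static_in[(proto, pub_ip, pub_port)] = priv

    def expire(self, now: float) -> None:
        """Drop dynamic mappings not refreshed within the protocol's timeout."""
        for key in [k for k, (_, _, last) in self.dynamic.items()
                    if now - last > TIMEOUT_SECS[k[0]]]:
            del self.dynamic[key]

    def _choose_public(self, priv_ip: str, priv_port: int) -> Endpoint:
        """Spare public addresses (all but the last) are handed out one-to-one with
        the source port passed through; the last address is shared and needs a
        fresh, unique source port, which is what ICS always does."""
        if priv_ip not in self.addr_map:
            spare = [ip for ip in self.public_ips[:-1] if ip not in self.addr_map.values()]
            if spare:
                self.addr_map[priv_ip] = spare[0]
        if priv_ip in self.addr_map:
            return self.addr_map[priv_ip], priv_port
        port, self.next_port = self.next_port, self.next_port + 1
        return self.public_ips[-1], port

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Private -> Internet: reuse an existing mapping or create a dynamic one."""
        self.expire(now)
        for key, (priv, remote, _) in self.dynamic.items():
            if key[0] == pkt.proto and priv == pkt.src and remote == pkt.dst:
                self.dynamic[key] = (priv, remote, now)        # refresh the mapping
                return Packet(pkt.proto, (key[1], key[2]), pkt.dst)
        pub = self._choose_public(*pkt.src)
        self.dynamic[(pkt.proto,) + pub] = (pkt.src, pkt.dst, now)
        return Packet(pkt.proto, pub, pkt.dst)        # destination is never translated

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> private: a static mapping, or a live dynamic mapping from
        the same Internet host; anything else is discarded."""
        self.expire(now)
        key = (pkt.proto,) + pkt.dst
        if key in self.static_in:
            return Packet(pkt.proto, pkt.src, self.static_in[key])
        if key in self.dynamic and self.dynamic[key][1] == pkt.src:
            priv, remote, _ = self.dynamic[key]
            self.dynamic[key] = (priv, remote, now)
            return Packet(pkt.proto, pkt.src, priv)
        return None


def walkthrough() -> dict:
    """Steps 5-7 of Exercise 29-1, plus the inbound cases the text describes."""
    nat = Translator(public_ips=["130.100.1.2"])
    web = ("207.46.130.45", 80)
    out = nat.outbound(Packet("tcp", ("192.168.0.2", 1026), web), now=0)
    reply = nat.inbound(Packet("tcp", web, out.src), now=1)
    # A second workstation also uses source port 1026; it must get a different public port.
    out_c = nat.outbound(Packet("tcp", ("192.168.0.3", 1026), web), now=2)
    # Unsolicited connection to port 80: no mapping, so it is discarded...
    unsolicited = nat.inbound(Packet("tcp", ("198.51.100.7", 40000), ("130.100.1.2", 80)), now=3)
    # ...until a static mapping for the Web server on workstation A exists.
    nat.add_static("tcp", "130.100.1.2", 80, ("192.168.0.2", 80))
    to_web_server = nat.inbound(Packet("tcp", ("198.51.100.7", 40000), ("130.100.1.2", 80)), now=4)
    # A reply arriving after the 24-hour TCP timeout finds its mapping gone.
    late_reply = nat.inbound(Packet("tcp", web, out.src), now=1 + TIMEOUT_SECS["tcp"] + 1)
    return {"out": out, "reply": reply, "out_c": out_c, "unsolicited": unsolicited,
            "to_web_server": to_web_server, "late_reply": late_reply}


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:14} {pkt}")
```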

CERTIFICATION OBJECTIVE 29.02

Internet Connection Sharing

Now that we have looked at how Internet connection sharing works in theory, let’s look at how to put this into practice for a machine running ICS.

You must already have installed and configured the hardware to connect your computer to the Internet (e.g., modem or ISDN adapter), and have a network connection specified to the Internet that uses this interface (for example, specify your ISP’s details).

Then sharing this connection is simply a matter of selecting its Properties, then the Sharing tab, and selecting the check box “Enable Internet connection sharing for this connection.” If your Internet connection is dial-up rather than dedicated, you will also need to check the option “Enable on-demand dialing.”

At this point, if you only require dynamic mappings so SOHO workstations can connect to Internet resources, your job is finished for configuring ICS. However, there may be two circumstances in which you need to specify static mappings, which you do with the Settings button on the same Sharing dialog box. This displays two tabs, one for Applications and one for Services.

The Applications tab allows you to specify static mappings for outbound connections. You would not normally need to do this, but it may be required if the application requires particular port numbers (rather than letting ICS dynamically choose a number) and/or additional associated connections. For example, some firewalls are configured to allow through only a certain range of source port numbers, so if you were connecting over the Internet with this restriction, you would have to configure a static mapping to ensure the connection went out with the source port number that was required. Another example is when using multiuser applications over the Internet (e.g., games) that require one or more additional inbound connections.

The Services tab allows you to specify static mappings for inbound connections; for example, if you want to offer Internet services (e.g., a Web server, FTP server, mail or NNTP server) on your SOHO workstations for other Internet users. Because these connections will be initiated by other people on the Internet rather than users on your internal network, the computer running ICS will need to know the workstation details to which it should map the connection.

The Services tab displays a list of well-known Internet services, such as FTP Server, POP3, and SMTP. For those not listed, click Add to specify your own reference name to identify the service (e.g., “company Web server”), the port number the remote client will be calling (e.g., TCP port 80 for Web services), and then identify to which workstation it should be mapped. Then when a connection comes in from the Internet, ICS will look up its static mapping and direct the call to the correct workstation on the internal network.

FROM THE CLASSROOM

Identifying the Workstation

How can you know what IP address the workstation will have if it’s using DHCP? In theory, you may immediately think that these two are mutually exclusive—if a workstation is using DHCP, you cannot guarantee what IP address it will have, and therefore it is better to specify the workstation name, which remains constant. However, if you are running a full-time service, the SOHO workstation will remain up and running and therefore be able to renew its initially obtained IP address (viewed with ipconfig or winipcfg). Despite this, you may prefer to identify the workstation by its constant host name.

You must have a dedicated Internet connection to offer incoming Internet services (such as FTP servers or Web servers) to Internet users.

Exercise 29-2
Enabling Internet Connection Sharing for Dynamic Mapping

1. Ensure you are logged on with Administrative privileges and click on Start | Settings | Network and Dial-up Connections.

2. Right-click the Internet connection you want to share (e.g., your dial-up to your ISP) and select Properties | Sharing. Select the check box “Enable Internet connection sharing for this connection.”

3. If your Internet connection uses a dial-up connection rather than a dedicated link, also select the check box “Enable on-demand dialing.”

4. When you click Ok you will see the dialog box shown in Figure 29-1, warning you that your internal IP address will be changed for one supported by ICS.

5. Click Yes.

6. That’s it! Ensure you have no other DHCP servers on your network, and reboot your SOHO client workstations with DHCP configuration enabled so that they receive their new automatic IP address assignment from the ICS computer.

Exercise 29-3
Enabling Internet Connection Sharing for a Static Mapping

The most likely time you will want to do this is if you want to host an Internet resource (e.g., Web server) on your private network. Ensure you have a dedicated link to the Internet and have completed the previous exercise. The workstation on your private network that will be hosting the Web server is called WRKST1-WEB, and uses the default TCP port of 80. To configure access to this Web server from the Internet, complete the following:

1. On the Sharing tab, click Settings, and select the Services tab.

2. In “Name of service,” type in a name for your reference, such as Company Web Server.

3. In “Service port number,” type in 80 and keep the default selection of TCP rather than UDP.

4. Under “Name or address of server computer on the private network,” type in WRKST1-WEB.

Your dialog box should look similar to Figure 29-2.

5. Click Ok three times to save all your ICS settings.

You will need to configure Internet Explorer on the client workstations to use Internet sharing, which means a local area connection rather than a direct Internet connection. Additionally, Internet Connection Sharing is not using a proxy server or automatically detecting settings, so options for these should be cleared.

The first time Internet Explorer is started on a particular machine, you will need to complete the following steps for Internet Explorer 5 on a Windows 2000 Professional computer.

1. Start | Programs | Internet Explorer.

2. When prompted, select “I want to set up my Internet connection manually, or I want to connect through a local area network (LAN),” and click Next.

3. Clear the option “Automatic discovery of proxy server [recommended]”—NAT was not available when IE5 was released! Then click Next.

4. You will then be prompted to configure mail options; either supply these if known, or click No (you can supply them later). Then click Finish.

If you have already set up Internet Explorer for a direct Internet connection and need to reconfigure it to use your Internet Connection Sharing service, you will need to complete the following steps for Internet Explorer 5 on a Windows 2000 Professional computer.

1. Start | Programs | Internet Explorer.

2. From Tools | Internet Options | Connections, click “Never dial a connection,” and then click LAN Settings.

3. In the Local Area Network (LAN) Settings dialog box, ensure that all three check boxes are cleared. These are “Automatically detect settings,” “Use automatic configuration script,” and “Use a proxy server.”

4. Click Ok and Apply.

If you have already set up Internet Explorer for a Proxy Server connection, you will need to deselect these settings in the Local Area Network (LAN) Settings dialog box as described earlier, in order to use your Internet Connection Sharing service.

Note that these instructions also apply to workstations connecting via NAT.

As stated previously, ICS has some limitations in comparison with the NAT routing protocol when it comes to sharing an Internet connection. If these limitations are relevant to your network and/or requirements, you should consider using NAT instead, if that is able to fulfill your requirements.

• ICS cannot disable the DHCP allocator service, so the full range of DHCP options is not available to SOHO clients, such as your choice of local DNS and/or WINS server.

• ICS is restricted to using just one Internet address, so you cannot make use of better throughput and availability, cannot disable dynamic port mappings, and cannot reserve a single Internet address for an inbound connection (e.g., Web server).

• ICS cannot be used on a network already using network services such as DHCP, DHCP Relay, domain controllers, routers, etc.

• You cannot scale ICS by running it on two computers within the same segment. You can do this with NAT if you disable the DHCP allocator, which also provides some (not automatic) backup should one computer/connection fail.

• You cannot mix static and dynamic IP addresses on the client workstations.

• You cannot exclude addresses from the DHCP allocator.

• ICS can only work in a single-segment network.

• There is no WINS proxying with ICS, so either use broadcasts to resolve NetBIOS names or configure and implement an LMHOSTS file for each workstation.

• You cannot as easily monitor ICS. There is no desktop utility or command to see what addresses have been allocated, what DNS names have been resolved, and what mappings are in memory. The System Event Log is the only indication of what ICS is doing, and the information passed to this is limited.

CERTIFICATION OBJECTIVE 29.03

Network Address Translation

You may prefer to use Windows 2000 Server and install a NAT routing protocol to overcome some of ICS’ limitations. However, NAT does require more configuration, which will be covered in the following sections.

The Routing and Remote Access snap-in utility is available under Start | Programs | Administrative Tools | Routing and Remote Access. This is a service on Windows 2000 Server that needs to be enabled rather than installed, and when it is initially enabled it will invoke the Routing and Remote Access Server Setup Wizard. You may also remember that one of the wizard configuration options was to enable NAT, which when selected will ask whether you want to use ICS or NAT.

If you haven’t already configured RRAS for remote access and/or routing, you can use the wizard to guide you through setting up NAT. Or, if you are willing to forgo your original RRAS configuration, you can disable RRAS and re-enable it to invoke the Setup Wizard again.

If you have already set up and configured RRAS (e.g., for remote access) and now want to add support for NAT, you will need to ensure that your RRAS server supports routing, and then add NAT as a routing protocol. The next step is to add the NAT protocol to the interfaces you want to use, and review and, if necessary, configure properties to ensure you have the best setup for your workstations.

The NAT server uses Internet Control Message Protocol (ICMP) Router Solicitation and DHCP Discover packets to detect if there are competing DHCP servers or routers on your network. If it gets a positive response, it will attempt to shut down or disable its own services. Ensure these are not running before installing the NAT protocol.

You may not have to complete this step if your server is already configured for routing. If it isn’t, or you want to check this, select your server under the Routing and Remote Access snap-in, and select Properties. Here you can select whether to support routing and remote access. You must have the Router option selected in order for NAT to work. If you also want to offer remote access on the same server, ensure the “Remote access server” check box is also selected.

If the Routing and Remote Access snap-in is already opened with the RRAS service enabled, but no NAT support, you need to add NAT as if it were a routing protocol.

Exercise 29-4
Installing the NAT Protocol

1. Double-click your server from the left console pane to expand its contents, until you see IP Routing.

2. Under IP Routing, right-click General.

3. Select New Routing Protocol..., and you will see a list of routing protocols for selection.

Selecting the NAT protocol within RRAS

4. Select Network Address Translation (NAT), and click Ok. It should appear in the main console under IP Routing similar to Figure 29-5.

Now that NAT is installed, you will need to review its default global properties and change these if necessary. Right-click on the new NAT routing protocol, and select Properties. This displays the global properties with four tabs.

The first tab, General, is fairly self-explanatory, and is similar to other components under the RRAS snap-in, which provide various levels of logging in the System Event Log.

The Translation tab deals with both dynamic and static mappings. “Remove TCP mapping after (minutes):” and “Remove UDP mapping after (minutes):” govern how long a dynamic mapping remains in memory. The defaults should suffice for most applications (the 1440 minutes for TCP is 24 hours). Clicking Applications on the same tab allows you to create static mappings for outbound connections similar to the Applications tab option in ICS, allowing you to statically map both IP addresses and ports if needed.

The Address Assignment tab allows you to specify whether the DHCP allocator should be used (this is the “Automatically assign IP addresses by using DHCP” check box), and allows you to specify the private address range that should be used for connecting workstations. If you are using a static address on your internal interface, an appropriate range will be suggested from this setting. Otherwise, the default of 192.168.0.0 with subnet mask of 255.255.255.0 is suggested, but unlike ICS, you can actually change this here. You can also exclude addresses from this range by clicking Exclude. If you want to use a standard DHCP server to take advantage of a different WINS server or some of the advanced DHCP options you get with Windows 2000 DHCP server, uncheck “Automatically assign IP addresses by using DHCP.”

“Automatically assign IP addresses by using DHCP” refers to the DHCP allocator, a cut-down version of the Windows 2000 DHCP service. If this is unchecked and you do not have a standard DHCP server on your network, NAT will not work.

If you change the default address range, don’t forget to also change the IP address of the private interface. It is recommended that you change it to be the first IP address in the configured range, and then exclude this (by clicking Exclude).
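
The Address Assignment rules just described (a private range, the private interface as the first and excluded address, allocator versus standard DHCP server), together with the private-address and client-addressing checks from earlier in the chapter, as a small consistency check you can run against values copied from the property sheet and from ipconfig /all. This is an added example, not code from the chapter or from Windows 2000; the input format (the range as network/mask, clients as address/gateway pairs) is this example's own.

```python
"""Consistency checks for the NAT Address Assignment settings described in this
chapter. Added example, not code from the chapter or from Windows 2000.

Rules encoded, all from the text: the allocator range must lie in one of the
three private network IDs; the private interface should be the first address
of that range and be excluded from allocation; clients must be in the same
network and use the private interface as default gateway; turning the
allocator off only works when a standard DHCP server is present.
"""
import ipaddress
from typing import List, Tuple

# The private network IDs listed in this chapter, written as network/mask.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/255.0.0.0", "172.16.0.0/255.240.0.0", "192.168.0.0/255.255.0.0")]


def is_private(ip: str) -> bool:
    """True if the address lies in one of the reserved private network IDs."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


def check_address_assignment(allocator_enabled: bool, external_dhcp: bool, range_spec: str,
                             private_if_ip: str, excluded: List[str],
                             clients: List[Tuple[str, str]]) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent.

    range_spec is the allocator range as 'network/mask' (e.g. '192.168.0.0/255.255.255.0');
    clients are (IP address, default gateway) pairs as reported by ipconfig /all.
    """
    problems: List[str] = []
    if not allocator_enabled and not external_dhcp:
        problems.append("allocator off and no standard DHCP server: clients get no addresses")

    net = ipaddress.ip_network(range_spec, strict=False)
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        problems.append(f"range {net} is not private: illegal/overlapping addressing")

    if_ip = ipaddress.ip_address(private_if_ip)
    if if_ip not in net:
        problems.append(f"private interface {if_ip} is outside the range {net}")
    elif if_ip != net[1]:   # net[1] is the first host address after the network ID
        problems.append(f"private interface should be the first address in the range, {net[1]}")
    if allocator_enabled and private_if_ip not in excluded:
        problems.append(f"private interface {if_ip} is not excluded from the allocator range")

    for ip, gateway in clients:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"client {ip} is not in {net}: its connections will fail")
        if gateway != private_if_ip:
            problems.append(f"client {ip} uses gateway {gateway}, not the NAT private interface")
    return problems


if __name__ == "__main__":
    # NAT defaults with the constructed layout of Exercise 29-1: no problems expected.
    print(check_address_assignment(True, False, "192.168.0.0/255.255.255.0", "192.168.0.1",
                                   ["192.168.0.1"], [("192.168.0.2", "192.168.0.1")]))
    # Range moved to 10.0.0.0/24 but the private interface left at 192.168.0.1.
    print(check_address_assignment(True, False, "10.0.0.0/255.255.255.0", "192.168.0.1",
                                   [], [("10.0.0.2", "192.168.0.1")]))
```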

The Name Resolution tab allows you to specify whether the NAT server should resolve DNS names to IP addresses for connecting clients. If your Internet DNS server is available only over a dial-up connection, you can additionally specify here which dial-up connection to use. Note that this tab has nothing to do with NetBIOS name resolution.

Now that NAT is installed and configured, you need to tell it which interfaces to use, and configure their properties.

It’s not enough to just install NAT; you must tell it which interfaces to use—it won’t automatically use NAT on all interfaces as you might expect.

You must add at least two interfaces (for example, one adapter on your private network and another on your Internet modem/adapter). To add interfaces to NAT, select the NAT routing protocol you have just added, right-click and select Add. You will be able to select your interface connections from the next dialog box.

When you have selected your interface, you will immediately be presented with its General Properties options. For your internal connection, select the “Private interface connected to private network” option. For your external connection, select “Public interface connected to the Internet” and also the check box for “Translate TCP/UDP headers (recommended).”

When you configure your Internet interface as your Public interface connected to the Internet, you will then see two more Properties tabs: Address Pool and Special Ports.

The Address Pool tab is where you specify multiple public addresses if these have been allocated by your ISP and you wish to use more than one public IP address on this one server. Click Add to specify your start and end range, or if your address range is a power of 2, you can define your range with one address and a subnet mask.

You can also reserve specific IP addresses with the Reservations button, which may be applicable if, for example, you want to keep one address separate for an Internet service you want to host on one of the workstations.

The Special Ports tab allows you to specify static mappings for inbound connections. It corresponds to the Services tab in ICS, where you can specify the ports and addresses to which packets should be sent when they come in to the server from the Internet, to either the server’s Internet address or to one of the reserved addresses in the address pool.

When NAT is installed and configured, it should now look similar to Figure 29-7, which shows one internal adapter for the private interface and one external adapter for the Internet connection.

As you can see, you can monitor the NAT service from the Routing and Remote Access snap-in by viewing statistics for each NAT interface. The details pane on the right has columns for the number of mappings, inbound/outbound packets translated or rejected, and so forth, and when NAT is being used, you will see mappings dynamically update here.

Additionally, the current mappings table can be viewed for each interface: select your Internet interface, right-click it, and choose Show Mappings to see exactly what protocols, ports and addresses are mapped in memory.

If you right-click on Network Address Translation (NAT), you can select Show DHCP Allocator Information and Show DNS Proxy Information to display statistics on these components. Another way to see the DHCP Allocator Information would be to use Netsh with the following command: routing ip autodhcp show global.

CERTIFICATION OBJECTIVE 29.04

Troubleshooting ICS and NAT

The whole of this chapter has included troubleshooting information by describing how these services work and what their configuration options are. If you have problems when using ICS and NAT, rather than blindly running through a list of possible problems and solutions, think about how these services work so you can better define what is going wrong and at what stage.

First, check that you’re not asking ICS and NAT to do something that is outside their limitations. For example, you can’t run ICS and NAT together on the same computer, and since these services were designed for the simplest networks you cannot expect them to run correctly if in competition with other network services (such as domain controllers, routers, DHCP servers, etc.).

Both of these services will only work with the TCP/IP protocol, so ensure it is installed and, particularly for ICS, ensure that a DHCP client component is also installed (this will be automatic for later Windows computers such as Windows 9x, Windows NT and Windows 2000).

As with any networking service, ensure that basic connectivity is not the problem (for example, ping the computer running ICS or NAT from a workstation, which should check adapters, cabling, and basic TCP/IP configuration). Ensure that your connection to the Internet is functioning correctly (try running an Internet application on the computer running ICS or NAT first, before trying to share that connection).

When you have verified that the settings are correct and then checked your configuration of ICS or NAT, some other common problems and likely problem situations may occur, as discussed in the following sections.

These relate to connectivity issues—between the client workstation and the ICS/NAT computer, and between the ICS/NAT computer and the Internet resource.

• For ICS, ensure the Enable Internet Connection Sharing option is set under the Sharing tab. For NAT, ensure that the server supports routing, and the NAT routing protocol is installed with at least one internal interface (for your private network connection) and one external interface (for your Internet connection) added to the NAT protocol.

• The default private address range can be changed for NAT, but not for ICS. If you change this, ensure that the private addresses assigned to the clients are in the same network address range as the IP address on the private network interface on the NAT computer. If they are not, your connections will fail.

• Verify that clients have received the correct TCP/IP configuration by typing ipconfig /all (or winipcfg for Win9x) on the client computers. The default TCP/IP address assignment will be an address in the 192.168.x.x range (although you can change this with NAT). Additionally, verify that the Default Gateway IP address corresponds to the IP address on the internal interface of the ICS/NAT computer.

• If clients do not receive correct IP address settings, and you have no standard DHCP server on your network, for NAT ensure you have “Automatically assign IP addresses by using DHCP” set as a global NAT option. There is no equivalent setting for ICS, because you cannot disable this in ICS.

• If you have changed the addressing information on the NAT server so it is not using the default of 192.168.x.x, but you are using the DHCP allocator (“Automatically assign IP addresses by using DHCP”), verify that you are instead using one of the other private address ranges (10.0.0.0 with a subnet mask of 255.0.0.0, or 172.16.0.0 with a subnet mask of 255.240.0.0).

• If you have a standard DHCP server on your network and you wish to use this rather than the DHCP allocator with NAT, uncheck “Automatically assign IP addresses by using DHCP,” and ensure that your DHCP server is available and configured correctly to offer clients an IP address in the same network range as the internal network adapter on the NAT server. Also ensure that other DHCP options are set correctly; for example, setting your local WINS server if you have one, and the IP address of your local DNS server if it is configured to forward to the Internet.

• Verify that you have entered the correct IP address, subnet mask, default gateway, and DNS server on the Internet interface—these would normally be supplied by your ISP. If you have been given more than one public IP address to use with NAT (you cannot use more than one with ICS), ensure that you have entered these
correctly in the Address Pool tab of the NAT Internet Interface
properties. If you enter an invalid public address for outbound
connections, you will not be able to use that address, and the translation
will fail because the connection will fail. If you enter an invalid public
address for inbound connections (e.g., you are hosting a Web server for
Internet access on one of your client workstations), your Web server will
be inaccessible to other people on the Internet. |
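The ipconfig checks in the list above can be scripted. The following is an added example written for this chapter, not code from the book or from Windows: it parses ipconfig /all output (the two samples are constructed text with made-up addresses) and compares the client’s address, subnet, default gateway, DHCP server, and DNS server with the ICS/NAT computer’s internal interface, which the script takes as parameters (the 192.168.0.1 / 255.255.255.0 values are assumptions, as is the choice of 192.168.x.x for the samples).

```python
import ipaddress
import re

# Private address ranges the DHCP allocator may hand out (the three ranges named in the text).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "ipconfig /all" output; addresses are made up for this example.
# A correctly configured client: lease, gateway, and DNS all come from the ICS/NAT internal interface.
GOOD_CLIENT = """
Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Ethernet Adapter
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# A client someone configured by hand: private range, but the wrong subnet, gateway, and DNS.
BAD_CLIENT = """
Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

FIELDS = (("IP Address", "ip"), ("Subnet Mask", "mask"), ("Default Gateway", "gateway"),
          ("DHCP Server", "dhcp"), ("DNS Servers", "dns"))


def parse_ipconfig(text):
    """Pull the fields the troubleshooting steps look at out of ipconfig /all output.

    Only the first value of each field is taken (ipconfig lists extra DNS servers on
    following lines). A missing or empty field is returned as None.
    """
    result = {}
    for label, key in FIELDS:
        # "[ \t]*" rather than "\s*" so an empty value does not swallow the next line.
        m = re.search(r"^\s*" + re.escape(label) + r"[ .]*:[ \t]*(\S*)", text, re.M)
        result[key] = m.group(1) if m and m.group(1) else None
    return result


def check_client(fields, nat_internal_ip, nat_internal_mask,
                 allocator_enabled=True, nat_dns_enabled=True):
    """Compare a client's settings with the ICS/NAT computer's internal interface.

    Returns a list of problem strings; an empty list means the client looks correct.
    allocator_enabled=False means a standard DHCP server is in use, so the lease may
    legitimately come from another address; nat_dns_enabled=False means you assign
    your own DNS server and have disabled name resolution on the NAT server.
    """
    problems = []
    if not fields["ip"] or not fields["mask"]:
        return ["no IP address or subnet mask assigned (DHCP allocator or DHCP server not reachable?)"]
    client_net = ipaddress.ip_interface(f"{fields['ip']}/{fields['mask']}").network
    nat_net = ipaddress.ip_interface(f"{nat_internal_ip}/{nat_internal_mask}").network
    if not any(client_net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{fields['ip']} is not in a private address range")
    if client_net != nat_net:
        problems.append(f"client network {client_net} differs from NAT internal network {nat_net}")
    if fields["gateway"] != nat_internal_ip:
        problems.append(f"default gateway {fields['gateway']} is not the NAT internal interface {nat_internal_ip}")
    if allocator_enabled:
        if fields["dhcp"] is None:
            problems.append("address was configured by hand, not leased from the NAT DHCP allocator")
        elif fields["dhcp"] != nat_internal_ip:
            problems.append(f"lease came from DHCP server {fields['dhcp']}, not the NAT DHCP allocator")
    if nat_dns_enabled and fields["dns"] != nat_internal_ip:
        problems.append(f"DNS server {fields['dns']} is not the NAT internal interface")
    return problems


if __name__ == "__main__":
    for name, text in (("good client", GOOD_CLIENT), ("bad client", BAD_CLIENT)):
        print(name, check_client(parse_ipconfig(text), "192.168.0.1", "255.255.255.0") or ["OK"])
```

In practice you would paste a workstation’s real ipconfig /all output in place of the constructed samples; the same function reports each mismatch separately, so a single run tells you whether the fault is the address range, the gateway, the source of the lease, or DNS.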
Network Translation

This applies to how applications work through a translated connection.

• If you have specific programs that do not seem to work correctly through
  ICS or NAT, but standard programs (e.g., Web access) are okay, check
  whether this program can be translated. If the program runs from the
  computer with the direct connection to the Internet, but not from a
  workstation on the private network, chances are the application uses
  packets that cannot be translated. However, before giving up on it, check
  with the vendor about how their application works in a translated
  environment, because it may just need a certain static mapping defined to
  work correctly (multiuser Internet games fall into this category).

• For incoming connections (e.g., if you want to host your own Web server
  on the Internet), ensure that you have a permanent connection to the
  Internet, that your ICS or NAT computer is not turned off, that you have
  defined a correct static mapping for the internal workstation, and that
  the workstation is left switched on with the service running.

• Unless you specifically need a one-to-one mapping of source ports (only
  possible with NAT if you have multiple public IP addresses), verify that
  the “Translate TCP/UDP headers (recommended)” check box on the General
  tab of the properties of the public interface is selected.
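To make the last two points concrete, here is a toy model of a translation table, added as an example for this chapter; it is not the RRAS NAT implementation. The public address 203.0.113.5, the private hosts, and the starting translated port 1025 are assumed values. It shows that an inbound packet to the public address is dropped unless a static (special port) mapping exists, and that with TCP/UDP header translation turned off, each public address can serve only one private host.

```python
import itertools


class ToyTranslator:
    """Minimal model of a NAT translation table (constructed for this example).

    Outbound connections create dynamic mappings; inbound packets are delivered only
    through a dynamic mapping (a reply) or a static "special port" mapping.
    """

    def __init__(self, public_ips, translate_ports=True):
        self.public_ips = list(public_ips)        # address pool on the public interface
        self.translate_ports = translate_ports    # the "Translate TCP/UDP headers" option
        self.dynamic = {}       # (public_ip, public_port) -> (private_ip, private_port)
        self.static = {}        # special ports: (public_ip, public_port) -> (private_ip, private_port)
        self.address_map = {}   # private_ip -> public_ip, used only for one-to-one mode
        self.next_port = itertools.count(1025)    # assumed first translated source port

    def add_special_port(self, public_ip, public_port, private_ip, private_port):
        """Static mapping so Internet clients can reach a server on the private network."""
        self.static[(public_ip, public_port)] = (private_ip, private_port)

    def outbound(self, private_ip, private_port):
        """Translate an outbound packet's source; returns (public_ip, public_port) or None."""
        for public_key, private_key in self.dynamic.items():
            if private_key == (private_ip, private_port):
                return public_key                 # existing mapping is reused
        if self.translate_ports:
            # Port translation: every private host shares the first public address,
            # distinguished by a unique translated source port.
            public_key = (self.public_ips[0], next(self.next_port))
        else:
            # One-to-one: each private host needs its own public address from the pool.
            if private_ip not in self.address_map:
                used = set(self.address_map.values())
                free = [ip for ip in self.public_ips if ip not in used]
                if not free:
                    return None                   # pool exhausted: the connection fails
                self.address_map[private_ip] = free[0]
            public_key = (self.address_map[private_ip], private_port)
        self.dynamic[public_key] = (private_ip, private_port)
        return public_key

    def inbound(self, public_ip, public_port):
        """Deliver an inbound packet: dynamic mapping first, then static; None means dropped."""
        key = (public_ip, public_port)
        return self.dynamic.get(key) or self.static.get(key)


def demo_port_translation():
    """Two private hosts using the same source port, plus an inbound Web request."""
    nat = ToyTranslator(["203.0.113.5"])
    a = nat.outbound("192.168.0.10", 1025)
    b = nat.outbound("192.168.0.11", 1025)
    before = nat.inbound("203.0.113.5", 80)       # no mapping yet: dropped
    nat.add_special_port("203.0.113.5", 80, "192.168.0.20", 80)
    after = nat.inbound("203.0.113.5", 80)        # delivered to the internal Web server
    return a, b, before, after


def demo_one_to_one():
    """Header translation off with a single public address: only one host gets out."""
    nat = ToyTranslator(["203.0.113.5"], translate_ports=False)
    return nat.outbound("192.168.0.10", 1025), nat.outbound("192.168.0.11", 1025)


if __name__ == "__main__":
    print(demo_port_translation())
    print(demo_one_to_one())
```

The second demo is why the text recommends leaving “Translate TCP/UDP headers” selected unless you hold a public address per private host; the first shows why an internal Web server is unreachable until a special port is defined on the public interface.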
Internet Name Resolution

This applies to how “friendly” Internet names are resolved to IP
addresses; for example, if a client workstation can connect by an IP
address (e.g., http://207.46.130.45) but not through the DNS name (e.g.,
http://www.microsoft.com).

• Verify that DNS name resolution is enabled; for ICS, this should be
  automatic. Use ipconfig (or winipcfg on Windows 9x computers) to view the
  assigned DNS server—it should correspond to the same IP address as the
  internal interface on the NAT server or ICS computer. If you want to use
  your own DNS server, you must assign it with a standard DHCP server and
  disable name resolution on the NAT server. Also ensure that your DNS
  server can forward to the Internet for nonlocal names.
Other Configuration Issues

This applies to general configuration issues for applications, the NAT
computer, and the network.

• Ensure that client applications (e.g., Internet Explorer) are configured
  correctly for ICS or NAT, rather than for a direct connection to the
  Internet or for a proxy server.

• On the NAT server, check the status of both interfaces in the RRAS
  snap-in. Under IP Routing | General, the two interfaces should show their
  correct IP address and that they are Operational.

• Check that packet filtering on the interface, server, or a
  firewall/router isn’t blocking valid packets. You can easily check
  whether packet filtering has been enabled on your NAT interfaces by
  looking at the Filters column for the relevant interface in RRAS under IP
  Routing | General | <interface connection>.
Miscellaneous

Finally, these steps help in identifying or eliminating problems.

• Check the System Event Log for any errors or warnings (for example, if it
  detects any configuration errors or conflicting services). If problems
  still persist with NAT, try setting logging to the maximum, stop and
  restart RRAS, and then check the System Event Log again (set maximum
  logging under NAT properties, General tab).

• Use Network Monitor or an equivalent to capture and analyze the packets
  as they travel from the workstation to the ICS/NAT computer, and from the
  ICS/NAT computer to the Internet (if possible). Now that you have a good
  understanding of how ICS and NAT work, you should be able to verify the
  packets, or identify where the problems lie.
Exercise 29-5
Detecting a Conflicting DHCP Server

How would you know if there was a conflicting DHCP server on your network?
Suppose your NAT server had been running fine for about a month, and
suddenly you came in one day to discover that some people couldn’t access
the Internet from their workstations. The reason for this is that someone
installed a DHCP server without your knowledge that is allocating a
different network address—which means that workstations will get new IP
address assignments from the DHCP server rather than your NAT server.
Because the new address range is different from the one on your NAT
server, the new leases, when obtained, will leave workstations unable to
reach your NAT server, and hence unable to access the Internet.

If you can, simulate this by installing a DHCP server on your network and
configuring it to use a different address range (if it has the same
address range, NAT will continue to work). This exercise steps through
some of the troubleshooting steps you might go through in a similar
situation.

1. Ensure that your NAT server is up and functional—connect one of your
   workstations to the Internet to verify the NAT connection.

2. Install a DHCP server that assigns a different range of IP addresses
   from your NAT server’s range, and activate the scope.

3. Stop and restart the RRAS service on the NAT server.

4. On one of your workstation clients, release and renew your IP address
   (e.g., ipconfig /release and then ipconfig /renew).

5. Try to connect your browser to the Internet with Internet Explorer. You
   should receive a “The page cannot be displayed” message if your
   connection fails.

6. Check that the NAT server is running and available—the interfaces both
   say they are operational, so you know it’s not an interface failure
   problem (e.g., modem not functioning).

7. Check that you can access the Internet resource from the NAT server
   directly, so you know it’s not a basic Internet connectivity problem
   (e.g., ISP link down or Internet resource not available).

8. Check the System Event Log on the NAT server; it contains the message
   “The DHCP allocator (on IP address 10.10.0.1) was disabled in favor of a
   standard DHCP server with address 192.168.0.1.”

9. Confirm this is the problem on the workstation by viewing the IP
   address details (e.g., by typing ipconfig /all). Your choice now is
   either to stop the DHCP server if it is not needed, or to use the same
   address range so workstations can connect to the NAT server.

If such a conflict occurs with ICS, you do not get any errors in the
System Event Log—ICS simply won’t work.
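The event log message from step 8 can be recognized and triaged automatically. The script below is an added example written for this chapter, not code from the book or from Windows: it matches the message wording quoted in step 8 against constructed sample log lines (the 10.10.0.1 and 192.168.0.1 addresses are the exercise’s own example values; the second line is filler), and decides whether the foreign DHCP server sits inside the NAT server’s own network. The 255.255.255.0 mask on the NAT internal interface is an assumption.

```python
import ipaddress
import re

# Constructed System Event Log messages (text only). The first follows the wording
# quoted in step 8 of Exercise 29-5; the second is a made-up unrelated entry.
SAMPLE_EVENTS = [
    "The DHCP allocator (on IP address 10.10.0.1) was disabled in favor of a standard "
    "DHCP server with address 192.168.0.1.",
    "Routing and Remote Access service started.",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALLOCATOR_DISABLED = re.compile(
    r"DHCP allocator \(on IP address " + IPV4
    + r"\) was disabled in favor of a standard DHCP server with address " + IPV4
)


def classify_dhcp_conflict(message, nat_internal_mask="255.255.255.0"):
    """Return a dict describing a conflicting DHCP server, or None if the message is unrelated.

    nat_internal_mask is the subnet mask on the NAT server's internal interface
    (assumed /24 here). The log only reveals the other server's address; if that
    address lies in the NAT server's own network, the server is most likely handing
    out leases in the same range, which NAT tolerates. Either way, confirm with
    ipconfig /all on a workstation, as step 9 says.
    """
    m = ALLOCATOR_DISABLED.search(message)
    if not m:
        return None
    allocator_ip, dhcp_ip = m.groups()
    nat_net = ipaddress.ip_interface(f"{allocator_ip}/{nat_internal_mask}").network
    same_range = ipaddress.ip_address(dhcp_ip) in nat_net
    if same_range:
        action = ("NAT should keep working; check the scope's gateway and DNS options "
                  f"still point at {allocator_ip}")
    else:
        action = (f"stop the DHCP server at {dhcp_ip} if it is not needed, or move its "
                  f"scope into the NAT server's range {nat_net}")
    return {"allocator": allocator_ip, "dhcp_server": dhcp_ip,
            "same_range": same_range, "action": action}


def triage(events, nat_internal_mask="255.255.255.0"):
    """Run every log message through the classifier and keep only the hits."""
    hits = (classify_dhcp_conflict(e, nat_internal_mask) for e in events)
    return [h for h in hits if h]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"allocator {hit['allocator']} disabled by DHCP server {hit['dhcp_server']}: {hit['action']}")
```

Running the same check over the log after a scheduled RRAS restart is a cheap way to catch the silent version of this failure, where nobody notices until the first workstation renews its lease.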
Certification Summary

To provide a good understanding of network address translation, this
chapter has detailed how it works, with both its benefits and limitations.
In Windows 2000, Microsoft offers network address translation in two
different forms: ICS and NAT. Which one you use (if at all) will depend on
your requirements. Both have advantages as well as limitations, and it is
better to understand thoroughly how they both work rather than make
assumptions. You may instinctively feel that ICS should only be used when a
server is not available and that NAT is always the better choice, but that
may not always be the case. Making such assumptions may cost you in the
exam when you are asked how each technically works, because they share
many components in common—it is dangerous to dismiss ICS as the “poor
relation”!

We looked at how to install and configure both ICS and NAT, and finally
offered suggestions on how to troubleshoot these services, should you have
problems.
Lab Question

You’ve been given five Internet addresses from your ISP, and you want to
use a shared Internet connection on your small network, which has a DHCP
server but no domain controller or routers. You want to reserve one of
these addresses for your company Web server. What steps should you go
through to implement a solution using network translation?

Lab Answer

Steps should include:

1. Configure NAT on a Windows 2000 server—if you want to use a DHCP server,
   you must disable the DHCP allocator, which you can’t do with ICS.
   Additionally, only NAT allows you to use more than one public address.

2. If you have not already done so, configure your Internet connection so
   you can successfully connect to the Internet from this machine.

3. If you have not already done so, enable RRAS with routing support.

4. Add the NAT routing protocol, and then add it to the internal interface
   and the external interface.

5. Disable the DHCP allocator under the NAT global properties by
   deselecting the option “Automatically assign IP addresses by using
   DHCP.”

6. On the external interface, specify your Internet addresses under the
   Address Pool tab, and with the Reservations button, specify the Internet
   IP address that will be used for your company Web server.

7. On the external interface, specify under the Special Ports tab the
   workstation IP address or name that will be hosting the Web server, and
   the port it will be using.