Network Address Translation
Because IPv4 addresses are a scarce resource, most ISPs provide only one address to a single customer. In the majority of cases, this address is assigned dynamically, so every time a client connects to the ISP, a different address is provided. Big companies can buy more addresses, but for small businesses and home users the cost of doing so is prohibitive. Because such users are given only one IP address, they can have only one computer connected to the Internet at a time.
Network address translation (NAT) technology was developed as a temporary solution to the IPv4 address-depletion problem. NAT is a method of connecting multiple computers to the Internet (or any other IP network) using just one IP address. With a NAT gateway running on the computer that holds this single address, it is possible to share that address between multiple local computers and connect them all at the same time. The outside world is unaware of this division and sees only one computer connected.
To combat certain types of security problems, a number of firewall products are available. These are placed between the user and the Internet to verify all traffic before allowing it to pass through. This means, for example, that no unauthorized user is allowed to access the company's file or email server.
NAT automatically provides firewall-style protection without any special setup. The basic purpose of NAT is to multiplex traffic from the internal network and present it to the Internet as if it were coming from a single computer with only one IP address. The TCP/IP protocols include a multiplexing facility so that any computer can maintain multiple simultaneous connections with a remote computer. For example, an internal client can connect to an outside FTP server, but an outside client cannot connect to an internal FTP server, because it would have to originate the connection and NAT does not allow that. It is still possible to make some internal servers available to the outside world via inbound mappings, which map certain well-known TCP ports (for example, 21 for FTP) to specific internal addresses, thus making services such as FTP or web available in a controlled way.
A modern NAT gateway must change the source address on every outgoing packet to be its single public address. It therefore also renumbers the source ports to be unique, so that it can keep track of each client connection. The NAT gateway uses a port mapping table to remember how it renumbered the ports for each client's outgoing packets. The port mapping table relates the client's real local IP address and source port plus its translated source port number to a destination address and port. The NAT gateway can therefore reverse the process for returning packets and route them back to the correct clients.
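The port mapping table described above, together with the inbound mappings from the previous paragraph, as an added illustrative model (not code from the original tutorial or from Windows RRAS). All addresses and ports are constructed; the gateway hands out translated source ports sequentially, which is an assumption, not how a real NAT necessarily allocates them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed public address for illustration (RFC 5737 documentation range).
PUBLIC_IP = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Port mapping table: translated source port -> client flow."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.by_flow: Dict[Tuple[str, int, str, int], int] = {}
        self.static: Dict[int, Tuple[str, int]] = {}  # inbound mappings

    def add_inbound_mapping(self, public_port: int, host: str, port: int) -> None:
        # Equivalent of a Services and Ports entry: expose one internal server.
        self.static[public_port] = (host, port)

    def outbound(self, pkt: Packet) -> Packet:
        # Rewrite the source to the single public address and a unique port,
        # reusing the mapping if this client flow has already been seen.
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Reverse the translation only for a reply to a recorded flow or for a
        # configured inbound mapping; anything else has no entry and is dropped.
        flow = self.table.get(pkt.dst_port)
        if flow and (flow[2], flow[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        if pkt.dst_port in self.static:
            host, port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, host, port)
        return None
```

An `inbound` result of `None` is the firewall-style behaviour the text describes: an outside host that originates a connection finds no table entry and its packet goes nowhere.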
Enabling NAT
To enable NAT addressing, follow these steps:
- Open Routing and Remote Access.
- To add NAT, right-click General under IPv4 and select New Routing Protocol. Select NAT and click OK.
- In the console tree, click NAT under IPv4.
- Right-click NAT and then click Properties.
- On the Address Assignment tab, select Automatically Assign IP Addresses by Using the DHCP Allocator check box.
- (Optional) To allocate to DHCP clients on the private network, in IP address and Mask, configure the range of IP addresses.
- (Optional) To exclude addresses from allocation to DHCP clients on the private network, click Exclude, click Add, and then configure the addresses.
To specify the internal and external interfaces, right-click NAT under IPv4 and select New Interface. Select the physical interface and click OK. Specify either Private Interface Connected to the Private Network or Public Interface Connected to the Internet. If you select Public Interface Connected to the Internet, also select Enable NAT on This Interface. Click OK.
To forward a protocol to a specific internal server through the NAT server, follow these steps:
- Right-click the public interface and select Properties.
- Select the Services and Ports tab.
- Select the protocol that you want to forward.
- When the Edit Services dialog box appears, specify the private address and click OK to close the Edit Services dialog box.
- Click OK to close the Properties dialog box.
NAT and Teredo
IPv6 traffic that is tunneled with Teredo is not subject to the IPv4 packet filtering function of typical NATs. Although this might sound like Teredo is bypassing the NAT and allowing potentially malicious IPv6 traffic on private networks, consider the following:
- Teredo does not change the behavior of NATs. Teredo clients create dynamic NAT translation table entries for their own Teredo traffic. The NAT forwards incoming Teredo traffic to the host that created the matching NAT translation table entry. The NAT does not forward Teredo traffic to computers on the private network that are not Teredo clients.
- Teredo clients that use a host-based, stateful firewall that supports IPv6 traffic (such as Windows Firewall) are protected from unsolicited, unwanted, incoming IPv6 traffic. Windows Firewall is enabled by default for Windows XP with SP2, Windows Vista, and Windows Server 2008.
If you want Teredo to communicate through a Windows Server 2008 computer with the firewall enabled, you must configure the firewall to allow Teredo traffic.