Chapter 7, NAT in Internet and Intranet Designs
|1| Chapter 7 Overview
A. Designs That Include NAT
1. Identify the requirements and constraints
for creating a NAT design.
2. Describe the relationship between NAT and
Microsoft Windows 2000.
3. Determine when to use NAT in an Internet
connectivity solution.
4. Identify the NAT design decisions you’ll
need to make.
B. Essential NAT Design Concepts
1. Determine where to place a NAT server in
your design.
2. Configure each NAT server interface.
3. Use NAT to automatically assign IP
addresses.
4. Determine whether to use NAT Domain Name
System (DNS) name resolution in your design.
C. Data Protection in NAT Designs
1. Use NAT to protect SOHO
network resources.
2. Use NAT to restrict outbound Internet access.
3. Use NAT and VPN to protect corporate
network resources.
D. NAT Design Optimization
1. Learn strategies for improving the
availability of your NAT design.
2. Learn strategies for improving the
performance of your NAT design.
Chapter 7, Lesson 1
Designs That Include NAT
Note There is a difference
between the NAT protocol and NAT devices. NAT, as described in the textbook,
refers to the Windows 2000 protocol provided by Routing and Remote Access.
However, in some settings, NAT might refer to the device on the LAN providing
address translation.
|2| 1. NAT
and Windows 2000
A. The NAT protocol in Routing and Remote
Access
1. NAT supports translated connections
between a SOHO and the Internet.
2. Translated connections allow the private SOHO network to use a private IP addressing scheme.
3. NAT uses IP in Windows 2000 to
communicate with the private network and the Internet.
4. NAT uses the IP routing filters in
Routing and Remote Access to restrict network traffic.
5. NAT allows SOHOs to secure network
resources cost effectively.
Note Keep in mind that NAT is
generally for smaller networks with limited security requirements. For network
designs that require stronger security, you can use NAT in combination with a
firewall or proxy server rather than using NAT alone.
B. NAT and Routing and Remote Access are
services that run on Windows 2000.
1. NAT and Routing and Remote Access are
included in Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, and Microsoft Windows 2000 Datacenter Server.
2. NAT is not available in Microsoft Windows
2000 Professional.
C. Do not enable IP routing and NAT on the
same computer.
Note Generally you shouldn't enable IP routing and NAT on the same computer. The NAT server should translate traffic between the private network and the Internet, never simply forward it. To protect private network resources, IP forwarding (IP routing) must be disabled on the NAT server interface connected to the Internet, so that nothing reaches the private network except translated replies to outbound connections and traffic you have explicitly mapped inward.
D. To create NAT designs, you should understand
1. General IP and IP routing theory
2. Firewalls and how to create them
3. The file types and protocols used by
Web-based and IP-based applications
E. NAT has several advantages over Internet Connection Sharing, a similar feature included with all versions of Windows 2000.
1. Provides more configuration options
2. Supports multiple public IP addresses
3. Lets you specify a range of private IP
addresses for the private network
4. Supports multiple interfaces to the
private network
|3| 2. NAT
Design Requirements and Constraints
A. Collect design requirements and
constraints before creating your design.
1. Amount and confidentiality of data
transmitted through the NAT server
2. Which resources in your private network
need to be accessible to Internet-based users
3. Plans for future network growth
4. Characteristics of existing routers,
including:
a. The protocols that the private network
uses
b. Router placement
c. WAN connections used
5. Application response times
6. Network availability requirements (uptime)
|4| B. NAT performs network address translation
by modifying the content of
1. IP header
2. Transmission Control Protocol (TCP)
header
3. User Datagram Protocol (UDP) header
4. Data portion of IP packets, for protocols that carry IP addresses or port numbers inside their payload and for which NAT has an editor (FTP, for example)
Note NAT supports only the IP protocol,
not other routable protocols such as Internetwork Packet Exchange (IPX)/SPX.
C. NAT cannot perform network address
translation on the following protocols:
1. Component Object Model (COM), Distributed
Component Object Model (DCOM)
2. Microsoft Remote Procedure Call (RPC)
3. Kerberos version 5
4. Internet Protocol Security (IPSec) packets that use the Authentication Header (AH) protocol. AH does not encrypt anything; it computes an integrity check value over the IP header, including the source and destination addresses, so any translation of those addresses invalidates the packet at the receiver.
5. Simple Network Management Protocol (SNMP)
6. Lightweight Directory Access Protocol
(LDAP)
D. If your design calls for a protocol that
NAT does not support, use Microsoft Proxy Server 2.0 proxy server solutions or
Routing and Remote Access routing solutions instead.
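The AH point above is the one most often misunderstood, so here is a constructed model of why an address translator breaks AH but not ESP. This is an added illustration, not code from the training kit or from Windows 2000: the 12-byte header layout, the shared key and the documentation-range addresses are assumptions, and the integrity check is a truncated HMAC-SHA1 standing in for the real AH and ESP ICVs.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumption: a shared security-association key for the constructed example.
KEY = b"constructed-demo-key"
HDR = "!4s4sBB2x"   # assumed minimal header: src, dst, protocol, TTL, padding


def ip_header(src: str, dst: str, proto: int = 6, ttl: int = 64) -> bytes:
    """Build the simplified IP header used by this model."""
    return struct.pack(HDR, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, proto, ttl)


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH covers the immutable header fields (addresses, protocol) plus the payload.
    Mutable fields such as TTL are zeroed before hashing, as AH specifies."""
    src, dst, proto, _ttl = struct.unpack(HDR, header)
    immutable = struct.pack(HDR, src, dst, proto, 0)
    return hmac.new(KEY, immutable + payload, hashlib.sha1).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]


def nat_translate(header: bytes, new_src: str) -> bytes:
    """What a NAT server does on the way out: rewrite the source address.
    The TTL decrement models the router hop and does not affect AH."""
    _src, dst, proto, ttl = struct.unpack(HDR, header)
    return struct.pack(HDR, ipaddress.IPv4Address(new_src).packed, dst, proto, ttl - 1)


def ah_verifies(header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(header, payload), icv)


def esp_verifies(payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(payload), icv)


def demo() -> dict:
    """A private host sends one packet; the NAT server rewrites its source."""
    payload = b"constructed payload"
    original = ip_header("192.168.0.10", "203.0.113.5")
    ah = ah_icv(original, payload)
    esp = esp_icv(payload)
    translated = nat_translate(original, "198.51.100.1")
    return {
        "ah_before_nat": ah_verifies(original, payload, ah),
        "ah_after_nat": ah_verifies(translated, payload, ah),
        "esp_after_nat": esp_verifies(payload, esp),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver of the translated packet sees a source address that was never covered by the sender's AH check value, so AH verification fails; ESP's check value never included the outer header, so it survives the rewrite. The same reasoning applies to the other protocols in the list above that embed addresses in data the translator cannot rewrite.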
|5| 3. NAT
Design Decisions
A. Base design decisions on your
organization’s requirements and constraints.
B. Decide what technologies and protocols
your NAT design will support.
1. Types of connections (persistent or
nonpersistent)
2. Types of clients that the NAT server will
support
3. Connection methods
a. T1
b. Public Switched Telephone Network (PSTN)
c. Integrated Services Digital Network
(ISDN)
d. Digital Subscriber Line (DSL)
e. X.25
4. Network traffic filtering criteria
5. Methods for providing access to private
network resources
6. Number of connections
|6| 4. Stand-Alone SOHO
Internet Connectivity Designs
A. Most SOHO
designs are for stand-alone networks.
B. Stand-alone SOHO Internet connectivity designs use the NAT server instead of a firewall, router, or proxy server.
|7| C. Use NAT
to
1. Provide automatic IP configuration to
Dynamic Host Configuration Protocol (DHCP) clients in your private network
2. Use Routing and Remote Access IP filters
to
a. Restrict access to Internet resources
b. Restrict the type of IP traffic sent
through the NAT server
3. Provide automatic network address
translation between the private network and the Internet. NAT supports public
and private IP addressing schemes.
4. Provide cost-effective, shared Internet
access
5. Provide Internet connectivity over any network
interface that Windows 2000 supports
|8| 5. Branch
Office Connectivity Designs
A. Some large organizations include a number
of SOHOs.
B. Employees who work from SOHOs need to
connect to the corporate network.
C. Use VPN tunnels to connect SOHOs in the
private network through the NAT server to the corporate network. This strategy
protects transmitted data.
Note NAT doesn’t provide
user-by-user security. A VPN is the best way to authenticate remote users and
encrypt data in transit.
D. Use VPNs to resolve problems when certain
applications and networking services don’t run correctly through a NAT server.
E. In branch office connectivity designs, NAT
must
1. Meet all stand-alone SOHO Internet
connectivity requirements
2. Protect data transmitted between the
branch office and the corporate network. VPN tunnels can protect the data by
providing authentication and data encryption.
Chapter 7, Lesson 2
Essential NAT Design Concepts
|9| 1. Placing
NAT in the Network Design
A. Place
the NAT server between the SOHO’s or branch
office’s private network segment and the Internet.
B. When you place the NAT server, do the
following:
1. Isolate all SOHO
or branch office private network segments from the Internet.
2. Enable IP forwarding on all NAT server
interfaces connected to SOHO or branch office
network segments.
3. Disable IP forwarding on the NAT server
interface connected to the Internet.
|10| 2. Determining
NAT Server Interface Specifications
A. Each NAT server needs at least two network
interfaces:
1. One to the Internet
2. One or more to the SOHO
or branch office network
B. Specify the following for each NAT server
interface in your design:
1. Connection type (persistent or
nonpersistent)
2. IP configuration information for all
interfaces connected to IP network segments
a. IP address
b. IP subnet mask
|11| 3. Providing
Automatic IP Address Assignment
A. Decide which IP configuration method to
use for configuring IP information for client computers. Available methods are
1. NAT automatic IP address assignment
a. Advantages:
(1) Reduces configuration time and errors
(2) Supports multiple segments
(3) Requires no additional purchases
b. Disadvantage: is available only to DHCP
client computers.
2. Manual configuration
a. Advantage: is available for any IP client
b. Disadvantages:
(1) Is time consuming
(2) Is prone to configuration errors
3. APIPA
a. Advantages:
(1) Reduces configuration time and errors
(2) Requires no additional purchases
b. Disadvantages:
(1) Is available only to Microsoft Windows 98,
Microsoft Windows Me, and Windows 2000 clients
(2) Supports only single-segment SOHOs and
branch office networks
Note While APIPA automatically
configures computers, you must manually select the IP address for the NAT
interface.
4. DHCP server
Note If you use NAT automatic IP address assignment, no separate DHCP server should be providing IP address configuration on the same segment; otherwise clients can receive conflicting configurations.
a. Advantages:
(1) Reduces configuration time and errors
(2) Supports multiple network segments
b. Disadvantages:
(1) Is available only to DHCP client computers
(2) Requires setting up additional computers as
DHCP servers
|12| 4. Providing
DNS Name Resolution
Note NAT DNS name resolution acts as a DNS proxy: it forwards DNS name resolution requests from clients on the private network to the Internet-based DNS servers configured on the NAT server and returns the answers to the clients.
A. Client computers in your NAT design need
fully qualified domain names (FQDNs) to access Internet resources.
B. DNS servers resolve requests to these
FQDNs to IP addresses.
C. Specify the DNS server the client
computers will use to resolve FQDNs by doing one of the following:
1. Manually configuring each client computer
to use specific DNS servers
2. Specifying that all client computers automatically use the NAT server as their DNS server, so that the NAT server forwards their requests to the Internet DNS servers it is configured to use
Chapter
7, Lesson 3
Data
Protection in NAT Designs
Note At the very least, incorporate
NAT security features into designs that include Internet connectivity. Often, SOHO network designs lack basic security devices such as
firewalls.
1. Protecting SOHO
Network Resources
A. In your NAT designs, protecting SOHO network resources is your top security concern.
B. In NAT designs, the NAT server is usually
solely responsible for protecting SOHO network
resources.
C. Base design decisions on your
organization’s security needs.
Note By default NAT discards any inbound packet from the Internet that does not match a translation entry created by an outbound connection or a mapping you configured. The following methods let you admit inbound Internet traffic selectively.
|13| D. To protect SOHO
network resources, use one of the following methods:
1. Routing and Remote Access IP packet
filters
a. Restrict inbound traffic based on IP
header information
b. Allow you to specify which IP header
information is used to determine how data is filtered
Note Create Routing and Remote
Access filters by specifying the source or destination IP address range and the
protocol type of packets to be filtered.
2. NAT address mapping
a. Provides inbound access to SOHO network resources
b. The NAT server maps requests for the
public IP address with a specific TCP or UDP port number to a resource within
the SOHO network.
c. Create a NAT address map entry for each SOHO resource that Internet users will access.
d. You can expose only as many SOHO resources to the Internet as you have TCP or UDP port numbers.
e. Works with a single public IP address, which requires you to use additional port numbers to provide access to multiple resources.
3. NAT address pools
a. Provide inbound access to SOHO network resources
b. The NAT server maps requests for one of
the public IP addresses with a specific TCP or UDP port number to resources
within the SOHO network.
c. Specify the combination of public IP
address and TCP or UDP port number for each SOHO
network resource that Internet users will access.
d. The number of SOHO resources that you can expose to the Internet is limited by the number of public IP addresses in the NAT address pool multiplied by the number of TCP and UDP port numbers available on each address.
e. NAT address pools work with multiple
public IP addresses, which requires you to combine public IP addresses and
additional port numbers to make multiple resources accessible.
E. You cannot use NAT address mapping and NAT
address pools in the same design.
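To make the inbound-discard rule and the address-mapping and address-pool mechanisms concrete, here is a constructed model of a NAT server's translation table. This is an added example, not code from the training kit or from Windows 2000; the `NatServer` class, the starting translated port 49152 and the documentation-range addresses are assumptions, and the model tracks which remote endpoint each outbound session contacted so that only that endpoint's replies are let back in.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


Endpoint = Tuple[str, str, int]   # (protocol, address, port)


class NatServer:
    """Constructed model: one or more public addresses in front of a private segment."""

    def __init__(self, public_ips: List[str], private_net: str):
        self.public_ips = list(public_ips)      # one entry = single public IP; several = address pool
        self.private_net = ipaddress.ip_network(private_net)
        # dynamic entries: public endpoint -> (private endpoint, remote endpoint it contacted)
        self.dynamic: Dict[Endpoint, Tuple[Endpoint, Endpoint]] = {}
        self.reverse: Dict[Endpoint, Endpoint] = {}   # private endpoint -> public endpoint
        # static entries (NAT address mapping): public endpoint -> private endpoint
        self.static: Dict[Endpoint, Endpoint] = {}
        self._ports = count(49152)                    # assumption: translated ports start here
        self.dropped: List[Packet] = []

    def add_address_mapping(self, proto: str, public_ip: str, public_port: int,
                            private_ip: str, private_port: int) -> None:
        """Expose one private resource; each needs its own (public IP, port) pair."""
        if public_ip not in self.public_ips:
            raise ValueError("public IP is not assigned to this NAT server")
        key = (proto, public_ip, public_port)
        if key in self.static:
            raise ValueError("that public IP and port already expose another resource")
        self.static[key] = (proto, private_ip, private_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private network; create a mapping on first use."""
        if ipaddress.ip_address(pkt.src) not in self.private_net:
            self.dropped.append(pkt)     # not from the isolated private segment
            return None
        priv = (pkt.proto, pkt.src, pkt.sport)
        if priv not in self.reverse:
            pub = (pkt.proto, self.public_ips[0], next(self._ports))
            self.reverse[priv] = pub
            self.dynamic[pub] = (priv, (pkt.proto, pkt.dst, pkt.dport))
        _, pub_ip, pub_port = self.reverse[priv]
        return Packet(pub_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; anything unmatched is discarded."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.dynamic:
            priv, remote = self.dynamic[key]
            if remote != (pkt.proto, pkt.src, pkt.sport):
                self.dropped.append(pkt)  # sent to a live port, but not by the host contacted
                return None
        elif key in self.static:
            priv = self.static[key]
        else:
            self.dropped.append(pkt)      # default behaviour: no entry, no delivery
            return None
        _, priv_ip, priv_port = priv
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)


def demo():
    """Two public addresses (an address pool); the second publishes an internal web server."""
    nat = NatServer(["198.51.100.1", "198.51.100.2"], "192.168.0.0/24")
    nat.add_address_mapping("tcp", "198.51.100.2", 80, "192.168.0.20", 80)
    out = nat.outbound(Packet("192.168.0.10", 3001, "203.0.113.5", 80))   # client browses out
    reply = nat.inbound(Packet("203.0.113.5", 80, out.src, out.sport))    # server's reply: allowed
    probe = nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 3389))  # unsolicited: dropped
    forged = nat.inbound(Packet("203.0.113.99", 80, out.src, out.sport))  # wrong peer: dropped
    web = nat.inbound(Packet("203.0.113.7", 5000, "198.51.100.2", 80))    # mapped resource: allowed
    return out, reply, probe, forged, web


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The `probe` and `forged` cases are the security property the note above describes: without an entry the NAT server has nothing to translate to, so the packet never reaches the private segment. Each `add_address_mapping` call deliberately consumes one public endpoint, which is the port-count limit stated for address mapping and address pools.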
|14| 2. Restricting
Access to Internet Resources
A. In your NAT designs, you may also want to
restrict SOHO network user access to the
Internet.
B. Base design decisions on your
organization’s security needs.
C. Using Routing and Remote Access IP packet
filters is the only way to restrict outbound traffic to the Internet.
Note Routing and Remote Access
IP packet filters specify which IP packets the NAT interface forwards or
rejects.
1. You can specify the criteria for
restricting outbound traffic based on any combination of IP header information.
2. You can allow or disallow SOHO network users to access individual Internet
resources or groups of Internet resources.
3. The design decisions for IP packet
filters in a NAT design are identical to the design decisions in an IP routing
design.
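The filter model used by Routing and Remote Access is a default action per interface and direction ("drop all except the filters below" or "receive all except the filters below") plus a list of exceptions matched on source and destination addresses, protocol and ports. The following is a constructed Python model of that evaluation, added here as an example and not taken from the training kit or from Windows 2000; the `Filter` and `FilterSet` names, the CIDR notation and the sample addresses are assumptions. One caveat for a real deployment that the model leaves out: a "drop all except" input filter on the Internet interface must also admit replies to sessions the private network opened (Windows 2000 offers an established-TCP protocol choice for that), or outbound browsing stops working.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Filter:
    """One exception entry: any field left at its default matches everything."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class FilterSet:
    """Default action for one interface direction plus its exception list."""
    mode: str                     # "drop_all_except" or "receive_all_except"
    filters: List[Filter]

    def permits(self, pkt: Packet) -> bool:
        matched = any(f.matches(pkt) for f in self.filters)
        if self.mode == "drop_all_except":
            return matched            # only listed traffic passes
        if self.mode == "receive_all_except":
            return not matched        # listed traffic is the traffic dropped
        raise ValueError(f"unknown filter mode {self.mode!r}")


# Assumed public address 198.51.100.1 with an internal web server published on port 80.
INTERNET_INPUT = FilterSet("drop_all_except", [
    Filter(dst_net="198.51.100.1/32", proto="tcp", dport=80),
])

# Outbound policy on the Internet interface: let everything out except
# direct SMTP and Telnet, which this design decided SOHO users may not use.
INTERNET_OUTPUT = FilterSet("receive_all_except", [
    Filter(proto="tcp", dport=25),
    Filter(proto="tcp", dport=23),
])


def evaluate(filter_set: FilterSet, packets: List[Packet]) -> List[bool]:
    return [filter_set.permits(p) for p in packets]


def demo():
    inbound = [
        Packet("203.0.113.5", 40000, "198.51.100.1", 80),    # web request: permitted
        Packet("203.0.113.5", 40001, "198.51.100.1", 3389),  # RDP probe: dropped
    ]
    outbound = [   # source already translated to the public address by NAT
        Packet("198.51.100.1", 49152, "203.0.113.9", 443),   # HTTPS: permitted
        Packet("198.51.100.1", 49153, "203.0.113.9", 25),    # direct SMTP: dropped
    ]
    return evaluate(INTERNET_INPUT, inbound), evaluate(INTERNET_OUTPUT, outbound)


if __name__ == "__main__":
    print(demo())
```

Choosing "drop all except" for the Internet-facing input direction and "receive all except" for outbound traffic is the usual shape of a SOHO design: inbound exposure is enumerated explicitly, while outbound restrictions are exceptions to a generally open policy.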
|15| 3. Protecting
Corporate Network Resources
A. If your NAT design requires connectivity
to corporate networks, use VPN to protect confidential data.
Note Use a VPN for things such
as authentication and data encryption, securing access to resources on a
user-by-user basis, and allowing access to a private network from the Internet.
B. To protect confidential
data, use one of the following VPN solutions:
1. Point-to-Point Tunneling Protocol (PPTP)
and Microsoft Point-to-Point Encryption (MPPE)
2. Layer 2 Tunneling Protocol (L2TP) and
IPSec using the Encapsulating Security Payload (ESP) protocol
C. Do not use L2TP and the IPSec AH protocol in NAT designs; AH authenticates the IP header, and the address translation invalidates that check.
Note PPTP passes through Windows 2000 NAT because NAT includes an editor for PPTP's GRE tunnel. Plain IPSec ESP in transport mode, as L2TP/IPSec uses it, does not traverse an address translator unless both ends support IPSec NAT traversal (UDP encapsulation of ESP), which was not part of the original Windows 2000 release; verify that support exists before placing an L2TP/IPSec endpoint behind a NAT server.
Chapter 7, Lesson 4
NAT Design Optimization
Note Dedicating a computer to
run NAT will improve network performance.
|16| 1. NAT
Optimization Techniques
A. You can optimize your design for increased
availability and improved performance.
B. Base your decisions on your organization’s
requirements.
C. NAT does not include optimization methods.
D. Optimize your hardware and Windows 2000
configuration to improve Internet connectivity performance and availability by
1. Dedicating a computer to running NAT.
This prevents problems with unstable applications and over-used system
resources.
2. Choosing a different, persistent Internet
connection with a higher data rate
E. If your design requires better
availability or performance, consider including Microsoft Proxy Server 2.0
proxy servers or Routing and Remote Access–based routing solutions.
|17| Chapter Summary
A. Using the NAT protocol in Routing and
Remote Access is a cost-effective way to provide Internet connectivity to SOHOs
and large organizations made up of multiple SOHOs.
B. Position the NAT server between the SOHO and the Internet.
C. Use Routing and Remote Access packet filters, NAT address mapping, or NAT address pools to protect SOHO network resources from unauthorized Internet access.
D. Use VPN to protect confidential data if
your NAT design requires connectivity between SOHOs and corporate networks.
E. Although NAT does not provide any
optimization methods, you can make hardware and Windows 2000 configuration
changes to increase the performance and availability of your design.