Chapter 12, Using Network Address Translation
Chapter 12, Lesson 1
Introducing NAT
|1| 1. Routing to the Internet
A. To connect a private network to the Internet, you must have a
router that is configured to forward data packets back and forth between the
networks.
1. The
danger in using a standard router to connect a network to the Internet is that
the same technology that enables your network users to see and access computers
on the Internet also enables users on the Internet to see and possibly access
your computers.
2. A normal routed connection to the
Internet requires you to supply all your computers with registered IP
addresses.
3. To use RRAS as an Internet router, you
must have a computer running Windows 2000 Server with a standard local area
network (LAN) connection and another connection to your Internet service provider (ISP).
a. The ISP connection can use a dial-up
modem, Integrated Services Digital Network (ISDN), a cable modem, a leased
line, or any other type of wide area
network (WAN)
technology.
4. After the router is connected to the
Internet, the computers on your network actually become part of the Internet.
a. Your users can now access Internet
services, but at the same time, those registered IP addresses are visible to
other users anywhere on the Internet.
5. Some measure of protection is provided by
share passwords, NTFS file system permissions, and other
Windows security features, but when your computers are visible to the Internet,
someone can eventually find a way to break into them.
|2| B. The alternative to a routed Internet connection is to use
unregistered addresses instead of registered ones.
1. Unregistered addresses are free for
anyone to use, without informing an ISP or the Internet Assigned Numbers Authority (IANA).
2. To avoid duplicating addresses that are
already owned by other networks, IANA has reserved three address ranges for use
by unregistered networks.
a. Because the addresses in these ranges are
not associated with any specific network, they are invisible from the Internet.
(1) Advantage: Internet users cannot send
packets to a computer using an unregistered address, so they cannot penetrate
its security.
(2) Disadvantage: Using unregistered addresses
makes computers inaccessible to all Internet systems, not just potential
intruders.
(a) A Web browser running on an unregistered
computer can send a request to a Web server on the Internet, but the Web server
cannot send a reply back to the browser because it cannot send traffic to the
unregistered address.
(b) The solution to this problem is to use a
service such as NAT, which makes the unregistered computers appear as though
they are accessible from the Internet.
|3| 2. Understanding NAT
A. NAT enables networks to use unregistered IP addresses and still
participate on the Internet.
1. The computers on a network using NAT
still have unregistered IP addresses and are still invisible to the Internet.
2. It is only through an intervening service
such as NAT that private network computers can access Internet servers and
receive replies from them.
B. NAT is a service built into a router that modifies the header
information in IP datagrams before sending them on to their destinations.
1. In a standard (nontranslating) router,
the only changes made to the datagram during the routing process occur
a. In the IP header’s Time to Live value
(which indicates the number of routers the packet has passed through)
b. In certain optional fields (in rare cases)
2. A router that uses NAT modifies the most
crucial header fields in the datagram, the Source IP Address and Destination IP
Address fields in the IP header and, in some cases, the Source
Port and Destination Port
fields in the transport-layer protocol header.
C. Web client/server transaction without NAT
1. When a client application such as a Web
browser running on a computer with an unregistered IP address generates an
Internet service request, it sends the resulting message packets to its default
gateway, which is the router on the network providing access to the Internet.
2. The packets generated by the client
computer have the system’s unregistered address in the Source IP Address field
of the IP header and an ephemeral port number chosen by the client at random in
the Source Port field.
3. The destination IP address is the address
of the Web server and the destination port value is 80, the well-known port for
the Hypertext Transfer Protocol (HTTP) used by Web servers.
4. The NAT router, like all routers, has at
least two network interfaces.
a. One of the interfaces is connected to the
local network, and in this case it has an unregistered IP address so it can
participate on that network.
b. The other interface must have a registered
IP address because it is directly connected to the Internet through an ISP.
c. The two network connections make it
possible for the router to forward packets it receives from the local
(unregistered) network to the destination Web server on the Internet.
5. The Web server can receive the requests
and process them, but without NAT, the replies that the server generates are
directed to the client’s unregistered address, which does not exist on the
Internet.
|4| D. Web client/server transaction with NAT
1. On a translated network (shown on Slide 4),
the router still has one registered IP address and one unregistered one, but it
is also running a NAT service.
2. Upon receiving the requests from the
client, the NAT service reads headers in each packet and creates an entry in a
NAT table that contains the following information:
a. The destination address for the packet
(found in the Destination IP Address field)
b. The destination port (typically the
well-known port number associated with an Internet server)
c. The packet’s source address (which is the
unregistered IP address of the client computer)
d. A substitute ephemeral port number chosen
at random by the NAT server
3. The NAT router then modifies the header
fields in the packets by
a. Substituting its own registered IP address
for the client’s unregistered address
b. Substituting the port number it has
selected for the one generated by the client computer
4. The router recalculates the checksum
values for the headers to reflect the datagram’s changed contents and then
forwards the packets to the Web server on the Internet in the normal manner.
5. The server, having no knowledge of the
client on the unregistered network, processes the requests that seem to have
originated from the NAT router’s address and port number and returns its
replies to that address and port.
6. The NAT router receives the reply packets
from the Web server.
a. Using the information in the NAT table
entry, the NAT router performs the same translation in reverse, substituting
the client’s private address for its own registered address and the client’s
ephemeral port number for its own.
b. The NAT router transmits the reply packets
to the client.
(1) The Web client appears to communicate
directly with the Internet server.
(2) The Web server appears to communicate
directly with a client (actually the NAT router) using a registered address.
(3) To other users on the Internet, only the
router appears to exist; the actual client is totally hidden and protected from
unauthorized access.
3. NAT Components
|5| A. NAT implementations can take several forms:
1. The service can be integrated into a
hardware device, such as an Internet access router.
2. NAT can be a separate software product,
such as a software router.
3. NAT can be integrated into an operating
system, as is the case with Windows 2000.
|6| B. The core component of any NAT implementation is the translation
component—that is, the network address translator itself.
1. The network address translator actually
modifies the packet headers as they are being routed to their destinations and
keeps track of the clients and their Internet transactions.
2. Every NAT implementation has a
translator, but some implementations have a variety of other components as
well.
C. High-end hardware routers designed to provide Internet access
to large enterprise networks typically have only the translation capabilities.
1. This is because the designers expect the
network to implement any other services that are needed on other computers.
2. The translation process itself already
adds a significant extra burden to the router on a busy network.
a. Including additional services would
increase the cost of an already expensive component and create a single point
of failure.
D. NAT implementations that are intended for use on relatively
small networks often include other services that simplify the process of
deploying an Internet access solution for the entire network.
1. These services are typically designed to
be “all-in-one” Internet access solutions.
a. They include an IP addressing component
and a name resolution component.
2. The IP addressing component is a
simplified Dynamic Host Configuration Protocol (DHCP) server, which is
configured to supply the client computers on the network with
a. An unregistered IP address
b. An appropriate subnet mask
c. A default gateway address (which is the
address of the NAT router itself)
d. A Domain Name System (DNS) server address
3. The name resolution component of the NAT
router is either a caching-only DNS server or a DNS proxy.
a. In either case, the DNS service in the NAT
router receives the recursive name resolution queries generated by the clients
and attempts to resolve them.
b. The difference between a caching-only DNS
server and a DNS proxy is that the
caching-only server sends iterative queries to other DNS servers in an attempt
to resolve the name specified by the client.
c. A DNS proxy receives the recursive
queries from the clients and then sends recursive queries of its own to another
DNS server on the Internet, as specified in the router’s configuration
parameters.
|7| 4. Static and Dynamic Address Mapping
A. NAT can use either static or dynamic mapping.
1. A static mapping is a configuration that
always maps traffic in a specific way.
a. You can map all traffic to and from a
specific private network location to a specific Internet location.
(1) For example, to run an Internet Web server
on a computer on your private network, you create a static mapping that always
associates the unregistered IP address of the Web server to a particular
registered IP address so that Internet users can always access the server at
the same address.
2. Dynamic mappings are created when users
on the unregistered network initiate traffic with Internet locations, such as
when a Web browser connects to a server on the Internet.
a. The NAT router automatically adds the
dynamic mappings to its NAT table and refreshes them with each use so that it
can successfully forward the replies from the server to the client.
b. Dynamic mappings that are not refreshed
are removed from the NAT table after a specified amount of time.
(1) For Transmission Control Protocol (TCP) connections, the default
time-out is 24 hours.
(2) For User Datagram Protocol (UDP) traffic,
the default time-out is 1 minute.
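Added example, not taken from the course notes: a small model of the NAT table described in section 2.D above, the dynamic-mapping time-outs from section 4 (TCP 24 hours, UDP 1 minute), and one permanent port-level mapping of the kind Lesson 2's Special Ports tab creates. All addresses and ports are constructed sample values; the point it shows beyond the text is that an inbound packet with no matching table entry is simply dropped.

```python
"""Added example, not from the course notes: a small model of the NAT table in
Lesson 1, section 2.D, with the dynamic-mapping time-outs of section 4 and one
permanent port mapping. Addresses are constructed (documentation ranges)."""
from dataclasses import dataclass
import random

TIMEOUT = {"tcp": 24 * 60 * 60, "udp": 60}   # idle time-outs in seconds (section 4)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    """One NAT table entry (section 2.D.2); the substitute port is the key."""
    dst_ip: str
    dst_port: int
    private_ip: str
    private_port: int
    last_used: float


class NatRouter:
    def __init__(self, public_ip, seed=0):
        self.public_ip = public_ip
        self._rng = random.Random(seed)   # seeded so the demo is repeatable
        self.table = {}                   # (proto, public_port) -> Entry
        self.special_ports = {}           # (proto, public_port) -> (ip, port)

    def add_special_port(self, proto, public_port, private_ip, private_port):
        """Permanent port-level mapping (what the Special Ports tab creates)."""
        self.special_ports[(proto, public_port)] = (private_ip, private_port)

    def _expire(self, now):
        """Remove dynamic entries not refreshed within their time-out."""
        for key in [k for k, e in self.table.items() if now - e.last_used > TIMEOUT[k[0]]]:
            del self.table[key]

    def _find(self, pkt):
        """Existing entry for this client flow, so repeated packets reuse it."""
        want = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, port), e in self.table.items():
            if proto == pkt.proto and (e.private_ip, e.private_port, e.dst_ip, e.dst_port) == want:
                return port, e
        return None

    def _free_port(self, proto):
        while True:
            port = self._rng.randint(49152, 65535)
            if (proto, port) not in self.table and (proto, port) not in self.special_ports:
                return port

    def outbound(self, pkt, now):
        """Private -> Internet: substitute the router's registered address and a
        port it chose; create the table entry or refresh its timestamp."""
        self._expire(now)
        found = self._find(pkt)
        if found:
            port, entry = found
            entry.last_used = now
        else:
            port = self._free_port(pkt.proto)
            self.table[(pkt.proto, port)] = Entry(pkt.dst_ip, pkt.dst_port,
                                                  pkt.src_ip, pkt.src_port, now)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Internet -> private: reverse the translation. None means no static or
        dynamic mapping matched, so the packet is dropped (the host stays hidden)."""
        self._expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.special_ports:
            ip, port = self.special_ports[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        entry = self.table.get(key)
        # A dynamic entry only accepts replies from the server it was created for.
        if entry is None or (entry.dst_ip, entry.dst_port) != (pkt.src_ip, pkt.src_port):
            return None
        entry.last_used = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry.private_ip, entry.private_port)


def demo():
    """Section 2.D's Web transaction, plus an unsolicited packet that yields None."""
    nat = NatRouter("203.0.113.1", seed=1)
    out = nat.outbound(Packet("tcp", "192.168.0.10", 3456, "203.0.113.5", 80), now=0.0)
    back = nat.inbound(Packet("tcp", "203.0.113.5", 80, "203.0.113.1", out.src_port), now=1.0)
    probe = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", out.src_port), now=1.0)
    return out, back, probe
```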
|8| 5. NAT Editors
A. By default, a NAT server translates only IP addresses and the
port numbers in TCP and UDP headers, which alone makes it compatible with many
Internet applications.
1. If the packets generated by an
application contain IP address and port information only in the IP and TCP/UDP
headers, NAT can translate the packets.
a. The translation enables the client and the
server to communicate transparently.
b. Example: HTTP traffic
B. Some applications and protocols, however, carry IP addresses or
port numbers in places other than the IP, TCP, and UDP headers.
1. For example, the File Transfer Protocol
(FTP) stores IP addresses in the FTP header for the FTP port command.
a. If the NAT server does not properly
translate this IP address, connectivity problems can occur.
2. Because FTP is text-based, the IP address
is stored in dotted-decimal format, and the number of digits in the FTP
header’s translated IP address is not predictable.
a. The NAT server must be able to translate these values as well.
C. When the NAT router must translate packet
information outside of the IP, TCP, and UDP headers, a NAT editor is required
on the router.
1. A NAT editor is an installable component
that can properly modify otherwise non-translatable payloads so that they can
be forwarded between unregistered and registered networks.
2. The Windows 2000 NAT implementation
includes built-in NAT editors for the following protocols:
a. FTP
b. Internet Control Message Protocol (ICMP)
c. Point-to-Point Tunneling Protocol (PPTP)
d. NetBIOS over TCP/IP (NetBT)
3. Additionally, the NAT routing protocol
includes proxy software for the following protocols:
a. H.323
b. Direct Play
c. Lightweight Directory Access Protocol
(LDAP)–based Internet Locator Service (ILS) registration
d. Remote procedure call (RPC)
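Added example, not taken from the course notes: the FTP PORT case from section 5 above. The client's address and port travel as dotted-decimal text inside the FTP payload, so header-only translation leaves the private address there; the functions below parse and rewrite that line the way a NAT editor must, and return the length change that the editor then has to carry into later TCP sequence numbers. Addresses and the port allocator are constructed for this example.

```python
"""Added example, not from the course notes: the FTP PORT case from Lesson 1,
section 5. The client's address and port travel as text inside the FTP payload,
so a router that rewrites only the IP and TCP headers leaves the private address
there and the server's data connection fails. Addresses and the port allocator
are constructed for this example."""
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(line):
    """Return (ip, port) from a PORT line, or None if it is not well formed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port_command(ip, port):
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}\r\n"


def edit_port_command(line, private_ip, public_ip, allocate_port):
    """NAT-editor step for one PORT line on the control connection.

    allocate_port(private_port) stands in for the router's own allocator: it
    reserves a registered port and records that a data connection arriving on
    it belongs to private_ip:private_port. Returns (new_line, delta, public_port).
    Because the address is dotted-decimal text, the rewritten line usually has a
    different length; delta is the change the editor must apply to the TCP
    sequence and acknowledgement numbers of later segments on this connection."""
    parsed = parse_port_command(line)
    if parsed is None or parsed[0] != private_ip:
        return line, 0, None                # not a PORT line of ours: pass through
    public_port = allocate_port(parsed[1])
    new_line = format_port_command(public_ip, public_port)
    return new_line, len(new_line) - len(line), public_port


def demo():
    """Constructed walk-through: client 192.168.0.10 behind router 203.0.113.1."""
    reserved = {}                            # public_port -> (private_ip, private_port)
    next_port = iter(range(60000, 65536))

    def allocate(private_port):
        public_port = next(next_port)
        reserved[public_port] = ("192.168.0.10", private_port)
        return public_port

    original = "PORT 192,168,0,10,15,160\r\n"
    edited, delta, public_port = edit_port_command(original, "192.168.0.10",
                                                   "203.0.113.1", allocate)
    return original, edited, delta, reserved[public_port]
```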
Chapter 12, Lesson 2
Installing and Configuring NAT
1. Implementing NAT
A. In Windows 2000 RRAS, NAT is implemented as a routing protocol.
1. On a computer running Windows 2000 Server
where RRAS has not yet been activated, you can configure RRAS as an Internet
connection server, using the Routing And Remote Access Server Setup Wizard.
a. The wizard installs NAT at the same time
and configures RRAS to use it.
2. If you have already configured RRAS, you
can install NAT separately and configure it to work with your existing router
configuration.
2. Installing NAT with RRAS
A. To install NAT with RRAS:
1. Click Start, and then from the
Administrative Tools program group, open the Routing And Remote Access console.
2. Select the node for your server in the
scope pane, and then from the Action menu, select Configure And Enable Routing
And Remote Access to start the Routing And Remote Access Server Setup Wizard.
3. Click Next to bypass the Welcome page.
|9| 4. On the Common Configurations page, select
Internet Connection Server, and then click Next.
|10| 5. On the Internet Connection Server Setup
page, select Set Up A Router With The Network Address Translation (NAT) Routing
Protocol, and then click Next.
|11| 6. On the Internet Connection page, select
Create A New Demand-Dial Internet Connection.
a. If you plan to use a dial-in connection to the Internet,
select Create A New Demand-Dial Internet Connection.
(1) A demand-dial connection is one in which
any attempt to access the Internet by a client on the network causes the server
to dial in to the ISP and connect to the Internet.
b. If your connection to the Internet is a permanent
connection that appears in Windows 2000 as a LAN interface, such as a Digital
Subscriber Line (DSL) or cable modem connection, select Use The Selected
Internet Connection.
(1) Select the network interface providing
Internet access in the Internet Connection list.
c. Click Next.
|12| 7. On the Applying Changes page, click Next
to start RRAS and the Demand Dial Interface Wizard.
a. The Applying Changes page informs you that
the Routing And Remote Access Server Setup Wizard is saving your settings and
starting the new wizard to create a demand dial connection.
8. Click Next to bypass the Welcome To The
Demand Dial Interface Wizard page.
|13| 9. On the Interface Name page, type a name
for the new connection in the Interface Name text box, and then click Next.
|14| 10. On the Connection Type page, select Connect
Using A Modem, ISDN Adapter, Or Other Physical Device, and then click Next.
|15| 11. On the Select A Device page, select the
modem or other installed device you want the computer to use to connect to the
Internet, and then click Next.
|16| 12. On the Phone Number page, in the Phone
Number Or Address text box, type the number that you want the modem to dial,
and then click Next.
|17| 13. On the Protocols And Security page, click
Next to accept the default settings.
|18| 14. On the Dial Out Credentials page, type the
user name, domain name (if necessary), and password needed to connect to the
ISP’s server.
a. Click Next to proceed to the Completing
The Demand Dial Interface Wizard page.
15. Click Finish.
a. The Demand Dial Interface Wizard closes
and the Completing The Routing And Remote Access Server Setup Wizard page
appears.
16. Click Finish.
3. Configuring RRAS to Use NAT
A. Configuring an existing RRAS installation to use NAT
1. If you already have RRAS activated on
your server and configured to provide your network with Internet access, you
might not want to deactivate it in order to add NAT.
a. Deactivating RRAS causes configuration
settings to be lost.
|19| 2. You can install NAT in your existing
configuration and configure RRAS to use it by performing the following
procedures:
a. Configure the computer’s local area
connection to use an unregistered IP address.
b. Create a static route for the interface
providing Internet access.
c. Install the NAT routing protocol.
d. Create one NAT interface for the local
network connection and one for the demand-dial interface.
3. The Routing And Remote Access Server
Setup Wizard automatically performs all these procedures when you use it to
create an Internet connection server configuration.
a. To perform these procedures manually, use
the procedures in sections B–F below.
B. Configuring the local area connection
1. To use NAT for Internet access, your
local network must be configured to use unregistered IP addresses.
2. You can use DHCP to automatically
configure your client computers with the appropriate TCP/IP settings, but for
the RRAS server itself, you must configure the TCP/IP client manually.
3. If your Windows 2000 server has RRAS
already activated, then you must have two network interfaces installed in the
computer.
a. One interface is a standard network
interface adapter that provides the connection to your local (private) network
and the other is a WAN connection to an ISP that provides access to the
Internet.
(1) The Internet connection can take the form
of a modem or ISDN link, which appears as a demand-dial interface in RRAS or a
connection to a particular telephone number in the Network And Dial-Up
Connections window.
(2) The Internet connection can use a second
network interface adapter, as in the case of a cable modem or DSL connection.
b. If two network interface cards (NICs) are installed in the computer, both show up as
Local Area Connection icons in the Network And Dial-Up Connections window.
(1) Be sure to configure the NIC that provides
the connection to your local network, not the NIC providing the Internet
connection.
4. The interface providing the connection to
your local network must be configured to use an IP address in one of the
following three private address ranges:
a. 10.0.0.0–10.255.255.255
b. 172.16.0.0–172.31.255.255
c. 192.168.0.0–192.168.255.255
5. If your computers are currently using
registered IP addresses, you will have to change them to unregistered addresses
so that they can use the NAT router.
6. After you have assigned an appropriate
unregistered IP address and subnet mask to the RRAS server, be sure that the
Default Gateway field in the TCP/IP configuration is left blank.
a. Because the RRAS server itself will be
providing access to the Internet, there is no need for a default gateway
setting here.
C. Creating a static route
1. For RRAS to send all nonlocal traffic
over the interface providing Internet access, you must create a static route in
RRAS.
a. Click Start, and then from the
Administrative Tools program group, open the Routing And Remote Access console.
b. Expand the icon for your server, and then
expand the IP Routing node.
c. Select the Static Routes node, and then
select New Static Route from the Action menu to display the Static Route
dialog box.
d. From the Interface drop-down menu, select
the name that you assigned to the demand-dial connection providing access to
the Internet.
e. Type 0.0.0.0 in the Destination box.
f. Type 0.0.0.0 in the Network Mask box.
g. Click OK to close the dialog box and
create the static route.
D. Installing the NAT routing protocol
1. To install the NAT routing protocol on an
existing RRAS server:
a. Click Start, and then from the Administrative
Tools program group, open the Routing And Remote Access console.
b. Expand the icon for your server, and then
expand the IP Routing node.
c. Select the General node, and then select
New Routing Protocol from the Action menu to display the New Routing Protocol
dialog box.
d. Select Network Address Translation (NAT)
from the Routing Protocols list, and then click OK to add the protocol to the
IP Routing node.
E. Creating NAT interfaces
1. As with the other routing protocols
supported by RRAS, you must create a NAT interface for each of the computer’s
network connections before NAT can process the packets transmitted over them.
2. To create a NAT interface:
a. Select the Network Address Translation
(NAT) node in the scope pane of the Routing And Remote Access console, and then
select New Interface from the Action menu to display the New Interface For
Network Address Translation (NAT) dialog box.
b. In the Interfaces list, select the Local
Area Connection entry that provides access to your local (private) network, and
then click OK to open the Network Address Translation Properties dialog box.
c. Verify that Private Interface Connected
To Private Network is selected, and then click OK to create the interface.
d. Repeat step a to open another instance of
the New Interface For Network Address Translation (NAT) dialog box.
e. Select the interface that provides access
to the Internet in the Interfaces list, and then click OK to open the Network
Address Translation Properties dialog box again.
f. Verify that Public Interface Connected To
The Internet is selected and that the Translate TCP/UDP Headers check box is
selected.
g. Click OK to create the interface.
F. Configuring NAT interface properties
1. After you create a NAT interface, you can
configure its properties at any time by selecting the interface in the detail
pane of the Routing And Remote Access console and selecting Properties from the
Action menu to display the Properties dialog box.
a. For the interface that provides access to
your local network, the only configurable option is whether the interface
represents the connection to your private network or to the Internet.
(1) You should not change this value unless you
incorrectly configured the interface when you created it.
b. The Properties dialog box for the NAT
interface representing the Internet connection contains two additional tabs—the
Address Pool tab and the Special Ports tab—that enable you to configure the IP
addresses and ports that NAT will use when translating packets.
(1) The functions of these tabs are described
in sections 2 and 3 below.
2. Creating an address pool
a. When you click the Address Pool tab, you
see controls that enable you to specify the registered IP addresses that you
want NAT to use when translating the packets generated by your network’s
clients.
b. Small networks, and particularly ICS
installations, typically use a single registered IP address, assigned by the
ISP, for all the clients on the private network.
c. If you have multiple registered IP
addresses available to you, however, you can configure NAT to use them by
clicking the Add button to open the Add Address Pool dialog box.
(1) In this dialog box, you can specify a range
of IP addresses, or a single address (by using just the Start Address box),
along with a subnet mask.
d. You can create as many ranges in your
address pool as you need to support your IP addresses.
e. The primary reason for creating an address
pool is to assign specific registered IP addresses to certain unregistered
computers on your network.
(1) For example, if you have a Web server on
your private network that you want to be accessible by clients on the Internet,
you can allocate one of the registered addresses in the pool to the Web server’s
unregistered address so that the NAT router forwards all incoming traffic for
that registered address to the Web server.
(2) This procedure creates a permanent entry in
the router’s NAT table so that it always processes traffic sent to the
registered address you specify in the same way.
f. To reserve an IP address:
(1) Click Start, and then from the
Administrative Tools program group, open the Routing And Remote Access console.
(2) Expand the node for your RRAS server and
browse to the Network Address Translation (NAT) node.
(3) Select the NAT interface representing the
server’s connection to the Internet, and then select Properties from the Action
menu to open the Properties dialog box for the interface.
(4) Click the Address Pool tab.
(5) Click Reservations to open the Reserve
Addresses dialog box.
(6) Click Add to open an Add Reservation dialog
box.
(7) In the Reserve This Public IP Address box,
type the registered address you want to use.
(a) In the For This Computer On The Private
Network box, type the address of the unregistered computer you want to assign
it to.
(b) The registered IP address you supply must
be in the address pool you have already configured.
(8) Select the Allow Incoming Sessions To This
Address check box.
(a) If you do not select this check box,
clients on the Internet will not be able to initiate communications with the
computer using the unregistered address you have specified.
(9) Click OK to create the reservation.
(10) Repeat steps (6)–(9) to create additional
reservations if necessary.
(11) Click OK twice to close the Reserve Addresses
dialog box and the Properties dialog box.
3. Creating special ports
a. The Special Ports tab in the interface’s
Properties dialog box enables you to create permanent mappings at the port
level, rather than at the IP address level.
b. This tab enables you to direct the traffic
arriving at a specific port on one of your registered IP addresses to a
specific port on any one of your unregistered network computers.
(1) You can, for example, map all HTTP traffic
arriving over the Internet interface to a single Web server on your local
network by mapping port 80 for all your registered addresses to port 80 on a
specific unregistered address.
c. To create a special port mapping:
(1) Open the Properties dialog box for the NAT
interface representing the server’s connection to the Internet.
(2) Click the Special Ports tab.
(3) In the Protocol drop-down list, select the
protocol (TCP or UDP) for which you want to create a port mapping.
(4) Click Add to open the Add Special
Port dialog box.
(5) In the Public Address box, specify whether
you want to map a port for the entire interface or for one specific IP address.
(a) If you want one specific IP address, type
the registered IP address in the box provided.
(6) In the Incoming Port box, type the port number in the incoming packets
that you want to map.
(7) In the Private Address box, type the
unregistered IP address of the computer you want to receive the mapped packets.
(8) In the Outgoing Port box, type the port number that the computers on the
local (private) network will use for outbound traffic.
(9) Click OK to create the port mapping.
(10) Repeat steps (3)–(9) to create additional
mappings, if necessary.
(11) Click OK to close the Properties dialog box.
|20| 4. Configuring NAT Properties
A. In addition to the properties for specific NAT interfaces, you
can also configure properties for NAT itself.
1. You do this by selecting the Network Address
Translation (NAT) node in the Routing And Remote Access console’s scope pane
and selecting Properties from the Action menu to display the Network Address
Translation (NAT) Properties dialog box.
2. In the General tab, you configure the
logging options for the NAT protocol by specifying the amount of NAT
information that RRAS should save to the log.
3. In the Translation tab, you can specify
the amount of time that TCP and UDP entries should remain in the NAT table.
a. By clicking the Applications button in the
Translation tab, you open an Applications dialog box in which you can create
mappings to support specific applications that use nonstandard port numbers.
B. Configuring IP addressing
1. In the Address Assignment tab, you can
enable NAT to automatically configure clients on the unregistered network with
the IP addresses and other settings they need to use the NAT router.
a. This feature is a simplified subset of the
DHCP server included with Windows 2000 Server.
2. If you have already deployed a DHCP
server on your network (either on the server running NAT or elsewhere), you do
not need to activate NAT’s Address Assignment function.
3. The Address Assignment function is simple
to deploy, and it provides few customizable settings.
a. Selecting the Automatically Assign IP
Addresses By Using DHCP check box enables the feature.
b. The IP Address box contains the private
Class C network address 192.168.0.0 by default, with a Mask value of
255.255.255.0.
c. You can modify the address or the mask as
needed, and you can click the Exclude button to prevent specific addresses on
the network from being assigned by DHCP.
d. If you plan to create IP address mappings
so that specific computers on your unregistered network are accessible from the
Internet, you must
(1) Manually configure the TCP/IP settings on
those unregistered computers
(2) Exclude the addresses you assign them from
assignment by any DHCP server on your network
e. In addition to providing IP addresses and
a subnet mask, this DHCP implementation supplies clients with a default gateway
address and a DNS server address (if the NAT name resolution component is
enabled).
(1) Both the default gateway address and the
DNS server address are the address of the NAT router itself and cannot be
modified.
C. Configuring name resolution
1. In the Name Resolution tab, you specify
whether you want to activate the DNS proxy provided by the NAT protocol.
a. To activate this feature, select the
Clients Using Domain Name System (DNS) check box.
(1) NAT’s address assignment component supplies
clients with the NAT router’s IP address as a DNS server address.
2. Upon receiving name resolution requests
from clients, the NAT router passes them on to the DNS server specified in the
RRAS computer’s own TCP/IP configuration.
3. By selecting the Connect To The Public
Network When A Name Needs To Be Resolved check box, you can control whether a
demand-dial connection is triggered by DNS name resolution requests.
4. If you decide not to use the DNS proxy
included with NAT, you must supply each of your clients with an alternative DNS
server address, either by manually configuring them or using a full DHCP
implementation.
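Added example, not taken from the course notes: a pre-flight check of a manually built RRAS NAT configuration against the rules this lesson gives (private address on the LAN interface and a blank default gateway, section 3.B; a 0.0.0.0 mask 0.0.0.0 static route on the Internet interface, section 3.C; reservations drawn from the address pool, section 3.F.2; reserved private addresses excluded from DHCP, section 4.B). The dictionary layout and all addresses are constructed for this example; it does not read real RRAS settings.

```python
"""Added example, not from the course notes: a pre-flight check of a manual
RRAS NAT configuration against the rules in Lesson 2. The dictionary layout
and all addresses are constructed; nothing here reads real RRAS settings."""
import ipaddress

# The three IANA-reserved private ranges listed in section 3.B.4.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_unregistered(addr):
    """True if addr falls inside one of the private (unregistered) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_nat_config(cfg):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    lan, inet = cfg["lan"], cfg["internet"]

    if not is_unregistered(lan["ip"]):
        problems.append("LAN interface must use an unregistered (private) address")
    if lan.get("gateway"):
        problems.append("LAN interface Default Gateway must be left blank")
    if is_unregistered(inet["ip"]):
        problems.append("Internet interface must use a registered address")

    has_default_route = any(
        r["destination"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
        and r["interface"] == inet["name"]
        for r in cfg.get("static_routes", []))
    if not has_default_route:
        problems.append("missing static route 0.0.0.0 mask 0.0.0.0 on the Internet interface")

    # The Add Address Pool dialog takes a start address plus mask; each pool
    # range is written here as a CIDR string for brevity.
    pool = [ipaddress.ip_network(p, strict=False) for p in cfg.get("address_pool", [])]
    excluded = set(cfg.get("dhcp_exclusions", []))
    for res in cfg.get("reservations", []):
        public, private = res["public"], res["private"]
        if not any(ipaddress.ip_address(public) in net for net in pool):
            problems.append(f"reserved address {public} is not in the address pool")
        if not is_unregistered(private):
            problems.append(f"reservation target {private} is not a private address")
        if cfg.get("address_assignment") and private not in excluded:
            problems.append(f"{private} has a reservation but is not excluded from DHCP")
    return problems


# Constructed sample configuration that satisfies every rule above.
SAMPLE_CONFIG = {
    "lan": {"name": "Local Area Connection", "ip": "192.168.0.1", "gateway": ""},
    "internet": {"name": "ISP", "ip": "203.0.113.1"},
    "static_routes": [{"destination": "0.0.0.0", "mask": "0.0.0.0", "interface": "ISP"}],
    "address_pool": ["203.0.113.0/29"],
    "address_assignment": True,
    "dhcp_exclusions": ["192.168.0.20"],
    "reservations": [{"public": "203.0.113.2", "private": "192.168.0.20"}],
}

if __name__ == "__main__":
    for line in check_nat_config(SAMPLE_CONFIG) or ["configuration passes"]:
        print(line)
```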
Chapter 12, Lesson 3
Installing Internet Connection Sharing
1. Differentiating ICS and NAT
A. Both ICS and NAT are included in RRAS, and both use the same
network address translation technique to enable computers with unregistered IP
addresses to share an Internet connection.
1. ICS differs from NAT mainly in that it is
a “light” version of the protocol that is far simpler to install and use.
2. Other differences between ICS and NAT
a. ICS is less flexible than NAT.
|21| b. ICS is included in all versions of Windows
2000, including Microsoft Windows 2000 Professional, but NAT is part of RRAS,
which is included only in the Windows 2000 Server operating systems.
c. ICS is activated through the Network And
Dial-Up Connections Control Panel, but you install and configure NAT using the
Routing And Remote Access console.
d. ICS can use only a single registered IP
address when translating the Internet packets generated by an unregistered
network; NAT can use multiple IP addresses.
e. NAT can map specific registered IP
addresses to specific unregistered addresses to make a computer on the
unregistered network accessible to Internet clients; ICS cannot.
f. ICS can link only one LAN to one
registered IP address; NAT can support multiple LANs with different IP
addresses.
g. ICS automatically uses its address
assignment component using a fixed range of unregistered IP addresses. With
NAT, you can control whether to use address assignment and specify the
addresses to be assigned.
2. Installing ICS
A. As with any other NAT implementation, your computer must have two network interfaces to use ICS.
1. One interface connects to the local network and the other connects to an ISP.
2. The local network connection must use a standard NIC, and the Internet connection can use a dial-up modem or a NIC-based interface (such as a cable modem or DSL connection).
|22| B. To install ICS on a computer running Windows 2000:
1. Click Start, point to Settings, and then select Network And Dial-Up Connections to open the Network And Dial-Up Connections window.
2. Click the icon representing the connection to your ISP (the connection you want to share), and then select Properties from the File menu to open the Properties dialog box for the connection.
a. If you are using a dial-up connection to the Internet, the icon representing the connection is labeled with the name that you assigned when you created the connection.
b. If your Internet connection uses a NIC, the icon is labeled Local Area Connection, possibly with a numeral as well.
c. The NIC connection to your local network is labeled the same way.
d. Be sure to select the correct connection before you proceed to enable ICS.
3. Select the Sharing tab.
4. Select the Enable Internet Connection Sharing For This Connection check box, and then click OK.
a. The For This Connection selector lists all the local area connections in the Network And Dial-Up Connections window.
b. If you have more than one local area connection, select the connection representing the local network with which you want to share the Internet connection.
5. If you are using a dial-up connection to the Internet, verify that the Enable On-Demand Dialing check box is selected.
a. By default, ICS causes dial-up Internet connections to use on-demand dialing so that any user on the network can trigger a connection to the Internet on the ICS computer by attempting to access an Internet service.
b. You can disable on-demand dialing by clearing this check box.
(1) If you disable on-demand dialing, the user on the ICS computer must initiate a connection to the Internet before anyone on the network can access Internet services.
6. Click OK to close the connection’s Properties dialog box.
C. Although the process is invisible to the user, activating ICS on a computer running Windows 2000 performs a number of configuration tasks behind the scenes.
|23| 1. Sharing an Internet connection with ICS causes Windows to do the following:
a. The ICS service is started and configured to load automatically when Windows 2000 starts.
b. The Local Area Connection you selected in the For Local Network box in the Sharing tab of the connection’s Properties dialog box is reconfigured with an IP address of 192.168.0.1 and a subnet mask of 255.255.255.0.
c. The ICS address allocation component is enabled and configured to provide DHCP clients with IP addresses ranging from 192.168.0.2 to 192.168.0.254 and a subnet mask of 255.255.255.0.
(1) Both the default gateway and the DNS server value supplied to the clients are the address of the computer running ICS.
(2) There is no way to modify the allocated settings or disable the address allocation component without disabling ICS.
d. The ICS name resolution component is enabled, which causes the ICS computer to function as a DNS proxy, receiving DNS name resolution requests from clients and forwarding them to the DNS server the computer is configured to use.
D. The only remaining task needed to enable ICS is to make sure that all the client computers on the network
1. Have properly installed network interfaces
2. Are configured to obtain their TCP/IP configuration settings using DHCP
3. Configuring ICS
A. ICS is preconfigured to provide clients with standard Internet connectivity.
B. Once you have enabled ICS, you can configure the service to support other applications by clicking the Settings button in the Sharing tab of your Internet connection’s Properties dialog box.
1. This opens the Internet Connection Sharing Settings dialog box.
C. Using the Applications tab
1. In the Applications tab, you can create port mappings for outbound traffic to support applications with unusual communications requirements.
2. To create a mapping, click Add to open the Internet Connection Sharing Application dialog box.
3. In the Name Of Application box, type the name of the application.
a. In the Remote Server Port Number box, specify the port number your client computers will use when connecting to a server on the Internet that is running the application.
4. Click the TCP or UDP option button to specify which transport-layer protocol the outbound messages should use.
5. In the Incoming Response Ports boxes, specify which port numbers the Internet server should use when sending traffic back to the clients on your network.
6. You can supply multiple port numbers in both the TCP and UDP boxes.
7. Click OK to create the application entry.
D. Using the Services tab
1. In the Services tab of the Internet Connection Sharing Settings dialog box, you can configure ICS to permit Internet users to access services on your unregistered network.
2. The Services list contains six of the most common applications you might want to share with Internet users.
a. You can enable any of these applications by selecting its check box.
b. In the Internet Connection Sharing Service dialog box, you must identify the computer on your private network that you want to receive all traffic going to the well-known port number associated with that application.
3. In addition to the six preconfigured services, you can create additional services by clicking the Add button in the Services tab to display a blank Internet Connection Sharing Service dialog box.
a. Type a name for the service in the Name Of Service text box.
b. Specify the port number the service uses in the Service Port Number box.
c. Specify whether the service uses TCP or UDP by clicking the appropriate option button.
d. In the Name Or Address Of Server Computer On Private Network text box, type the DNS name or IP address of the computer on your unregistered network that you want to receive the traffic.
e. Click OK to create the new entry in the Services list that uses your parameters.