Document: Module 6: NAT as a Solution for Internet Connectivity (docx)


Contents
Overview 1
Introducing NAT 2
Designing a Functional NAT Solution 6
Securing a NAT Solution 13
Enhancing a NAT Design for Availability and Performance 19
Discussion: Enhancing a NAT Solution 20
Lab A: Designing a NAT Solution 22
Review 30

Module 6: NAT as a Solution for Internet Connectivity

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.

Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart

Other product and company names mentioned herein may be the trademarks of their respective owners.

Overview

• Introducing NAT
• Designing a Functional NAT Solution
• Securing a NAT Solution
• Enhancing a NAT Design for Availability and Performance

When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. In Microsoft® Windows® 2000, the Network Address Translation (NAT) protocol that is provided by Routing and Remote Access provides a solution for Internet connectivity, and protects the resources of private networks. NAT is an appropriate solution for Internet connectivity requirements for organizations that have limited security requirements and a relatively small number of users within each location.

At the end of this module, you will be able to:

• Evaluate NAT as a solution for Internet connectivity.
• Evaluate and create a functional design for baseline Internet connectivity.
• Select appropriate strategies to secure a NAT Internet connectivity solution.
• Select appropriate strategies to enhance Internet connection availability and improve Internet connectivity performance.

Note: Throughout the remainder of the module, NAT is used to describe the NAT protocol in Windows 2000.

Introducing NAT

• Design Decisions for a NAT Solution
• Features of NAT

NAT connects private networks to the Internet while also protecting the private network resources. To design a strategy for providing Internet connectivity by using NAT, you must:

• Establish the design requirements for a NAT solution.
• Identify how the features provided by NAT support the Internet connectivity design requirements.

Design Decisions for a NAT Solution

• Same Security Requirements for All Users
• Nonrouted Private Network
• Required Private Addressing

[Figure: private network connected to the Internet through a NAT server]

You must base your decision to use NAT as an Internet connectivity solution on the size of the private network and the security requirements of the organization. NAT is an appropriate solution for Internet connectivity when:

• Internet access and access to the private network is not restricted on a user-by-user basis.
• The private network consists of any number of users in a nonrouted environment.
• The organization requires private addressing for the computers on the private network.

Features of NAT

• Translate Public and Private Addresses
• Supply IP Configuration to Clients
• Forward Name Resolution Requests
• Protect Private Network Resources
• Integrate into Existing Networks

To ensure an effective Internet connectivity solution, you need to understand how the features of NAT support the organization's connectivity requirements.

Note: NAT is one of the protocols supported by Routing and Remote Access in Windows 2000; therefore, to use NAT, you must include Routing and Remote Access in your solution.

Translate Public and Private Addresses

The network address translation feature of NAT secures the private network by hiding the private network addresses from Internet-based users. Network address translation allows one or more public addresses to be translated to the private Internet Protocol (IP) addressing scheme within the private network. Network address translation is inherent in NAT and necessitates the use of private addressing. For situations where a public address exists for each computer on the private network, you can use IP routing as provided in Routing and Remote Access.

Supply IP Configuration to Clients

The automatic IP address assignment feature of NAT supplies the IP configuration to client computers on the private network. This feature of NAT eliminates the requirement for a separate DHCP server. You can use automatic IP address assignment to configure any DHCP-compatible client.

Forward Name Resolution Requests

The name resolution feature of NAT uses DNS proxies to forward requests for name resolution. The NAT server sends client requests to the appropriate DNS servers on the private network, or across the Internet.

Protect Private Network Resources

NAT protects private network resources from Internet-based users by enabling communications with a specific port on a specific private network IP address. To provide this protection, NAT uses address pools and special ports. The NAT server forwards requests from Internet-based users to the computers on the private network that manage the resource.

Integrate into Existing Networks

When you integrate NAT into existing networks, consider that NAT:

• Supports automatic IP configuration of client computers that use DHCP for configuration.
• Provides IP configuration. You must ensure that DHCP servers do not provide IP configuration for the private network.
• Supports only the IP protocol, not any other routable protocols such as Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
• Cannot perform address translation on certain protocols. The following is a list of protocols that are not supported by NAT:
  • Simple Network Management Protocol (SNMP)
  • Lightweight Directory Access Protocol (LDAP)
  • Component Object Model (COM) or Distributed Component Object Model (DCOM). Many applications may use DCOM to communicate between clients and servers in a multi-tier solution.
  • Kerberos Version 5. The Active Directory™ directory service uses the Kerberos V5 protocol, so domain controllers cannot replicate through NAT.
  • Microsoft Remote Procedure Call (RPC). Many of the Microsoft Management Console (MMC) snap-ins use RPC to communicate between the client and the server.
  • Internet Protocol Security (IPSec) packets that use IP header encryption

Note: For any applications that require the protocols not supported by NAT, use Microsoft Proxy Server 2.0 as the Internet connectivity solution.

Designing a Functional NAT Solution

• Integrating NAT into the Existing Network
• Selecting NAT Server Options
• Discussion: Designing NAT Solutions

Your design decisions establish the essential aspects of your NAT solution and provide the foundation for your Internet connectivity design. You make these decisions by:

• Determining the placement of the NAT server and the IP address, type of persistence, and data rate of the NAT server interface.
• Selecting the appropriate automatic IP address assignment and DNS name resolution feature options.

Integrating NAT into the Existing Network

• NAT Server Placement on the Private Network
• Interface Address and Subnet Mask Selection
• Interface Data Rate and Persistence Selection

[Figure: NAT server with a LAN interface to the private network and a demand-dial interface to the Internet]

The NAT server in your network design must have at least two interfaces: one interface that connects to the Internet and one interface that connects to the private network. For each NAT server interface, you must describe the interface characteristics so that you can integrate the NAT server into the existing network.

NAT Server Placement on the Private Network

You need to place the NAT server between the network segments to localize network traffic and maintain security. The NAT server provided by Windows 2000 is appropriate for connecting the private network to public networks. You must place the NAT server within the private network to:

• Isolate the network traffic to the source, destination, and intermediary network segments.
• Create a screened subnet within the private network, thereby protecting confidential data.
• Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and Integrated Services Digital Network (ISDN).

Select the Interface Address and Subnet Mask

When selecting the NAT server interface address and subnet mask, remember that:

• Each NAT server interface requires an IP address and subnet mask.
• The IP address assigned to the NAT interface must be within the range of addresses that is assigned to the network segment that is directly connected to the interface.
• The subnet mask assigned to the NAT server interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.

Select the Interface Data Rate and Persistence

Each NAT server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for each NAT server interface so that the NAT server can connect to private and public network segments.

Interfaces that connect to private network segments

Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as the 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.

Interfaces that connect to public network segments

Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to the NAT server as LAN interfaces are persistent, and the data rate is determined by the LAN technology. Public network segments that appear as demand-dial interfaces are non-persistent, and the data rate is determined by the underlying technology. An example of this would be a 56 Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps. When the public network segments are based on LAN technologies, you can include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection.

Include a demand-dial interface in your solution when:

• An exchange of credentials, such as VPN tunnel authentication, is required to perform authentication.
• Charges, such as ISDN connection charges, are accumulated.

[...]
[...] IP addressing scheme to be used in each home office.

4. Describe options for improving the availability of the NAT solution.

5. Describe options for increasing the performance of the NAT solution.

Review

• Introducing NAT
• Designing a Functional NAT Solution
• Securing a NAT Solution
• Enhancing [...]

[...] the local private network.
• Allow access to resources outside the local private network.

Note: VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not supported because IPSec can encrypt the IP header and NAT cannot perform address translation.

Enhancing a NAT Design for Availability and Performance

[Figure: NAT server with a LAN interface and a demand-dial interface to the Internet]

[...]

Selecting NAT Server Options

[Figure: NAT server providing automatic addressing and name resolution between the private network and a DNS server on the Internet]

• Automatic IP Address Assignment
• DNS Name Resolution

In addition to providing network address translation, NAT provides automatic addressing and name resolution for private network clients. These NAT server options eliminate the need for additional [...]

[...] if NAT is an appropriate solution for these sales representatives?

2. You are a consultant who has been hired to create a design that connects a privately owned chain of bookstores over the Internet. Each of the bookstores has about 25 computers that access a point-of-sales application and an inventory control application. The applications are Active Directory-aware applications that store the data for [...]

[...] Server 7.0 database in the London central sales office are not encrypted. How could you ensure that the database updates are encrypted?

3. Allowing customers to access the Web-based order entry and order tracking system has significantly degraded the performance of the NAT server. What strategies could you use to improve the performance of the NAT solution?

[...] the applications in a SQL Server 7.0 database. How could you use NAT to provide an Internet connectivity solution for the bookstores?

3. A chain of retail clothing stores uses NAT to connect each retail store to the central administrative office over the Internet. At the end of each day, the manager of the retail stores exports sales data out of an [...]

[...] private NAT interface. The following table lists the interface types and describes the reasons for assigning a filter to each interface.

Create a filter on the       To restrict
Internet interface           Private network user access to Internet-based resources
Private network interface    Internet-based user access to private network resources

Filter All Traffic [...]

[...] configuration provides:

• Support for a mission-critical, Web-based application that allows the customer service agents to manage customers and their billing information.
• Support for a mission-critical, Web-based application that allows customers to make account payments and submit service requests over the Internet.
• Support for all mission-critical applications to be available 24 hours a day, 7 days a week.

Internet [...]

[...] information, and allow sales managers in the London central sales office to review activity on key customer accounts. The repository for the contact information is a SQL Server database in the London office. What impact would the selection of the contact management software have on your design?

Securing a NAT Solution

• Restricting Internet Traffic [...]

[...] resource access. Special port mappings enable NAT to examine the IP address and port number of Internet-based requests. NAT then forwards the requests to a specific IP address and port number of a resource server within the private network. For each resource that you share with the Internet, you must define separate special port mappings in Routing and Remote Access.
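The following Python simulation is an added example, not code from the Microsoft module or from Routing and Remote Access, illustrating the two mechanisms the module describes: outbound translation that hides private addresses behind the public interface address (the "Translate Public and Private Addresses" feature), and special port mappings that publish one private IP address and port to Internet-based requests (the "Protect Private Network Resources" feature and the special port mapping paragraph above). It assumes a single public address rather than an address pool, and all addresses, ports and traffic are constructed sample values.

```python
from dataclasses import dataclass
from itertools import count
PUBLIC_ADDR = "203.0.113.10"   # constructed sample public address (not from the module)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class NatServer:
    def __init__(self, public_addr):
        self.public_addr = public_addr
        self.special = {}           # (proto, public_port) -> (private_addr, private_port)
        self.table = {}             # (proto, public_port) -> (src, sport, dst, dport)
        self._ports = count(49152)  # public ports handed out to outbound sessions

    def add_special_port(self, proto, public_port, private_addr, private_port):
        # One special port mapping per resource shared with the Internet
        self.special[(proto, public_port)] = (private_addr, private_port)

    def outbound(self, pkt):
        """Rewrite a private-to-Internet packet so only the public address is visible."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), known in self.table.items():
            if proto == pkt.proto and known == flow:
                break                           # reuse the existing translation
        else:
            pub_port = next(self._ports)
            self.table[(pkt.proto, pub_port)] = flow
        return Packet(self.public_addr, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Translate an Internet-to-private packet, or return None to drop it."""
        key = (pkt.proto, pkt.dport)
        if key in self.table:                   # reply to a session a private client opened
            src, sport, dst, dport = self.table[key]
            if (pkt.src, pkt.sport) == (dst, dport):
                return Packet(pkt.src, pkt.sport, src, sport, pkt.proto)
        if key in self.special:                 # explicitly published resource
            priv_addr, priv_port = self.special[key]
            return Packet(pkt.src, pkt.sport, priv_addr, priv_port, pkt.proto)
        return None                             # no mapping: private hosts stay hidden

def demo():
    # Constructed traffic: outbound web session, its reply, a hit on the published
    # server, and an unsolicited inbound packet that no mapping covers
    nat = NatServer(PUBLIC_ADDR)
    nat.add_special_port("tcp", 80, "192.168.0.10", 80)    # published web server
    out = nat.outbound(Packet("192.168.0.25", 1025, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_ADDR, out.sport))
    web = nat.inbound(Packet("198.51.100.77", 4444, PUBLIC_ADDR, 80))
    probe = nat.inbound(Packet("198.51.100.77", 4444, PUBLIC_ADDR, 3389))
    return out, reply, web, probe
```

The dropped probe is the behaviour the module relies on for protecting private resources: without a dynamic translation or a configured special port, Internet-based requests never reach a private address.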

Posted: 24/01/2014, 10:20
