8.7.3.3.1            Windows 2000 NAT components

Windows 2000 NAT is installed as an IP routing protocol component of the Routing and Remote Access service provided with Windows 2000 Server. You can use the Routing and Remote Access Server Setup Wizard or install it separately as the Network Address Translation (NAT) IP routing protocol component. Windows 2000 NAT is designed primarily for home networks and small to medium-sized organizations.

Windows 2000 NAT includes editors for FTP, Internet Control Message Protocol (ICMP), and PPTP. Because IP Security (IPSec) traffic is not translatable, even with an editor, private network computers cannot use L2TP/IPSec to make VPN connections to VPN servers on the Internet.

Windows 2000 NAT consists of the following components:

·         NAT translation component

Translates packets between private networks and the Internet. The NAT translation component is enabled by default.

·         DHCP allocator addressing component

Provides IP address configuration information for the private network computers. The DHCP allocator is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the private network as DHCP clients in order to automatically receive the IP configuration. The DHCP allocator is disabled by default.

·         DNS proxy name-resolution component

Acts as a DNS server for the other private network computers. When the DNS proxy receives name resolution requests, it forwards them to the Internet-based DNS server for which it is configured and returns the responses to the private network computer. The DNS proxy is disabled by default.

Network address translation (NAT) protocol settings

After the Network Address Translation (NAT) routing protocol component is installed, you can use its properties to:

·         Set the interval after which idle dynamic mappings for TCP and UDP traffic are removed from the NAT translation table (Translation tab).

·         Specify Internet applications that respond on ports other than the port of the initial connection request (Translation tab).

·         Enable the DHCP allocator and configure both the private address range and any exclusions (Address Assignment tab).

·         Enable the DNS proxy and specify a demand-dial interface (Name Resolution tab).

Public and private interfaces

Interfaces that are added to the NAT routing protocol component must be designated as either a public interface (a single interface connected to the Internet and assigned a public address) or a private interface (an interface connected to a private network segment that uses private addresses).

When you have multiple private interfaces, you should not enable the DHCP allocator. If you do, DHCP-based private computers on separate network segments can communicate with Internet resources, but not with each other.

Public interface settings

On the public interface, you can configure the following settings to specify:

·         Whether to translate TCP and UDP headers (General tab).

·         The public address pool assigned by your ISP (if you have more than one public IP address) and any reserved public addresses (Address Pool tab).

·         Static NAT translation table mappings that allow traffic initiated from Internet computers (Special Ports tab).
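The translation-table behaviour behind the Translation tab (idle timeouts for dynamic TCP and UDP mappings) and the Special Ports tab (static mappings that admit Internet-initiated traffic), shown as an added Python model written for this section. It is not Windows code; the addresses, port numbers and timeout values are constructed sample values, and time is counted in minutes.

```python
from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Model of a NAT translation table (constructed example, not the Windows implementation)."""
    public_ip: str
    tcp_timeout: int = 1440   # minutes an idle TCP mapping survives (sample value)
    udp_timeout: int = 1      # minutes an idle UDP mapping survives (sample value)
    # (proto, public_port) -> (private_ip, private_port, last_seen_minute)
    dynamic: dict = field(default_factory=dict)
    # (proto, public_port) -> (private_ip, private_port); the "Special Ports" entries
    static: dict = field(default_factory=dict)
    next_port: int = 1025

    def add_static(self, proto, public_port, private_ip, private_port):
        """Static mapping: inbound traffic to public_port is always forwarded."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port, now):
        """Private -> Internet: create or refresh a dynamic mapping, return translated source."""
        if proto not in ("tcp", "udp"):
            return None  # no port field to rewrite (e.g. IPSec ESP/AH): not translatable
        for key, (ip, port, _) in self.dynamic.items():
            if key[0] == proto and (ip, port) == (src_ip, src_port):
                self.dynamic[key] = (ip, port, now)  # refresh idle timer
                return (self.public_ip, key[1])
        pub_port = self.next_port
        self.next_port += 1
        self.dynamic[(proto, pub_port)] = (src_ip, src_port, now)
        return (self.public_ip, pub_port)

    def inbound(self, proto, dst_port, now):
        """Internet -> private: forward only via a live dynamic or a static mapping, else drop."""
        self.expire(now)
        if (proto, dst_port) in self.dynamic:
            ip, port, _ = self.dynamic[(proto, dst_port)]
            self.dynamic[(proto, dst_port)] = (ip, port, now)
            return (ip, port)
        return self.static.get((proto, dst_port))  # None means the packet is dropped

    def expire(self, now):
        """Remove dynamic mappings idle longer than the per-protocol timeout."""
        limit = {"tcp": self.tcp_timeout, "udp": self.udp_timeout}
        self.dynamic = {k: v for k, v in self.dynamic.items() if now - v[2] < limit[k[0]]}
```

Unsolicited inbound packets reach a private host only through a static entry, and a shorter timeout closes dynamic mappings sooner after the private host stops talking.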

Windows 2000 NAT and Internet Connection Sharing

Windows 2000 includes a simplified version of a NAT named Internet Connection Sharing (ICS). ICS can be enabled on the Sharing tab in the properties of a connection in Network and Dial-up Connections. The most significant differences between NAT and ICS are the following:

·         ICS does not allow any configuration beyond specifying a dial-up connection to use and configuring Internet applications that respond on ports other than the port of the initial connection request. Neither the ICS DHCP allocator nor DNS proxy can be disabled. Therefore, you cannot use ICS in an Active Directory environment or where standalone DHCP servers are used.

·         ICS supports only a single private network segment, while NAT supports multiple private network segments.