Configuring Network Address Translation (NAT) in Windows Server 2008

You might typically assign a private address range to an internal network in a small company and use NAT (Network Address Translation) to connect your network to the Internet. Prepared with the IP addresses of your internal hosts and the IP addresses assigned to you by your ISP, run the RRAS Setup Wizard to configure the server for NAT (right-click the server in the RRAS console and select Configure and Enable Routing and Remote Access). Select the option Network Address Translation, click Next, and provide the following information:

1) Use This Public Interface to Connect to the Internet: Select the network interface that is connected to the Internet. This may not actually be a public interface—a firewall or other private network segment may sit between the interface and a public presence on the Internet.

2) Create a New Demand-Dial Interface to the Internet: Select this option if you want to create a new demand-dial interface for the Internet connection.

3) Enable Security on the Selected Interface by Setting Up a Basic Firewall: Select this option to enable a firewall on the interface.

You can also manually add NAT if you have already enabled RRAS for another function. The following steps not only add NAT manually, but also take you through the configuration steps for NAT:

1. First add NAT as a routing protocol, which you do by right-clicking the General node and selecting New Routing Protocol. Select the server in the console tree and expand its node down to NAT. The interfaces (NICs) appear in the details pane on the right.

2. Add the interface to the protocol. Right-click NAT and select New Interface. You will have the option to configure the interface for the internal network or the external network (Internet). Select an interface and click OK to display the Network Address Translation Properties dialog box. Specify whether the interface is connected to the Internet or the private network and click OK.

3. Select the interface to configure and right-click. Then select Properties. The Local Area Connection Properties dialog box will appear.

4. On the Address Pool tab, enter the IP address assignment given by your ISP. In many cases with ADSL you will be given a dynamically assigned address that is in practice persistent: the same IP address is renewed each time the DHCP lease expires. You can also ask the ISP to reserve the address for you.

5. On the Services and Ports tab, place a check beside a service that you want translated. The Edit Service dialog box will load.

6. In the Private Address field, enter the IP address of the server hosting the specified service and click OK.

7. If you need to add a service not listed, click Add to open the Add Service dialog box. Enter a name for the service in the Description of Service field.

8. In the Incoming Port field, type the well-known port number typically assigned to the IP service in question: for example, port 21 for FTP or port 25 for SMTP.

9. In the Outgoing Port field, type the private port you wish to assign to the same service. It can be the well-known port of the service or any port on which your internal host actually listens. (Using a high port number, such as 5000, on the private side provides some additional security, since it makes the service harder for an attacker to find on the internal network. External hosts still reach the service through the incoming port you entered in step 8, so this is obscurity only; it does not restrict who can reach the service, which remains the job of the firewall.)

10. In the Private Address field, type the private address of the TCP/IP service (typically, the host).

11. Choose whether the service is published on the interface's own address or on a specific address from the address pool; for the latter, enter the public IP address to be translated in the address pool entry field.

To point clients to the Internet for browsing and other services, configure the private (internal) interface address of the NAT server as the default gateway on each client. NAT translates the clients' private source addresses to the correct public address on the way out and maps replies back to the originating host.
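The two directions of translation described above (the static service mappings from steps 5 through 11 and the outbound client traffic that uses the NAT server as its gateway) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the article or from Windows RRAS; all addresses and ports in it are constructed for the demonstration, and the class and function names are the author's own. It shows what the NAT table actually does with each packet: outbound packets get the public source address and a translated port, replies are matched to the session that created them, packets to a published service port are forwarded to the internal host on its private port, and anything else arriving on the public interface is dropped because no mapping exists for it.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses for the demonstration (documentation ranges, not real hosts).
PUBLIC_IP = "203.0.113.10"       # address assigned by the ISP
LAN_GATEWAY_IP = "192.168.1.1"   # NAT server's private-side interface (clients' gateway)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Minimal model of a NAT router with static inbound service mappings."""

    def __init__(self, public_ip: str, first_ephemeral: int = 49152):
        self.public_ip = public_ip
        self._next_port = first_ephemeral
        # Static mappings from the Services and Ports tab:
        # (proto, incoming/public port) -> (private address, outgoing/private port)
        self.services: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # Dynamic outbound sessions: (proto, src ip, src port, dst ip, dst port) -> public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # Reverse table: (proto, public port) -> (private ip, private port, remote ip, remote port)
        self._back: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def add_service(self, proto: str, incoming_port: int, private_addr: str, outgoing_port: int) -> None:
        """Publish an internal service: public port -> private host:port (steps 7 to 10)."""
        key = (proto, incoming_port)
        if key in self.services or key in self._back:
            raise ValueError(f"public port {proto}/{incoming_port} is already in use")
        self.services[key] = (private_addr, outgoing_port)

    def _alloc_port(self, proto: str) -> int:
        # Never hand out a public port that a static service mapping already owns.
        while (proto, self._next_port) in self.services or (proto, self._next_port) in self._back:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN host's packet: private source -> public address and port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            port = self._alloc_port(pkt.proto)
            self._out[key] = port
            self._back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the public interface; None means it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self._back:                       # reply to an outbound session
            ip, port, remote_ip, remote_port = self._back[key]
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None                         # not from the host the client contacted
            return replace(pkt, dst_ip=ip, dst_port=port)
        if key in self.services:                    # published internal service
            ip, port = self.services[key]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None                                 # unsolicited and unmapped: drop


def demo():
    """Run the four cases a NAT administrator cares about and return the results."""
    nat = NatTable(PUBLIC_IP)
    nat.add_service("tcp", 25, "192.168.1.20", 5025)   # SMTP, published on a high private port
    nat.add_service("tcp", 21, "192.168.1.30", 21)     # FTP on its well-known port internally

    # 1. A LAN client browses: its packet leaves with the public source address.
    out = nat.outbound(Packet("tcp", "192.168.1.50", 51000, "198.51.100.7", 80))
    # 2. The web server's reply is mapped back to the client that opened the session.
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 80, PUBLIC_IP, out.src_port))
    # 3. Mail from the Internet to public port 25 reaches the internal server on port 5025.
    smtp = nat.inbound(Packet("tcp", "198.51.100.9", 40000, PUBLIC_IP, 25))
    # 4. A packet to a public port with no mapping is dropped.
    probe = nat.inbound(Packet("tcp", "198.51.100.9", 40001, PUBLIC_IP, 3389))
    # 5. A packet to the client's translated port from a host it never contacted is dropped.
    stray = nat.inbound(Packet("tcp", "198.51.100.9", 80, PUBLIC_IP, out.src_port))
    return out, reply, smtp, probe, stray


if __name__ == "__main__":
    for label, result in zip(("out", "reply", "smtp", "probe", "stray"), demo()):
        print(f"{label:6} {result}")
```

Case 3 is the point of step 9 above: the internal SMTP host listens on 5025, but the Internet side only ever sees port 25, which is why the private port choice buys obscurity on the LAN and nothing more. Case 4 is the behaviour a basic firewall on the public interface relies on: traffic that matches neither a session nor a published service has nowhere to go.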

You can also configure services and ICMP behavior for the interface. The Services tab permits you to configure NAT translation to allow external requests coming from the Internet to be mapped to servers on the internal LAN. The ICMP tab includes settings that determine how the server reacts to ICMP messages it receives on the interface. You can configure these settings without enabling the firewall on the interface.