Configure access to services located behind network address translation (NAT)
Network Address Translation (NAT), defined in RFCs 1631 and 2663, is an IP router function that translates the IP addresses and TCP/UDP port numbers of packets as it forwards them. For outgoing packets, the private source IP address and TCP/UDP port number are mapped to a public source IP address and a TCP/UDP port number that may be changed. For incoming packets, the public destination IP address and TCP/UDP port number are mapped back to the private IP address and the original TCP/UDP port number.
The NAT forwards traffic from the Internet to the private network only if a matching entry exists in its translation table. For this reason, a NAT provides some degree of protection for computers on the private network segment. However, this same protection causes connectivity problems when you want to make resources on the private network available to Internet clients.
For example, suppose you install a web server on a private network whose boundary is a NAT, and you have your ISP create a domain name system (DNS) record so that www.example.com resolves to your public IP address (154.160.0.1). When an Internet client initiates communication with the web server on your private network, the following occurs:
1. A user on an Internet web client computer (using the public IP address 131.107.0.1) types http://www.example.com in a web browser.
2. The Internet web client uses DNS to resolve the name www.example.com to the address 154.60.0.1.
3. The Internet web client computer sends a Transmission Control Protocol (TCP) synchronization (SYN) segment from 131.60.0.1/TCP port 2000 to 154.60.0.1/TCP port 80.
4. When the NAT receives the TCP SYN segment, it checks its NAT translation table.
5. Because there is no entry for the destination 154.60.0.1/TCP port 80, the TCP SYN segment is silently discarded.
6. The Internet web client computer retries and eventually displays an error message.
Because there is no NAT mapping for the incoming traffic, resources on servers behind the NAT cannot be reached from the Internet.
The solution to this connectivity problem is to manually configure a static mapping on the NAT for traffic from the Internet to the resource server. To forward incoming traffic to a resource server on the private network, you can configure either of two types of static mapping:
• You can map all traffic for a particular public IP address to a particular private IP address (address mapping). The advantage of this type of mapping is that it is easy to configure: because all traffic for the public IP address is forwarded, you do not have to identify the types of traffic, by TCP and UDP port, running on the private network computer. The disadvantage is that the private network computer is now directly exposed to the Internet, which makes it easier to attack. You can use the Internet Connection Firewall in Windows XP or other firewall software to help protect the private network computer. Another disadvantage is that you must obtain multiple public IP addresses: at least two, one for the traffic translated for the resource server and another for the traffic of the other private network computers.
• You can map a specific public IP address/port number to a specific private IP address/port number (address/port mapping). The advantage of this type of static mapping is that the resource server is less exposed to attack, because only the traffic permitted by the static address/port mapping can reach it. Another advantage is that you need only a single public address, which is used both for the traffic sent to the resource server and for the translated traffic of the other private network computers. The disadvantage of this type of mapping is that additional configuration is required: you must create a static mapping for each service on the resource server that you want to make available from the Internet.
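The following is an added example, not code from the original column: a small model of the NAT translation table described above. It shows why the unsolicited inbound SYN in the walkthrough is discarded, how a reply to an outbound session is admitted, and how an address/port mapping admits only one service while an address mapping exposes every port of the private host. The public address 154.60.0.1, client 131.60.0.1 and web server 192.168.0.99 are the column's sample values; 154.60.0.2 and 192.168.0.10 are constructed placeholders.

```python
# Added example, not from the original column. Sample addresses: 154.60.0.1,
# 131.60.0.1 and 192.168.0.99 come from the column; 154.60.0.2 (a second public
# address) and 192.168.0.10 (an ordinary private client) are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

@dataclass
class Nat:
    public_ip: str
    next_port: int = 1025
    dynamic: dict = field(default_factory=dict)       # (proto, pub port) -> (priv ip, priv port)
    address_maps: dict = field(default_factory=dict)  # pub ip -> priv ip
    port_maps: dict = field(default_factory=dict)     # (proto, pub ip, pub port) -> (priv ip, priv port)

    def outbound(self, pkt):
        """Private -> Internet: source becomes the public address plus a fresh port; entry recorded."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(pkt.proto, pub_port)] = pkt.src
        return Packet(pkt.proto, (self.public_ip, pub_port), pkt.dst)

    def inbound(self, pkt):
        """Internet -> private: forward only when a static or dynamic entry matches, else drop (None)."""
        ip, port = pkt.dst
        if (pkt.proto, ip, port) in self.port_maps:          # address/port mapping
            target = self.port_maps[(pkt.proto, ip, port)]
        elif ip in self.address_maps:                         # address mapping: every port forwarded
            target = (self.address_maps[ip], port)
        elif ip == self.public_ip and (pkt.proto, port) in self.dynamic:  # reply to outbound session
            target = self.dynamic[(pkt.proto, port)]
        else:
            return None
        return Packet(pkt.proto, pkt.src, target)

def scenario():
    nat = Nat("154.60.0.1")
    syn = Packet("tcp", ("131.60.0.1", 2000), ("154.60.0.1", 80))
    dropped = nat.inbound(syn) is None                         # step 5: no entry, SYN discarded
    out = nat.outbound(Packet("tcp", ("192.168.0.10", 5000), ("131.60.0.1", 80)))
    reply = nat.inbound(Packet("tcp", out.dst, out.src))       # reply matches the dynamic entry
    nat.port_maps[("tcp", "154.60.0.1", 80)] = ("192.168.0.99", 80)  # static address/port mapping
    web = nat.inbound(syn)                                     # now reaches the web server
    other = nat.inbound(Packet("tcp", ("131.60.0.1", 2001), ("154.60.0.1", 3389)))  # still dropped
    nat.address_maps["154.60.0.2"] = "192.168.0.99"             # address mapping on a second public address
    any_port = nat.inbound(Packet("tcp", ("131.60.0.1", 2002), ("154.60.0.2", 3389)))
    return dropped, reply.dst, web.dst, other is None, any_port.dst
```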
How to allow traffic to services behind the NAT computer
Before you configure the NAT computer, make sure that your ISP has created a DNS record that resolves the DNS name to the public IP address associated with the resource server.
The configuration used to allow traffic to the resource server depends on whether you are using Windows 2000 Server or Windows Server 2003, and on whether you are configuring an address mapping or an address/port mapping.
Windows 2000 Server
Before configuring a Windows 2000 Server-based NAT, you must configure a static IP address configuration on the resource server, including an IP address, subnet mask, default gateway (the private IP address of the NAT computer) and DNS server (also the private IP address of the NAT computer).
If the NAT acts as the DHCP allocator for the subnet connected to the private network, the private IP address and subnet mask must be within the IP address range configured on the NAT computer. This range is defined on the Address Assignment tab of the Network Address Translation (NAT) Properties dialog box. In addition, the IP address assigned to the resource server must be excluded from the range that the NAT computer allocates. To do this, click Exclude on the Address Assignment tab.
Address mapping
To configure an address mapping to the NAT computer running Windows 2000 Server, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open the server name, open IP Routing, and then click Network Address Translation (NAT).
3. In the details pane, right-click your public interface, and then click Properties.
4. Click the Address Pool tab.
5. If you have already configured the public IP address range assigned to you by your ISP, go to step 10.
6. Click Add.
7. In Add Address Pool, type the start IP address, subnet mask, and end IP address of a contiguous range of public IP addresses.
8. Click OK.
9. Repeat steps 6 through 8 for all the ranges that correspond to your public IP addresses.
10. Click Reservations.
11. In Reserve Addresses, click Add.
12. In Add Reservation, type the public IP address that corresponds to the resource server in Reserve this public IP address, type the private network address of the resource server in For this computer on the private network, and then select Allow incoming sessions to this address.
13. Click OK to add the address mapping.
14. Click OK to save the changes to the reserved addresses.
15. Click OK to save the changes to the public interface.
Address/port mapping
To configure an address/port mapping on a NAT computer running Windows 2000 Server, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open the server name, open IP Routing, and then click Network Address Translation (NAT).
3. In the details pane, right-click your public interface, and then click Properties.
4. On the Special Ports tab, select TCP or UDP under Protocol, and then click Add.
5. In Add Special Port, configure the following settings:
• Under Public address, select On this interface (if the traffic for the resource server is sent to the public address of the public interface) or On this address pool entry (if the resource server uses a reserved public address). If you select On this address pool entry, type the reserved public address.
• In Incoming port, type the TCP or UDP destination port number of the incoming traffic sent from the Internet to the resource server. For example, if the resource server is a web server, type 80 (TCP port 80 is the default web server TCP port).
• In Private address, type the static private IP address of the resource server.
• In Outgoing port, type the TCP or UDP destination port number of the traffic that the NAT computer forwards to the resource server. For example, if the resource server is a web server, type 80 (TCP port 80 is the default web server TCP port). This value is usually the same as the Incoming port value.
6. Click OK to add the special port mapping.
7. Click OK to save the changes to the public interface.
The figure below shows the Add Special Port dialog box for a resource server that acts as a web server and uses the private IP address 192.168.0.99. In this example, the NAT computer has only a single public IP address, so the On this address pool entry option is not available.
The following figure shows the relationship between the traffic sent to the resource server and the fields of the Add Special Port dialog box.
Windows Server 2003
Before configuring a Windows Server 2003-based NAT, you must create a static IP address configuration on the resource server, including an IP address, subnet mask, default gateway (the private IP address of the NAT computer) and DNS server (also the private IP address of the NAT computer). If the NAT acts as the DHCP allocator for the subnet connected to the private network, the IP address and subnet mask must be within the IP address range configured on the NAT computer. This range is defined in the NAT/Basic Firewall Properties dialog box of the Routing and Remote Access snap-in. In addition, the IP address assigned to the resource server must be excluded from the range that the NAT computer allocates. To do this, click Exclude on the Address Assignment tab.
Address mapping
To configure an address mapping on a NAT computer running Windows Server 2003, complete the same steps described in the previous address mapping section. However, in step 2, open the server name, open IP Routing, and then click NAT/Basic Firewall (instead of Network Address Translation (NAT)).
Address/port mapping
To configure an address/port mapping on a NAT computer running Windows Server 2003, complete the following steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the console tree, open the server name, open IP Routing, and then click NAT/Basic Firewall.
3. In the details pane, right-click your public interface, and then click Properties.
4. On the Services and Ports tab, look in the Services list for a predefined service that matches the resource server.
5. If there is a matching service, enable the mapping by selecting the check box for the service, and then click On this interface or On this address pool entry. If you select On this address pool entry, type the reserved public address. Then type the private address of the resource server in Private address and go to step 8.
6. If there is no matching service, click Add.
7. In the Add Service dialog box, configure the following options:
• In Description of Service, type a description of the service you are configuring.
• Under Public address, select On this interface (if the traffic for the resource server is sent to the public address of the public interface) or On this address pool entry (if the resource server uses a reserved public address). If you select On this address pool entry, type the reserved public address.
• Under Protocol, select TCP or UDP.
• In Incoming port, type the TCP or UDP destination port number of the incoming traffic sent from the Internet to the resource server.
• In Private address, type the static private IP address of the resource server.
• In Outgoing port, type the TCP or UDP destination port number of the traffic that the NAT computer forwards to the resource server.
8. Click OK to save the service configuration.
9. Click OK to save the changes to the public interface.
More information
For more information about NAT in Windows 2000 Server or Windows Server 2003, see the following resources:
• Windows Server 2003 Product Documentation
• Windows 2000 Server Product Documentation (Networking / Routing and Remote Access)
• Windows 2000 Server Resource Kit
• Windows 2000 Network Address Translation (NAT) (The Cable Guy, March 2001)
If you have questions about this column or want to send feedback, contact Microsoft TechNet. Please note that we cannot guarantee a reply. Original column: http://www.microsoft.com/china/technet/community/columns/cableguy/cg0503.mspx