Configuring Windows Server 2003 to act as a NAT router
http://www.windowsnetworking.com/articles_tutorials/Configuri...
More years ago than I care to think about, IP addresses were handed out to companies on an indiscriminate basis. As the popularity of the Internet increased, IP addresses soon grew to be a scarce commodity. Internet service providers began to strictly limit the number of IP addresses that they would lease to companies. This presented an interesting challenge. A PC has to have an IP address in order to communicate with the Internet, but there weren’t enough IP addresses left for every PC to be given one. The solution to this problem was a technology called Network Address Translation (NAT). Today, NAT is alive and well, and more popular than ever. In this article, I will explain what NAT is and how you can configure Windows Server 2003 to act as a NAT router.

Published: Nov 17, 2005
Updated: Nov 17, 2005
Section: Articles & Tutorials :: Windows 2003
Author: Brien M. Posey
3/21/2009 8:50 PM
What is NAT?

So what is NAT? Network Address Translation, or NAT, is a technology that uses a router to share an Internet connection among the PCs on your private network, even though those PCs do not have a valid public IP address. There are both hardware and software NAT routers. In this particular situation, we will be configuring a Windows Server 2003 machine to act as a software based NAT router.

As you probably know, a router’s primary purpose is to regulate traffic flow between two networks, and a NAT router is no exception. The server that you will use as a NAT router must have two network interface cards (NICs) installed. One of these NICs will connect to the Internet and the other will connect to the private network. PCs on the private network will then send HTTP requests to the NAT server via the server’s private network connection. The server will then retransmit the request over the Internet on behalf of the client. When the requested Web site responds, the response is sent to the NAT server, which in turn forwards it to the client who made the original request. The client never communicates across the Internet directly.
IP Addressing Considerations

As I explained in the section above, a NAT router acts as a gateway between your private network and the Internet. The server that is acting as the NAT router must have two NICs. One of the NICs is connected to the Internet. This NIC must be assigned the IP address that was given to you by your Internet Service Provider. The other NIC connects to your private network.

As I mentioned, NAT does not expect you to have valid IP addresses on your private network. Instead, you are basically free to pick an address range at random. There is the off chance that the range that you pick might already be in use by a popular Web site, but I have only seen someone pick an address range that caused problems once. If you want to use an address range that is guaranteed not to interfere with anything on the Internet, you can use the 192.168.x.x address range.

After you pick an address range, I recommend setting up a DHCP server so that it will assign addresses from your chosen address range (the DHCP term for an address range is a scope) to the workstations on your network. You must, however, statically assign an address to the NIC on the NAT server that connects to your private network. For example, if you chose to use the address range 192.168.1.0 to 192.168.1.99, then you might consider assigning the address 192.168.1.0 to the NAT server. You could then use the 192.168.1.1 to 192.168.1.99 address block as your DHCP scope.

While you are configuring your DHCP server, there are a couple of other considerations that you need to make. As you may know, DHCP allows you to optionally assign a default gateway and a DNS server to workstations along with an IP address. When doing so, you must set the default gateway address to match the private network address that you assigned to your NAT server.
You have a few different options when choosing which DNS server address the DHCP server should assign to the workstations on your network. If you don’t have your own DNS server, then the best thing that you can do is to just use the IP address of your Internet service provider’s DNS server. If your network is running Active Directory though, then you already have a DNS server and you should use its address. It doesn’t matter if your DNS server is authoritative for your domain or not. Simply point the workstations to it. You can then set up a forwarder on the DNS server so that any unresolved queries get forwarded to your ISP’s DNS server.

The advantage to pointing clients to your own DNS server rather than to your ISP’s DNS server is that doing so will provide your users with better performance. Your DNS server is local, so queries reach the server more quickly than they would reach a remote server. Furthermore, your DNS server has a built-in cache so that popular Web sites do not have to be resolved each time a user visits them.
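The addressing rules in this section can be checked before the DHCP scope goes live. The script below is an added example, not part of the original article; `check_plan` is a hypothetical helper, and the 255.255.255.0 (/24) mask is an assumption, since the article does not state a mask. Under that mask, 192.168.1.0 is the network address and cannot be bound to the NAT server's NIC, which the first sample plan shows.

```python
import ipaddress

# RFC 1918 private blocks; the article's 192.168.x.x range is one of them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(subnet, nat_private_ip, scope_start, scope_end, dhcp_gateway):
    """Return a list of problems found in a private-side addressing plan."""
    net = ipaddress.ip_network(subnet)
    nat_ip = ipaddress.ip_address(nat_private_ip)
    first = ipaddress.ip_address(scope_start)
    last = ipaddress.ip_address(scope_end)
    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{net} is not RFC 1918 space and may shadow real Internet hosts")
    # Every address must sit in the subnet and be a usable host address.
    for label, ip in (("NAT server address", nat_ip),
                      ("DHCP scope start", first), ("DHCP scope end", last)):
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address of {net}")
    if first > last:
        problems.append("DHCP scope start is above scope end")
    elif first <= nat_ip <= last:
        problems.append(f"static NAT server address {nat_ip} lies inside the DHCP scope")
    # Clients must be handed the NAT server's private address as their gateway.
    if ipaddress.ip_address(dhcp_gateway) != nat_ip:
        problems.append(f"DHCP default gateway {dhcp_gateway} does not match NAT server {nat_ip}")
    return problems

# Constructed sample plans (subnet, NAT server, scope start, scope end, gateway).
ARTICLE_PLAN = ("192.168.1.0/24", "192.168.1.0", "192.168.1.1", "192.168.1.99", "192.168.1.0")
ADJUSTED_PLAN = ("192.168.1.0/24", "192.168.1.1", "192.168.1.2", "192.168.1.99", "192.168.1.1")
PUBLIC_PLAN = ("203.0.113.0/24", "203.0.113.1", "203.0.113.10", "203.0.113.99", "203.0.113.254")

if __name__ == "__main__":
    for name, plan in (("article", ARTICLE_PLAN), ("adjusted", ADJUSTED_PLAN),
                       ("public range", PUBLIC_PLAN)):
        print(name, check_plan(*plan) or "OK")
```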
Setting Up NAT

Begin by selecting the Routing and Remote Access command from Windows’ Administrative Tools menu. When you do, Windows will display the Routing and Remote Access console. Locate your server (just below the Server Status). There should be a big red dot to the left of the server, indicating that the server is currently inactive. Now, right click on the server and select the Configure and Enable Routing and Remote Access command from the resulting shortcut menu. When you do, Windows will launch the Routing and Remote Access Server Setup Wizard. Click Next to bypass the wizard’s Welcome screen.

You will now see a screen that’s similar to the one that’s shown in Figure A. This screen allows you to select various configurations for Routing and Remote Access (RRAS). RRAS can be configured to do just about anything that you want, but Microsoft has included several templates to make the configuration process easier for common deployment types. Select the Network Address Translation (NAT) option and click Next.

Figure A: Select the Network Address Translation (NAT) option and click Next

The next screen that you will see, shown in Figure B, is a rather important one to pay attention to. The screen gives you the choice of selecting a network interface that is connected to the external network (usually the Internet) or to select a demand dial interface. In case you are wondering, demand dial is a feature that allows Windows to establish a dial-up connection whenever external connectivity is needed. For the purpose of this article, I am assuming that you have a broadband connection to the Internet. Additionally, I am assuming that the NIC that the broadband connection comes in through has a static IP address assigned to it. You will have to select that network interface.

Figure B: Select the NIC that connects the server to the outside world

Before you click Next, you should notice that there is a check box that allows you to enable a firewall for the connection. I recommend always selecting this option. The firewall will keep unwanted traffic out of your network. If you need to grant external users access to some service on your network, you have the option of configuring port forwarding to pass packets through the firewall to the desired network resource.

After you enable the RRAS firewall, click Next and you will see a screen asking you to select the network that will have shared Internet access. Although the dialog box uses some weird wording, it is basically just asking you to select the NIC that is attached to your private network. Make your selection, and click Next, followed by Finish to complete the process.
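The translation described under "What is NAT?" and the firewall and port forwarding behavior described above can be modeled in a few lines. This is an added example, not code from the article and not how RRAS is implemented; `NatRouter` is a hypothetical simplified model that matches replies on the exact remote address and port, and all addresses are constructed documentation-range placeholders.

```python
import itertools

class NatRouter:
    """Simplified port-translating NAT with a default-deny inbound filter."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mappings = {}   # public port -> (private ip, private port, remote endpoint)
        self.forwards = {}   # public port -> (private ip, private port), static rules
        self._ports = itertools.count(50000)  # constructed dynamic port pool

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Client to Internet: rewrite the source to the public address."""
        pub_port = next(self._ports)
        self.mappings[pub_port] = (src_ip, src_port, (dst_ip, dst_port))
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet to public address: deliver only replies or forwarded ports."""
        entry = self.mappings.get(dst_port)
        if entry and entry[2] == (src_ip, src_port):
            return ("reply", entry[0], entry[1])
        if dst_port in self.forwards:
            return ("forwarded",) + self.forwards[dst_port]
        return ("dropped", None, None)

    def add_port_forward(self, public_port, private_ip, private_port):
        """Static rule that publishes one internal service."""
        self.forwards[public_port] = (private_ip, private_port)

def demo():
    nat = NatRouter("198.51.100.10")
    # A workstation requests a Web page; the server sees only the public address.
    sent = nat.outbound("192.168.1.20", 1034, "203.0.113.80", 80)
    reply = nat.inbound("203.0.113.80", 80, sent[1])
    # A different host aiming at the same public port has no matching mapping.
    stranger = nat.inbound("203.0.113.66", 40000, sent[1])
    # Unsolicited mail traffic is dropped until a forward for port 25 exists.
    before = nat.inbound("203.0.113.66", 40000, 25)
    nat.add_port_forward(25, "192.168.1.5", 25)
    after = nat.inbound("203.0.113.66", 40000, 25)
    return sent, reply, stranger, before, after

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Each port forward is a deliberate opening in the default-deny filter, so the forward table is the list to review when auditing what the private network exposes.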
Conclusion

In this article, I have explained how you can use a NAT server as a way of sharing an Internet connection among the users on your network. I then went on to explain how IP addressing should be configured and how to configure RRAS to act as a NAT router.
About Brien M. Posey

Brien Posey is an award winning author who has written over 3,000 articles and written or contributed to 27 books. You can visit Brien’s personal Web site at www.brienposey.com