Configuring NAT

For the purpose of this example, I’m going to assume that we’re using NAT overloading (PAT) to allow our internal clients to access the Internet through a single public IP address. We’ll also create a static inbound mapping to allow external clients to gain access to a web server on our private network. The network properties used in this example are the same as those found in this figure.

Our first step involves configuring interface Ethernet 0 with its private IP address, and designating it as the internal NAT interface. The ip nat inside command designates an interface as internal.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#ip address
Router(config-if)#ip nat inside

The next step involves configuring Serial 0 with an IP address, and specifying it as the external NAT interface. External NAT interfaces are defined with the ip nat outside command.

Router(config-if)#int s0
Router(config-if)#ip address
Router(config-if)#ip nat outside

Depending on the NAT technique being used, a range of IP addresses could be configured as part of the NAT “pool”. Because we’re using NAT overloading, this “pool” will only consist of a single address – The subnet mask associated with an address pool is specified with the prefix command.

Router(config)#ip nat pool Toronto prefix 28

After the pool is defined, it needs to be configured for overloading. This is accomplished using the command shown below, which defines an access list. In this example, access list 88 allows us to control which addresses can access the Internet via NAT.

Router(config)#ip nat inside source list 88 pool Toronto overload
Router(config)#access-list 88 permit

Assuming that internal clients are configured with addresses in the range, and that their default gateways are set to, they should now be able to access the Internet through the router’s NAT implementation.

In order to allow external clients to access the web server on our internal private network, we’ll create a mapping that tells NAT to forward all requests to address port 80 to the internal address, port 80. This is accomplished using the command shown below.

Router(config)#ip nat inside source static tcp 80 80

Once implemented, NAT statistics can be viewed using the show ip nat statistics command, while address translations can be viewed using show ip nat translations.

NAT Inbound Mapping

While NAT is most commonly looked at as a way to allow internal clients to gain access to the Internet, it can also be used to allow external Internet hosts to gain access to resources on a private network. Recall that by default, a NAT server will drop all packets that are not replies to requests that were originated from the internal private network. However, it is also possible that your company has servers on its internal privately addressed network that need to be accessible from the Internet – both mail and web servers are good examples. In order to accomplish this, companies will most commonly use what is known as an inbound static mapping. This technique takes requests that are made to a certain ports on the external public interface of the NAT router, and statically maps them to an address and port number on the private network. If multiple public IP addresses are available, individual public addresses can be mapped to internal private addresses on a one-to-one basis.

Imagine that a company wishes to host its web server internally. In order for Internet clients to access our server, it will need to be accessible using a public IP address. In this example, the web server has a private address,, and is waiting for connections on the default HTTP port, TCP 80. This is illustrated in the figure below.

Figure: A web server hosted on the internal private network can be accessed from the Internet if an inbound static mapping is defined.

In order to allow Internet hosts to access the HTTP server, we will need to create an inbound static mapping. This will involve configuring NAT such that when it receives a request on the router’s public interface that is destined for TCP port 80, it will forward the request to the web server at, port 80. To the outside world, it appears as though our web server can be found at the public address. In reality, these requests are being translated by NAT and forwarded to the designated address and port on the internal network. This allows us to host services on the internal network, without external clients being any the wiser as to the true location of a server.

NAT Overloading Port Address Translation (PAT)

Overloading is a very popular NAT technique, and is sometimes referred to as Port Address Translation (PAT). Instead of requiring multiple public IP addresses, overloading instead uses a single (or small number) of public address, and differentiates between sessions according to port number. When a client on the internal network wishes to access the Internet, it forwards the request to its configured gateway, the router running NAT. The router will translate the source address and port number of the packet to use the router’s public IP address and the same port number (if not already in use by another client), and will forward the “new” packet to the destination host. NAT mappings are stored in the router’s NAT table, as shown in the table below.

Table: The router’s NAT table shows a session mappings from three different internal clients.

When host attempts to access the web server at address, the request is first passed to the NAT server, where the source address and port number are translated, and a mapping is added to the NAT table. To the external web server, the request appears to be coming from address, TCP port 4085. The web server will send its reply to this address and port number. Once received by the router, it will look in its NAT table, and discover that since the packet’s destination is address TCP port 4085, it should be forwarded to internal host, TCP port 4085. The process is illustrated step-by-step in the figure below.

Figure: The steps involved when an internal client forwards a request to the Internet through a NAT router.

The overloading technique is obviously a very efficient way to implement NAT, since it requires only a single public IP address at a minimum. With thousands of TCP and UDP port numbers available, the technique is capable of supporting many internal clients using private addressing.

Dynamic NAT

Dynamic NAT works slightly differently in that private and public addresses are not mapped on a one-to-one basis. Instead, a range of public IP addresses is configured on the NAT device, and private internal clients will be mapped to an available address as necessary. The NAT table is built dynamically, avoiding the need for mappings to be statically defined. The address translation function that occurs is similar to that with static NAT, with the obvious exception that address mappings may change.

Static NAT

A static NAT implementation is one in which each private internal IP address is mapped to unique public external IP address. This technique involves defining a static NAT table on the router that maps each internal private address to its external public counterpart. Consider the example illustrated in the figure below. It shows a small network consisting of five client systems, each configured with a private address in the range. The router is configured for NAT, and has five external public addresses. The NAT table shown in the example illustrates the mapping between the private and public addresses.

Figure: With static NAT, each internal private address that requires access to the Internet is mapped to a dedicated public IP address.

With static NAT, when client attempts to access an Internet resource, the request will be forwarded to its configured default gateway, When the router receives this packet, it will change the source address to, as per the information stored in the NAT table. When the destination web server receives the request, it considers it to have originated from This is also the address to which the subsequent reply will be sent. Once received by the router, it will check its NAT table, and will again translate the packet such that its destination address is changed to The packet will then be forwarded to the internal client.

Companies generally don’t implement static NAT for the purpose of allowing internal hosts to gain access to the Internet. It is simply too time consuming to build the NAT table, and companies often do not have an available public IP address for each and every internal host. Instead, static NAT is most often used in order to allow Internet hosts to gain access to internal servers. This will be discussed shortly.

Network Address Translation

In Chapter 5 we took a look at how companies have moved to using private IP addresses on their internal networks. The reason for this transition is twofold. Firstly, the rapid growth of the Internet has led to a serious reduction in the number of public addresses available in the IP version 4 address space. While this is being addressed by a new version of IP (IPv6), the wide-scale deployment of IPv6 is likely to take many years to occur. The second reason for the increased use of private addresses is the benefit that they provide from a security and administration point of view. Not only do they allow administrators more flexibility in terms of addressing, these addresses are not routable on the public Internet, providing an additional layer of security for internal systems. The private internal IP address ranges specified in RFC 1918 include:

In order for hosts using private addresses to access the Internet, they require an intermediary device to process their requests. This is usually accomplished through the use of Network Address Translation (NAT), where requests from internal clients for resources on the public Internet are “translated”, such that they appear to have been initiated from a valid public Internet address.

Consider the example network illustrated in the figure below. A company has a small private network with hosts addressed in a private range – The router in the illustration is acting as a NAT device, and has one public IP address configured on its S0 interface. When internal hosts make a request for Internet resources, these requests are sent to the router, which is configured as the clients’ default gateway. The router, seeing that the request is for an external Internet address, will “translate” the packet, such that the source address and port number are changed to the public address associated with its S0 interface. The router will store a mapping in its NAT table that keeps track of which client initiated the request, so that the subsequent reply can be forwarded to the correct host.

Figure: Internal clients with private addresses gain access to the Internet through the NAT-enabled router.

Before looking at the different ways in which NAT can be implemented on a network, we should first look at what it is that we want to accomplish with NAT. For example, is our goal only to allow internal clients to access the public Internet, or do we also want to allow Internet systems to be able to gain access to certain internal servers? By default, NAT will act as a type of firewall, blocking all requests that do not originate from the internal private network. This allows internal clients to access Internet resources, but stops Internet clients from accessing our internal LAN. In cases where you have a server on your private network that must be accessible from the Internet (such as a web or mail server), NAT must be explicitly configured to forward these requests. If not, all requests that originate from the public Internet will be dropped.

There are a number of different ways in which NAT can be configured. The three most popular NAT implementation techniques are static NAT, dynamic NAT, and what is known as overloading. These techniques can be used individually, or in combination with one another.

Network Address Translation (NAT) Quick Start Guide

One topic that seems to cause users a great deal of anguish is the configuration of Network Address Translation (NAT) for the purpose of providing shared Internet access on private network. This guide is meant as a quick reference for those who need to implement NAT on networks, especially small networks that include Active Directory.

For all intents and purposes, the most simple way to provide your internal network with shared access of a broadband (or for that matter dial-up or ISDN) Internet connection is the Internet Connection Sharing (ICS) feature of Windows 2000. However, ICS also imposes a number of limitations that make it a poor choice for environments that include Active Directory. For example, when the external connection (the one to which a public IP address is assigned) is shared, it will automatically give the internal adapter an IP address of On top of this, ICS automatically configures itself as a mini-DHCP server, allocating addresses to internal clients in the range. Finally, ICS also works as a DNS proxy, expecting that your clients will use the ICS system as the destination for all DNS-related queries to the public Internet.

While this may work fine for small LANs, ICS makes life complicated on networks that already have an IP addressing structure in place (either through the use of static addresses or a via a separate DHCP server), as well as those running Active Directory (and by extension, DNS). In cases where you don’t want to undo your current IP addressing, and want a more robust Internet sharing solution, Windows 2000 NAT is the answer.

In this quick guide, I assume that the server on which you want to configure NAT is running Windows 2000 Server at a minimum, and has two network cards installed – one connected to your external network (using a DSL or cable connection, for example), and one connected to your internal LAN. NAT can also work with dial-on-demand modem or ISDN connections, but that’s another topic, for another time.

Network Address Translation (NAT)

Windows 2000 Server also includes another solution similar to ICS but more robust, in the form of the Network Address Translation protocol in Routing and Remote Access. While it basically consists of the same functional elements as ICS (and works in a very similar manner), NAT has some additional features that may make it a better fit than ICS in some environments.

The idea behind NAT is pretty straightforward. The system requires at least one external public IP address, from which all requests for external resources by clients on the internal network are made. This single IP address appears to be the one originating all requests to other servers on the Internet. In reality, the NAT server is making the requests for internal clients and keeping track of things by holding a table in memory that maps the internal request to an external request. The NAT server maps the port number that the external request was made on to the internal system that made the request (both the internal IP and port number used by the internal client). When the NAT server receives the appropriate response to its request, it looks at the table, sees which port number the reply is coming in on, and forwards the reply to the correct internal client. This setup allows many many computers to easily access the Internet off of only a single external IP address.

Obviously you will need to configure your Windows 2000 Server’s Routing and Remote Access tool to support NAT. This is accomplished by choosing to add a new routing protocol from within the tool.

Once added, NAT is configured by accessing its properties. One of the main benefits of NAT is that you can choose whether or not you wish for the services to act as a DHCP server for internal clients. This would allow you to continue using an already established DHCP server to hand out addresses, or use the functionality of NAT to do so. It will also allow NAT to be used as a standard address translation service, perhaps translating between internal public and external public ranges if such an addressing scheme is already in use, or simply to connect two different networks together while gradually moving towards an entirely new addressing scheme. For example, if two companies merged, they might be using incompatible ranges of addresses, with immediate connectivity being a priority. The screenshot below outlines the DHCP functionality that can be configured if required, including exclusions if necessary. Note that by default the private range will be used, unless otherwise specified.

NAT would allow this as an interim solution prior to the reconfiguration of the entire network. Another feature within NAT is the ability to continue to handles DNS resolution requests if required via a DNS proxy function (where the internal clients again forward DNS resolution requests to the NAT server). Note that this ability is turned off by default (as is the address assignment function), but can be configured as required, even for demand-dial connections.

Much like ICS, NAT can also be configured to allow external requests to a certain port to be mapped to an internal server, such that a web server or otherwise could be hosted behind the NAT server, on the internal network.

Internet Connection Sharing

A service first provided by Microsoft in its Windows 98 operating system, Internet Connection sharing is meant to allow a single Internet connection to be shared amongst multiple computers on a small network with minimal configuration. In Windows 2000, ICS is implemented via the actual sharing of a network interface, which has a ‘real’ IP address, either via a dial-up or fixed network connection. It is important to remember that ICS (which is available in both Windows 2000 Professional and Server) is mainly meant as a solution for small and home offices, and not larger enterprise environments.

How ICS actually works is quite simple. The machine on which ICS is configured is actually acting as a Network Address Translation (NAT) server. In a nutshell, Network Address Translation is usually used to translate between two connected ranges of IP addresses, usually one that is using a public IP address, and the other which is using a private address range. The ‘external’ interface has a real IP address, and the internal interface is given the private address The system also acts as a sort of mini DHCP server, handing out IP addresses in the range to clients on the internal network. To that end, clients use the addresses received, pointing to the interface as their default gateway. The ICS system also does a DNS proxy function, meaning that all client hostname resolution requests will be forwarded to the ICS system for resolution via the configured external DNS parameters.

The actual configuration of ICS couldn’t possibly be simpler. The key is to remember that you will require at least two interfaces on the ICS box. This might be accomplished using two network cards, or perhaps a network card and a dial-up connection such as one made via an ISDN adapter or analog modem. Remember the connection that you wish to ‘share’ is the one that will have the external IP address. If this is your modem, go into the properties of the connection object that you have created to connect to your ISP and share it as I have outlined below. If it were a second network card, you would access the Sharing tab of the appropriate Local Area Connection, and configure that instead.

Note the properties in the screen above. Enabling ICS is as simple as checking a checkbox, but you also have to decide whether or not you wish to enable on-demand dialing, which basically would enable the connection should a client on the external network make a request to an Internet-based resource. What you choose here would depend on the level of control that you wish to have over the Internet connection.

By default, ICS is configured such that all requests made to the external interface for resources inside your network are denied by default. This helps to protect your network from outside users. However, in many cases companies might be hosting FTP or Website internally, which they wish the outside world to be able to access. For these cases, you can configure options in the Settings area.

These setting can include standard services such as those shown above (FTP, SMTP, etc), or can include custom applications that you can define on the applications tab. Note that these will allow you to specify an external port that will ‘listen’ for requests on the external interface, and then forward them to the appropriate internal address that you specify.

Possibly the single most important thing to remember when running ICS is that all other internal DHCP servers must be removed, since ICS will be handling the DHCP server functionality on the network. Having other DHCP servers present may lead to conflicts.

Internet Connection Sharing (ICS)

Internet Connection Sharing (ICS) is a feature in Windows 2000 very similar to the same feature found in the second edition of Windows 98. With ICS, you can share a remote network connection from one machine with other machines on your single-subnet network. Essentially, ICS configures your Windows 2000 system as a Network Address Translation (NAT) server, translating private internal IP addresses to the public IP address provided by your ISP. Although this technology is usually used for sharing a Internet connection, it could also be used to share a connection to a private network. ICS is set up from the Sharing tab of the properties of a connection object.

A few important notes on ICS:

  • Ensure that the connection that is shared is the external connection (this would be your modem connection, or your second NIC connected to your DSL or Cable provider). You internal connection will automatically be reconfigured to support the range of addresses handed out by ICS.
  • Only an administrator can set up ICS.
  • You must have at least 2 connections on the system for it to work (for example, 1 NIC and a dial-up connection to your ISP)
  • ICS turns your machine into a mini-DHCP server, and will hand out addresses to your internal clients (who should be set to use DHCP).
  • You should not use ICS on a network containing existing DHCP servers (ICS does this), DNS servers (ICS proxies DNS requests), Windows 2000 domain controllers, or gateways (the gateway provided by ICS DHCP will be the ICS system internal interface). If you have these and need to continue using them, you will need to look at a server solution, such as NAT, found in Windows 2000 server Routing and Remote Access (RRAS).
  • ICS is simply a home and small office single-subnet connection sharing solution.