Network Address Translation (NAT)

Windows 2000 Server also includes another solution similar to ICS but more robust, in the form of the Network Address Translation protocol in Routing and Remote Access. While it basically consists of the same functional elements as ICS (and works in a very similar manner), NAT has some additional features that may make it a better fit than ICS in some environments.

The idea behind NAT is straightforward. The NAT server needs at least one external, public IP address, and every request for an external resource made by a client on the internal network is sent from that address. To servers on the Internet, this single address appears to be the source of all requests. In reality, the NAT server is making the requests on behalf of the internal clients and keeping track of them in a translation table held in memory, which maps each internal request to the corresponding external request. Specifically, the NAT server records the port number it used for the external request against the internal system that made the request (both the internal client's IP address and the port it used). When the appropriate response arrives, the NAT server looks up the port number the reply came in on, finds the matching entry in the table, and forwards the reply to the correct internal client. This setup allows many computers to access the Internet through a single external IP address.

You will need to configure the Routing and Remote Access tool on your Windows 2000 Server to support NAT. This is accomplished by adding NAT as a new routing protocol from within the tool.

Once added, NAT is configured through its properties. One of the main benefits of NAT is that you can choose whether or not the service should act as a DHCP server for internal clients. This lets you keep using an already established DHCP server to hand out addresses, or let NAT do so instead. NAT can also be used as a standard address translation service, for instance translating between internal public and external public ranges if such an addressing scheme is already in use, or simply to connect two different networks together while gradually moving towards an entirely new addressing scheme. For example, if two companies merge, they may be using incompatible address ranges while immediate connectivity is a priority; NAT would allow this as an interim solution prior to the reconfiguration of the entire network. The screenshot below outlines the DHCP functionality that can be configured if required, including address exclusions if necessary. Note that by default the private range will be used unless otherwise specified.

Another feature of NAT is the ability to handle DNS resolution requests if required via a DNS proxy function, where the internal clients forward their DNS resolution requests to the NAT server. Note that this ability is turned off by default (as is the address assignment function), but can be configured as required, even for demand-dial connections.

Much like ICS, NAT can also be configured to map external requests arriving on a certain port to an internal server, so that a web server or other service can be hosted behind the NAT server on the internal network.
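The translation table described above (outbound requests recorded against the public port they were sent from, replies matched on that port and forwarded to the right internal client) and the inbound port mapping just mentioned can be modelled in a few dozen lines. The following is an added example written for this page, not code from Windows 2000 or from the author; the `NatServer` and `Packet` names, the port range and all addresses are constructed assumptions. It also shows why the translation table behaves like a basic filter: inbound traffic that matches no table entry and no static mapping has nowhere to go and is dropped, while every static port mapping deliberately publishes one internal host to the outside.

```python
"""Simulation of a NAT translation table (added example, not from the article).

All IP addresses are constructed sample values from the RFC 1918 and
documentation ranges; the port range and class names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


@dataclass
class NatServer:
    public_ip: str           # the single external address all requests appear to come from
    first_port: int = 1024   # assumed pool of public ports used for translations
    last_port: int = 65535
    # (internal client endpoint, remote endpoint) -> public port used for the request
    _outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # public port -> (internal client endpoint, remote endpoint) for matching replies
    _inbound: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # static mappings for hosted services: public port -> internal server endpoint
    _static: Dict[int, Endpoint] = field(default_factory=dict)
    _next_port: int = 0

    def __post_init__(self) -> None:
        self._next_port = self.first_port

    def add_port_mapping(self, public_port: int, internal: Endpoint) -> None:
        """Publish an internal server (e.g. a web server) on a public port."""
        if public_port in self._static or public_port in self._inbound:
            raise ValueError(f"public port {public_port} already in use")
        self._static[public_port] = internal

    def _allocate_port(self) -> int:
        """Hand out the next unused public port, wrapping around the pool."""
        for _ in range(self.last_port - self.first_port + 1):
            port = self._next_port
            self._next_port = port + 1 if port < self.last_port else self.first_port
            if port not in self._inbound and port not in self._static:
                return port
        raise RuntimeError("translation table full")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a client's request so it appears to come from the public address."""
        key = (pkt.src, pkt.dst)
        port = self._outbound.get(key)
        if port is None:  # first packet of this flow: create the table entry
            port = self._allocate_port()
            self._outbound[key] = port
            self._inbound[port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet arriving at the public address, or return None to drop it."""
        if pkt.dst[0] != self.public_ip:
            return None
        public_port = pkt.dst[1]
        if public_port in self._static:  # published service: any external host may reach it
            return Packet(pkt.src, self._static[public_port], pkt.payload)
        entry = self._inbound.get(public_port)
        if entry is None:  # nobody inside asked for this: unsolicited, dropped
            return None
        internal, remote = entry
        # Stricter than the article's port-only matching: the reply must also
        # come from the host the client actually contacted.
        if pkt.src != remote:
            return None
        return Packet(pkt.src, internal, pkt.payload)

    def table_size(self) -> int:
        return len(self._inbound)


def demo() -> Optional[Packet]:
    """Two internal clients reach the same web server; one reply is delivered back."""
    nat = NatServer("203.0.113.10")
    nat.add_port_mapping(80, ("192.168.0.20", 80))  # web server hosted behind NAT
    out1 = nat.translate_outbound(Packet(("192.168.0.5", 3001), ("198.51.100.7", 80), "GET /"))
    out2 = nat.translate_outbound(Packet(("192.168.0.6", 3001), ("198.51.100.7", 80), "GET /"))
    print("client 1 seen as", out1.src, "client 2 seen as", out2.src)
    reply = Packet(out1.dst, out1.src, "200 OK")
    return nat.translate_inbound(reply)


if __name__ == "__main__":
    print("reply delivered to", demo().dst)
```

Note that both internal clients used local port 3001, so matching on the client's port alone would be ambiguous; it is the public port the NAT server allocated that disambiguates the flows, which is exactly what the in-memory table provides.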

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.