
Module 6: NAT As a Solution for Internet Connectivity.


1 Module 6: NAT As a Solution for Internet Connectivity

2 When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. In Microsoft® Windows® 2000, the Network Address Translation (NAT) protocol that is provided by Routing and Remote Access provides a solution for Internet connectivity, and protects the resources of private networks. NAT is an appropriate solution for Internet connectivity requirements for organizations that have limited security requirements and a relatively small number of users within each location.

3 At the end of this module, you will be able to:
- Evaluate NAT as a solution for Internet connectivity.
- Evaluate and create a functional design for baseline Internet connectivity.
- Select appropriate strategies to secure a NAT Internet connectivity solution.
- Select appropriate strategies to enhance Internet connection availability and improve Internet connectivity performance.
Note: Throughout the remainder of the module, NAT is used to describe the NAT protocol in Windows 2000.

4 Overview
- Introducing NAT
- Designing a Functional NAT Solution
- Securing a NAT Solution
- Enhancing a NAT Design for Availability and Performance

5 Introducing NAT
- Design Decisions for a NAT Solution
- Features of NAT

6 NAT connects private networks to the Internet while also protecting the private network resources. To design a strategy for providing Internet connectivity by using NAT, you must:
- Establish the design requirements for a NAT solution.
- Identify how the features provided by NAT support the Internet connectivity design requirements.

7 Design Decisions for a NAT Solution
- Same Security Requirements for All Users
- Nonrouted Private Network Required
- Private Addressing
(Diagram labels: Internet, NAT)

8 You must base your decision to use NAT as an Internet connectivity solution on the size of the private network and the security requirements of the organization. NAT is an appropriate solution for Internet connectivity when:
- Internet access and access to the private network are not restricted on a user-by-user basis.
- The private network consists of any number of users in a private address (RFC 1918) environment.
- The organization requires private addressing for the computers on the private network.

9 Features of NAT
- Translate Public and Private Addresses
- Supply IP Configuration to Clients
- Forward Name Resolution Requests
- Protect Private Network Resources
- Integrate into Existing Networks

10 Features of NAT To ensure an effective Internet connectivity solution, you need to understand how the features of NAT support the organization's connectivity requirements. NAT is one of the protocols supported by Routing and Remote Access in Windows 2000; therefore, to use NAT, you must include Routing and Remote Access in your solution.

11 Translate Public and Private Addresses The network address translation feature of NAT secures the private network by hiding the private network addresses from Internet-based users. Network address translation allows one or more public addresses to be translated to the private Internet Protocol (IP) addressing scheme within the private network. Network address translation is inherent in NAT and necessitates the use of private addressing. Note: For situations where a public address exists for each computer on the private network, you can use IP routing as provided in Routing and Remote Access.

12 Supply IP Configuration to Clients The automatic IP address assignment feature of NAT supplies the IP configuration to client computers on the private network. This feature of NAT eliminates the requirement for a separate DHCP server. You can use automatic IP address assignment to configure any DHCP-compatible client.

13 Forward Name Resolution Requests The name resolution feature of NAT uses DNS proxies to forward requests for name resolution. The NAT server sends client requests to the appropriate DNS servers on the private network, or across the Internet.

14 Protect Private Network Resources NAT protects private network resources from Internet-based users by enabling communications with a specific port on a specific private network IP address. To provide this protection, NAT uses address pools and special ports. The NAT server forwards requests from Internet-based users to the computers on the private network that manage the resource.

15 Integrate into Existing Networks When you integrate NAT into existing networks, consider that NAT:
- Supports automatic IP configuration of client computers that use DHCP for configuration.
- Provides IP configuration. You must ensure that DHCP servers do not provide IP configuration for the private network.
- Supports only the IP protocol, not any other routable protocols such as Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
- Cannot perform address translation on certain protocols.

16 The following is a list of protocols that are not supported by NAT:
- Simple Network Management Protocol (SNMP)
- Lightweight Directory Access Protocol (LDAP)
- Component Object Model (COM) or Distributed Component Object Model (DCOM). Many applications may use DCOM to communicate between clients and servers in a multi-tier solution.
- Kerberos Version 5. The Active Directory™ directory service uses the Kerberos V5 protocol, so domain controllers cannot replicate through NAT.
- Microsoft Remote Procedure Call (RPC). Many of the Microsoft Management Console (MMC) snap-ins use RPC to communicate between the client and the server.
- Internet Protocol Security (IPSec) packets that use IP header encryption
Note: For any applications that require the protocols not supported by NAT, use Microsoft Proxy Server 2.0 as the Internet connectivity solution.

17 Designing a Functional NAT Solution
- Integrating NAT into the Existing Network
- Selecting NAT Server Options
- Discussion: Designing NAT Solutions

18 Your design decisions establish the essential aspects of your NAT solution and provide the foundation for your Internet connectivity design. You make these decisions by:
- Determining the placement of the NAT server and the IP address, type of persistence, and data rate of the NAT server interface.
- Selecting the appropriate automatic IP address assignment and DNS name resolution feature options.

19 Integrating NAT into the Existing Network
- NAT Server Placement on the Private Network
- Interface Address and Subnet Mask Selection
- Interface Data Rate and Persistence Selection
(Diagram labels: Private Network, Internet, NAT, LAN Interface, Demand-Dial Interface)

20 Integrating NAT into the Existing Network The NAT server in your network design must have at least two interfaces: one interface that connects to the Internet and one interface that connects to the private network. For each NAT server interface, you must describe the interface characteristics so that you can integrate the NAT server into the existing network.

21 NAT Server Placement on the Private Network You need to place the NAT server between the network segments to localize network traffic and maintain security. The NAT server provided by Windows 2000 is appropriate for connecting the private network to public networks. You must place the NAT server within the private network to:
- Isolate the network traffic to the source, destination, and intermediary network segments.
- Create a screened subnet within the private network, thereby protecting confidential data.
- Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and Integrated Services Digital Network (ISDN).

22 Select the Interface Address and Subnet Mask When selecting the NAT server interface address and subnet mask, remember that:
- Each NAT server interface requires an IP address and subnet mask.
- The IP address assigned to the NAT interface must be within the range of addresses that is assigned to the network segment that is directly connected to the interface.
- The subnet mask assigned to the NAT server interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.

23 Select the Interface Data Rate and Persistence Each NAT server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for each NAT server interface so that the NAT server can connect to private and public network segments.

24 Interfaces that connect to private network segments Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.

25 Interfaces that connect to public network segments Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to the NAT server as LAN interfaces are persistent, and the data rate is determined by the LAN technology. Public network segments that appear as demand-dial interfaces are non-persistent, and the data rate is determined by the underlying technology. An example of this would be a 56 Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps. When the public network segments are based on LAN technologies, you can include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your solution when:
- An exchange of credentials, such as VPN tunnel authentication, is required to perform authentication.
- Charges, such as ISDN connection charges, are accumulated.

26 Selecting NAT Server Options
- Automatic IP Address Assignment
- DNS Name Resolution
(Diagram labels: Internet Name Resolution, DNS Server, Automatic Addressing, NAT, Private Network)

27 In addition to providing network address translation, NAT provides automatic addressing and name resolution for private network clients. These NAT server options eliminate the need for additional Windows 2000-based servers to provide the same function.

28 Automatic IP Address Assignment The automatic IP address assignment feature in NAT supplies IP configuration to any DHCP-compatible client on the private network. Include this feature in your solution when the:
- Client computers on the private network use DHCP for IP configuration.
- Private network consists of a single, nonrouted subnet.
You must configure the NAT client computers on the private network such that they automatically obtain their Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. When the computers on the private network are started, the NAT server configures the TCP/IP options of the computers.

29 The following table lists the TCP/IP options and associated TCP/IP settings that are configured on the DHCP client computers.
This option    Is set to
IP address     An IP address from the range 192.168.0.0/24.
Subnet mask    255.255.255.0.
DNS server     The IP address of the NAT private network interface, which is typically 192.168.0.1.

30 You can also use Automatic Private IP Addressing (APIPA) in Windows 2000 and Microsoft Windows 98 to automatically configure computers on the private network. When you use APIPA, you must manually select the IP address of the private network interface for the NAT server from the range of APIPA addresses. Note: If you enable the automatic IP addressing feature, ensure that DHCP servers do not provide IP configuration for the private network because the DHCP servers and the NAT server would both attempt to configure the computers.
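The automatic addressing behaviour of slides 28 through 30 (one nonrouted private subnet, addresses handed out from it, the NAT private interface doubling as the DNS server, and the warning about a second DHCP server on the same subnet), worked through as an added Python model. This is illustrative code written for this page, not the Windows 2000 NAT implementation; the class and function names, the sticky per-client leases, the rule that the interface must carry an RFC 1918 or APIPA address, and the sample client identifiers and addresses are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Set


def is_valid_private_interface(interface: str) -> bool:
    """The NAT private interface must carry an RFC 1918 address, or an APIPA
    169.254/16 address when APIPA is used; a public address is rejected.
    (Modelling assumption for this example.)"""
    ip = ipaddress.ip_interface(interface).ip
    return ip.is_private and not ip.is_loopback


class NatAddressAssigner:
    """Hands out the three TCP/IP options the module's table lists: an address
    from the private subnet, that subnet's mask, and the NAT private interface
    as the DNS server. Leases are sticky per client identifier (constructed model)."""

    def __init__(self, interface: str) -> None:
        if not is_valid_private_interface(interface):
            raise ValueError(f"{interface} is not a private (RFC 1918/APIPA) address")
        self.iface = ipaddress.ip_interface(interface)   # e.g. 192.168.0.1/24
        self.network = self.iface.network                # e.g. 192.168.0.0/24
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def _next_free(self) -> ipaddress.IPv4Address:
        # Never hand out the NAT server's own address or an address already leased.
        taken = set(self.leases.values()) | {self.iface.ip}
        for host in self.network.hosts():
            if host not in taken:
                return host
        raise RuntimeError(f"address pool {self.network} exhausted")

    def client_options(self, client_id: str) -> Dict[str, str]:
        """The options a DHCP-compatible client receives when it starts."""
        if client_id not in self.leases:
            self.leases[client_id] = self._next_free()
        return {
            "ip_address": str(self.leases[client_id]),
            "subnet_mask": str(self.network.netmask),
            "dns_server": str(self.iface.ip),
        }

    def conflicting_leases(self, other_dhcp_leases: Iterable[str]) -> Set[str]:
        """Addresses that a separate DHCP server is leasing inside this subnet.
        Any hit means both servers would try to configure the same clients,
        which the module says must be avoided."""
        return {a for a in other_dhcp_leases if ipaddress.ip_address(a) in self.network}


if __name__ == "__main__":
    nat = NatAddressAssigner("192.168.0.1/24")
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66"):   # constructed client ids
        print(mac, nat.client_options(mac))
    # Constructed leases seen from another DHCP server on the LAN.
    print("conflicts:", nat.conflicting_leases(["192.168.0.77", "10.0.0.5"]))
```

Run it and the first client receives 192.168.0.2 with mask 255.255.255.0 and DNS 192.168.0.1, matching the table on slide 29; the conflict check reports 192.168.0.77 because it lies inside the NAT subnet while 10.0.0.5 does not.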

31 DNS Name Resolution The name resolution feature of NAT forwards DNS name resolution requests from clients on the private network to DNS servers across the Internet. Include this feature in your solution when:
- Other private network servers do not provide DNS name resolution.
- The private network consists of a single, nonrouted subnet.

32 Discussion: Designing NAT Solutions
(Map labels: Edinburgh, Glasgow, Dublin, London, Belfast, Birmingham, Bristol)

33 As you create NAT designs, you need to translate information relating to the solution into design requirements. The following scenario describes the current network configuration of a firm that represents electronic component manufacturers.

34 Scenario A firm represents a number of electronic component manufacturers. The central sales office is located in London with regional representatives located throughout the United Kingdom. The regional representatives conduct business from their homes. Each regional representative currently has one computer running Microsoft Windows 95 that uses a direct dial-up connection to a remote access server in the London central sales office to place orders. In addition, the representatives also connect to the Internet, through local Internet service providers (ISPs), so they can view product information from the electronic manufacturers they represent.

35 Securing a NAT Solution
- Restricting Internet Traffic by Using IP Filters
- Allowing Access with Address Pools and Special Ports
- Enhancing NAT Security with VPN

36 The default security provided by NAT is adequate to protect private network resources that are not available to Internet users. For Internet connectivity solutions that require restricted access to Internet sites or to private network resources, you need to incorporate the security features provided by NAT. To enhance the security of a NAT solution, consider:
- Specifying Routing and Remote Access filters.
- Allowing access to private network resources by using address pools and special ports.
- Enhancing NAT security with VPN connections.

37 Restricting Internet Traffic by Using IP Filters
- Restrict by Using Routing and Remote Access IP Filters
- Apply Filters to Internet or Private Network Interface
- Filter all Traffic Based on IP Address and Protocol
(Diagram labels: Private Network, Outgoing, NAT, Central Office, Internet, Incoming, NAT, Partner Network, Web Server)

38 To restrict access to the Internet or to the private network, you can specify unique Routing and Remote Access IP filters for each NAT interface. These filters are based on an incoming or outgoing IP address range and protocol. You can add multiple filters for each NAT interface to create a combination of filters that address any security requirements. Routing and Remote Access IP filters provide similar security to firewall filters.

39 You can specify Routing and Remote Access IP filters that restrict:
- Internet-based user access to private network resources.
- Private network user access to Internet-based resources, such as partner networks or central offices.

40 Restrict by Using Routing and Remote Access IP Filters Routing and Remote Access filters restrict traffic at International Organization for Standardization (ISO) layer two and affect all IP traffic received by a NAT interface. These filters specify which IP packets are forwarded or rejected by the NAT interface.

41 Apply Filters to the Internet or Private Network Interface You can apply Routing and Remote Access filters to the Internet or private NAT interface. The following table lists the interface types and describes the reasons for assigning a filter to each interface.
Create a filter on the       To restrict
Internet interface           Private network user access to Internet-based resources.
Private network interface    Internet-based user access to private network resources.

42 Packet Traffic Filters You can create Routing and Remote Access filters by specifying the source or destination IP address range, protocol type, or port number of the packets to be filtered. You can base your filter design upon any combination of the following:
- Source IP address range.
- Destination IP address range.
- IP protocol number.
You can design the filters to either accept or reject packets that match any of the filters assigned to the NAT interface.
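The filter model of slides 38 through 42 (per-interface filters matched on source range, destination range, IP protocol and port, with the whole set either accepting or rejecting the packets that match), worked through as an added Python model that evaluates sample packets against the two interface placements in the table on slide 41. This is illustrative code written for this page, not Routing and Remote Access itself; the class names, the "accept"/"reject" set actions, the private subnet 192.168.0.0/24, the partner network 203.0.113.0/24, the outside host 198.51.100.9, and the web server 192.168.0.10 are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers used by the sample filters


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None  # None for protocols without ports, such as ICMP


@dataclass(frozen=True)
class IPFilter:
    """One filter line. A field left as None matches anything, so a filter with
    only dst_range set matches every packet headed for that range."""
    src_range: Optional[str] = None   # CIDR text, e.g. "192.168.0.0/24"
    dst_range: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_range and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_range):
            return False
        if self.dst_range and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_range):
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        # A port test can never match a packet that carries no port (ICMP).
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


@dataclass
class InterfaceFilterSet:
    """Filters attached to one NAT interface. action="accept": forward only
    packets that match some filter and drop the rest; action="reject": drop
    packets that match some filter and forward the rest."""
    name: str
    action: str
    filters: List[IPFilter] = field(default_factory=list)

    def forwards(self, p: Packet) -> bool:
        matched = any(f.matches(p) for f in self.filters)
        return matched if self.action == "accept" else not matched


# Constructed policy for the Internet interface: private users may reach only
# the partner network (203.0.113.0/24 is a made-up block for this example).
INTERNET_INTERFACE = InterfaceFilterSet("Internet interface", "accept", [
    IPFilter(src_range="192.168.0.0/24", dst_range="203.0.113.0/24"),
])

# Constructed policy for the private network interface: Internet-based users may
# reach only TCP port 80 on the web server 192.168.0.10.
PRIVATE_INTERFACE = InterfaceFilterSet("Private network interface", "accept", [
    IPFilter(dst_range="192.168.0.10/32", protocol=TCP, dst_port=80),
])

# A reject-style set for contrast: everything is forwarded except Telnet.
NO_TELNET = InterfaceFilterSet("Internet interface (reject Telnet)", "reject", [
    IPFilter(protocol=TCP, dst_port=23),
])


def decide(filter_set: InterfaceFilterSet, p: Packet) -> str:
    return "forward" if filter_set.forwards(p) else "drop"


if __name__ == "__main__":
    samples = [  # constructed packets
        (INTERNET_INTERFACE, Packet("192.168.0.5", "203.0.113.20", TCP, 443)),
        (INTERNET_INTERFACE, Packet("192.168.0.5", "198.51.100.9", TCP, 443)),
        (PRIVATE_INTERFACE, Packet("198.51.100.9", "192.168.0.10", TCP, 80)),
        (PRIVATE_INTERFACE, Packet("198.51.100.9", "192.168.0.10", TCP, 22)),
        (PRIVATE_INTERFACE, Packet("198.51.100.9", "192.168.0.10", ICMP)),
        (NO_TELNET, Packet("192.168.0.5", "198.51.100.9", TCP, 23)),
    ]
    for fs, pkt in samples:
        print(f"{fs.name}: {pkt.src} -> {pkt.dst}:{pkt.dst_port} proto {pkt.protocol} => {decide(fs, pkt)}")
```

The two "accept" sets fail closed: anything not explicitly listed, including a port-less ICMP packet aimed at the web server, is dropped, which is the safer way to express a restriction. The "reject" set shows the opposite trade-off, where only the named traffic is stopped and everything else passes.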

43 Allowing Access with Address Pools and Special Ports
- Use the Default—All Computers Are Inaccessible
- Reserve Addresses from the Address Pool
- Define Special Port Mappings
(Diagram labels: Internet, Remote User, Special Port Mapping, NAT, Web Server, Private Network)

44 Allowing Access with Address Pools and Special Ports You can allow access to specific computers and applications within the private network by reserving IP addresses from the NAT Interface address pool, or by creating special port mappings.

45 Use the Default—All Computers Are Inaccessible By default, NAT discards any Internet-based requests to access computers located within the private network. As such, all computers on the private network are inaccessible from the Internet in a NAT solution. Choose the default configuration when users on the:
- Private network require access to Internet sites.
- Internet must not have access to any of the private network resource computers.

46 In situations where the default security provided by NAT is not appropriate, select the method for exposing private network resources to the Internet. You can select the method based on the number of public addresses available to the organization. The following table describes the strategies for enabling access to private network resources.
When the design includes       Enable access to private network resources by
Multiple public IP addresses   Reserving addresses from the address pool.
Single public IP address       Defining special port mappings.

47 Reserve Addresses from the Address Pool When the NAT solution includes multiple public IP addresses, you can place the addresses in an address pool to enable private network resource access. Address pools enable NAT to examine Internet-based requests and forward the requests to resources on a server within the private network. You must obtain and reserve a public IP address in the NAT address pool for each resource server on the private network. Note: Using address pools allows all IP ports on the resource server to be accessed. If the security specification of the design requires restricted IP port access, you can use Routing and Remote Access filters to restrict port access.

48 Define Special Port Mappings When the NAT solution includes only one public IP address, you must define special port mappings within Routing and Remote Access to enable private network resource access. Special port mappings enable NAT to examine the IP address and port number of Internet-based requests. NAT then forwards the requests to a specific IP address and port number of a resource server within the private network. For each resource that you share with the Internet, you must define separate special port mappings in Routing and Remote Access.
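The translation behaviour described on slides 11, 14 and 45 through 48, worked through as one added Python model: outbound packets from private addresses are rewritten to a public address and port, unsolicited inbound requests are discarded by default, a reserved pool address exposes every port of one private host (the note on slide 47), and a special port mapping exposes exactly one port. This is illustrative code written for this page, not the Windows 2000 NAT implementation; the class and method names, the port numbering that starts at 1025, the rule that the first public address is the one used for outbound translation, and the sample addresses (public 203.0.113.5 and 203.0.113.6, private 192.168.0.0/24, outside host 198.51.100.7) are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    src_port: int
    dst: str
    dst_port: int


Endpoint = Tuple[str, int]
Key = Tuple[int, str, int]  # (protocol, address, port)


class NatServer:
    """Translation table for a NAT server with one or more public addresses.
    Constructed model: the first public address is used for outbound translation,
    the remaining ones form the address pool that can be reserved for private hosts."""

    def __init__(self, public_ips: Iterable[str], first_port: int = 1025) -> None:
        self.public_ips = list(public_ips)
        self.primary = self.public_ips[0]
        self.next_port = first_port
        self.outbound: Dict[Key, Endpoint] = {}       # (proto, private ip, port) -> public endpoint
        self.inbound: Dict[Key, Endpoint] = {}        # (proto, public ip, port) -> private endpoint
        self.special_ports: Dict[Key, Endpoint] = {}  # published (proto, public ip, port) -> private endpoint
        self.reserved: Dict[str, str] = {}            # pool address -> private host, every port

    def reserve_address(self, public_ip: str, private_ip: str) -> None:
        """Address pool: one public address per exposed resource server."""
        if public_ip not in self.public_ips or public_ip == self.primary:
            raise ValueError(f"{public_ip} is not a free pool address")
        self.reserved[public_ip] = private_ip

    def add_special_port(self, protocol: int, public_port: int, private_ip: str,
                         private_port: int, public_ip: Optional[str] = None) -> None:
        """Special port mapping: one (protocol, port) on a public address -> one private endpoint."""
        self.special_ports[(protocol, public_ip or self.primary, public_port)] = (private_ip, private_port)

    def translate_outbound(self, p: Packet) -> Packet:
        """Private -> Internet: rewrite the source to the primary public address and a
        unique port; the same private endpoint keeps its mapping across packets."""
        if not ipaddress.ip_address(p.src).is_private:
            raise ValueError(f"{p.src} is not a private (RFC 1918) source")
        key = (p.protocol, p.src, p.src_port)
        if key not in self.outbound:
            mapping = (self.primary, self.next_port)
            self.next_port += 1
            self.outbound[key] = mapping
            self.inbound[(p.protocol, *mapping)] = (p.src, p.src_port)
        pub_ip, pub_port = self.outbound[key]
        return replace(p, src=pub_ip, src_port=pub_port)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> private: forward only replies to translated flows, published
        special ports, or reserved pool addresses; everything else is discarded."""
        key = (p.protocol, p.dst, p.dst_port)
        if key in self.inbound:
            priv_ip, priv_port = self.inbound[key]
        elif key in self.special_ports:
            priv_ip, priv_port = self.special_ports[key]
        elif p.dst in self.reserved:
            priv_ip, priv_port = self.reserved[p.dst], p.dst_port
        else:
            return None  # the default: private computers are unreachable from the Internet
        return replace(p, dst=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    nat = NatServer(["203.0.113.5", "203.0.113.6"])       # constructed public addresses
    nat.reserve_address("203.0.113.6", "192.168.0.20")     # whole host exposed via the pool
    nat.add_special_port(TCP, 80, "192.168.0.10", 8080)    # only the web server's port exposed
    out = nat.translate_outbound(Packet(TCP, "192.168.0.50", 40000, "198.51.100.7", 443))
    print("outbound:", out)
    print("reply:", nat.translate_inbound(Packet(TCP, "198.51.100.7", 443, out.src, out.src_port)))
    print("unsolicited:", nat.translate_inbound(Packet(TCP, "198.51.100.7", 5555, "203.0.113.5", 22)))
    print("special port:", nat.translate_inbound(Packet(TCP, "198.51.100.7", 5555, "203.0.113.5", 80)))
    print("pool address:", nat.translate_inbound(Packet(TCP, "198.51.100.7", 5555, "203.0.113.6", 3389)))
```

The last two lines of the demo show the difference the module draws between the two exposure methods: the special port mapping reaches only port 8080 on the web server, while the reserved pool address forwards whatever port the outside host chooses, which is why slide 47 recommends adding Routing and Remote Access filters when a pool address is used.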

49 Enhancing NAT Security with VPN
- Supports PPTP Tunnels
- Provides User Level Authentication
- Supports Inbound and Outbound Connections
(Diagram labels: Internet, Partner Network, VPN Server, NAT, Remote User, VPN Server, Private Network, VPN Servers, Central Office, NAT)

50 NAT does not provide security on a user-by-user basis. However, you can restrict access to resources by using VPN connections. VPNs authenticate users and encrypt data transferred across public networks.

51 For example, you can use VPN connections in a NAT solution to secure connections between:
- Remote users that need to access private network resources.
- Users on the private network and resources within partner organizations.
- Users on the private network and resources at other locations within the organization.

52 Enhancing NAT Security with VPN The following table lists solutions provided by VPN connections and describes how the solutions enhance the security of a NAT design.
VPN connections                                             To
Support Point-to-Point Tunneling Protocol (PPTP) tunnels    Provide authentication and encryption for sensitive data.
Provide user level authentication                           Secure access to remote resources over the Internet on a user-by-user basis.
Support inbound and outbound connections                    Allow access to private network resources from users outside the local private network. Allow access to resources outside the local private network.

53 Note: VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not supported because IPSec can encrypt the IP header and NAT cannot perform address translation.

54 Enhancing a NAT Design for Availability and Performance
- Dedicate a Computer to NAT
- Select Persistent Internet Connections
- Provide Multiple Internet Connections
(Diagram labels: Private Network, Internet, NAT, LAN Interface, Demand-Dial Interface)

55 You can enhance the availability and performance of NAT by dedicating a computer to NAT, selecting persistent Internet connections, or providing multiple Internet connections. Any of these strategies enhance availability and improve performance.

56 The following table describes how these strategies enhance availability and performance.
Dedicating a computer to NAT
  To enhance availability by: Preventing other applications that run on the same computer from becoming unstable, and ultimately requiring a restart of the computer.
  To optimize performance by: Preventing other applications that run on the same computer from consuming system resources and impacting NAT performance.
Selecting persistent Internet connections
  To enhance availability by: Preventing a lack of availability for dial-up connections, such as by busy signals.
  To optimize performance by: Eliminating the time required to establish a nonpersistent connection.
Providing multiple Internet connections
  To enhance availability by: Providing redundant connections to the Internet in the event one of the connections fails.
  To optimize performance by: Distributing the traffic across the multiple connections to the Internet.

57 Discussion: Enhancing a NAT Solution
(Map labels: Edinburgh, Glasgow, Dublin, London, Belfast, Birmingham, Bristol)

58 After you have provided a basic NAT solution, you need to examine the security, availability, and performance requirements for the solution. The following scenario describes the requirements for enhancing the NAT solution of the firm that represents the electronic component manufacturers.

59 Scenario During the deployment of the NAT solution for the firm that represents electronic component manufacturers, the firm decides to enhance the order entry and order tracking system. The enhancements allow customers to place orders and then track their orders by using a Web-based application over the Internet. Each regional sales representative will run a copy of the Web-based application on the computer running Windows 2000. As customers place orders, the SQL Server 7.0 database located in the regional representative's home office and the SQL Server 7.0 database in the London central sales office are updated.

60 Lab A: Designing a NAT Solution

61 Objectives After completing this lab, you will be able to:
- Evaluate a scenario to determine the requirements that affect a NAT solution.
- Design a NAT solution to fulfill the requirements of the scenario.

62 Prerequisites Before working on this lab, you must have:
- Knowledge of the design decisions required in creating a NAT solution.
- Knowledge of the design decisions that enhance the security, availability, and performance of a NAT solution.

63 Exercise 1: Designing a NAT Solution In this exercise, you are presented with the task of creating a NAT solution for a public utility. This public utility plans to relocate the offices of its customer service agents. You will design a NAT solution that supports the public utility's requirements. Review the scenario, diagrams, and design limitations and requirements and then answer the exercise questions.

64 Scenario A public utility is relocating its customer service staff from offices within the public utility main office to home offices. The customer service agents answer billing and customer questions regarding the utility service. The utility will provide Windows 2000-based computers to the customer service agents for use in their home offices. As the network architect for the public utility, you will create the design that allows the customer service agents to work from their home offices.

65 The current network configuration provides:
- Support for a mission-critical, Web-based application that allows the customer service agents to manage customers and their billing information.
- Support for a mission-critical, Web-based application that allows customers to make account payments and submit service requests over the Internet.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
- Internet connections installed in the home office, but not connected to the home office network.

66 Design Limitations and Requirements Your assessment of the existing network configuration, and your investigation of the future configuration requirements, reveal the following design requirements that you must meet in your NAT solution:
- Internet access from the central and home offices.
- Isolation of the central and home offices from the Internet.
- Connection for the home offices to the central office by using dedicated connections over the Internet.

67 Review
- Introducing NAT
- Designing a Functional NAT Solution
- Securing a NAT Solution
- Enhancing a NAT Design for Availability and Performance

