Module 6: NAT As a Solution for Internet Connectivity.

Date post: 23-Dec-2015


When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. In Microsoft® Windows® 2000, the Network Address Translation (NAT) protocol that is provided by Routing and Remote Access provides a solution for Internet connectivity, and protects the resources of private networks.

NAT is an appropriate solution for Internet connectivity requirements for organizations that have limited security requirements and a relatively small number of users within each location.


At the end of this module, you will be able to:

Evaluate NAT as a solution for Internet connectivity.

Evaluate and create a functional design for baseline Internet connectivity.

Select appropriate strategies to secure a NAT Internet connectivity solution.

Select appropriate strategies to enhance Internet connection availability and improve Internet connectivity performance.

Note: Throughout the remainder of the module, NAT is used to describe the NAT protocol in Windows 2000.


Overview

Introducing NAT

Designing a Functional NAT Solution

Securing a NAT Solution

Enhancing a NAT Design for Availability and Performance


Introducing NAT

Design Decisions for a NAT Solution

Features of NAT


NAT connects private networks to the Internet while also protecting the private network resources. To design a strategy for providing Internet connectivity by using NAT, you must:

Establish the design requirements for a NAT solution.

Identify how the features provided by NAT support the Internet connectivity design requirements.


Design Decisions for a NAT Solution

Same Security Requirements for All Users

Nonrouted Private Network

Required Private Addressing

[Slide diagram labels: Internet, NAT]


You must base your decision to use NAT as an Internet connectivity solution on the size of the private network and the security requirements of the organization. NAT is an appropriate solution for Internet connectivity when:

Internet access and access to the private network is not restricted on a user-by-user basis.

The private network consists of any number of users in a private address (RFC 1918) environment.

The organization requires private addressing for the computers on the private network.


Features of NAT

Translate Public and Private Addresses

Supply IP Configuration to Clients

Forward Name Resolution Requests

Protect Private Network Resources

Integrate into Existing Networks


Features of NAT

To ensure an effective Internet connectivity solution, you need to understand how the features of NAT support the organization's connectivity requirements. NAT is one of the protocols supported by Routing and Remote Access in Windows 2000; therefore, to use NAT, you must include Routing and Remote Access in your solution.


Translate Public and Private Addresses

The network address translation feature of NAT secures the private network by hiding the private network addresses from Internet-based users. Network address translation allows one or more public addresses to be translated to the private Internet Protocol (IP) addressing scheme within the private network. Network address translation is inherent in NAT and necessitates the use of private addressing.

Note: For situations where a public address exists for each computer on the private network, you can use IP routing as provided in Routing and Remote Access.


Supply IP Configuration to Clients

The automatic IP address assignment feature of NAT supplies the IP configuration to client computers on the private network. This feature of NAT eliminates the requirement for a separate DHCP server. You can use automatic IP address assignment to configure any DHCP-compatible client.


Forward Name Resolution Requests

The name resolution feature of NAT uses DNS proxies to forward requests for name resolution. The NAT server sends client requests to the appropriate DNS servers on the private network, or across the Internet.


Protect Private Network Resources

NAT protects private network resources from Internet-based users by allowing inbound communication only with a specific port on a specific private network IP address. To provide this protection, NAT uses address pools and special ports. The NAT server forwards these requests from Internet-based users to the computers on the private network that manage the resource.


Integrate into Existing Networks

When you integrate NAT into existing networks, consider that NAT:

Supports automatic IP configuration of client computers that use DHCP for configuration.

Provides IP configuration. You must ensure that DHCP servers do not provide IP configuration for the private network.

Supports only the IP protocol, not any other routable protocols such as Internetwork Package Exchange/Sequenced Packet Exchange (IPX/SPX).

Cannot perform address translation on certain protocols.

The following is a list of protocols that are not supported by NAT:

Simple Network Management Protocol (SNMP)

Lightweight Directory Access Protocol (LDAP)

Component Object Model (COM) or Distributed Component Object Model (DCOM). Many applications may use DCOM to communicate between clients and servers in a multi-tier solution.

Kerberos Version 5. The Active Directory™ directory service uses the Kerberos V5 protocol, so domain controllers cannot replicate through NAT.

Microsoft Remote Procedure Call (RPC). Many of the Microsoft Management Console (MMC) snap-ins use RPC to communicate between the client and the server.

Internet Protocol Security (IPSec) packets that use IP header encryption

Note: For any applications that require the protocols not supported by NAT, use Microsoft Proxy Server 2.0 as the Internet connectivity solution.


Designing a Functional NAT Solution

Integrating NAT into the Existing Network

Selecting NAT Server Options

Discussion: Designing NAT Solutions


Your design decisions establish the essential aspects of your NAT solution and provide the foundation for your Internet connectivity design. You make these decisions by:

Determining the placement of the NAT server and the IP address, type of persistence, and data rate of the NAT server interface.

Selecting the appropriate automatic IP address assignment and DNS name resolution feature options.

Integrating NAT into the Existing Network

NAT Server Placement on the Private Network

Interface Address and Subnet Mask Selection

Interface Data Rate and Persistence Selection

[Slide diagram: NAT server with a LAN interface to the private network and a demand-dial interface to the Internet]


Integrating NAT into the Existing Network

The NAT server in your network design must have at least two interfaces: one interface that connects to the Internet and one interface that connects to the private network. For each NAT server interface, you must describe the interface characteristics so that you can integrate the NAT server into the existing network.


NAT Server Placement on the Private Network

You need to place the NAT server between the network segments to localize network traffic and maintain security. The NAT server provided by Windows 2000 is appropriate for connecting the private network to public networks.

You must place the NAT server within the private network to:

Isolate the network traffic to the source, destination, and intermediary network segments.

Create a screened subnet within the private network, thereby protecting confidential data.

Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and Integrated Services Digital Network (ISDN).


Select the Interface Address and Subnet Mask

When selecting the NAT server interface address and subnet mask, remember that:

Each NAT server interface requires an IP address and subnet mask.

The IP address assigned to the NAT interface must be within the range of addresses that is assigned to the network segment that is directly connected to the interface.

The subnet mask assigned to the NAT server interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.


Select the Interface Data Rate and Persistence

Each NAT server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for each NAT server interface so that the NAT server can connect to private and public network segments.


Interfaces that connect to private network segments

Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.


Interfaces that connect to public network segments

Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to the NAT server as LAN interfaces are persistent, and the data rate is determined by the LAN technology.

Public network segments that appear as demand-dial interfaces are non-persistent, and the data rate is determined by the underlying technology. An example of this would be a 56 Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps.

When the public network segments are based on LAN technologies, you can include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your solution when:

An exchange of credentials, such as VPN tunnel authentication, is required to perform authentication.

Charges, such as ISDN connection charges, are accumulated.

Selecting NAT Server Options

Automatic IP Address Assignment

DNS Name Resolution

[Slide diagram: NAT server providing automatic addressing to the private network and forwarding Internet name resolution to a DNS server]


In addition to providing network address translation, NAT provides automatic addressing and name resolution for private network clients. These NAT server options eliminate the need for additional Windows 2000-based servers to provide the same function.


Automatic IP Address Assignment

The automatic IP address assignment feature in NAT supplies IP configuration to any DHCP-compatible client on the private network. Include this feature in your solution when the:

Client computers on the private network use DHCP for IP configuration.

Private network consists of a single, nonrouted subnet.

You must configure the NAT client computers on the private network such that they automatically obtain their Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. When the computers on the private network are started, the NAT server configures the TCP/IP options of the computers.

The following table lists the TCP/IP options and associated TCP/IP settings that are configured on the DHCP client computers.

IP address: an IP address from the range 192.168.0.0/24.

Subnet mask: 255.255.255.0.

DNS server: the IP address of the NAT private network interface, which is typically 192.168.0.1.


You can also use Automatic Private IP Addressing (APIPA) in Windows 2000 and Microsoft Windows 98 to automatically configure computers on the private network. When you use APIPA, you must manually select the IP address of the private network interface for the NAT server from the range of APIPA addresses.

Note: If you enable the automatic IP addressing feature, ensure that DHCP servers do not provide IP configuration for the private network because the DHCP servers and the NAT server would both attempt to configure the computers.
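A design check for the interface rules stated earlier in this section (each NAT interface address must lie inside the directly connected segment with a matching subnet mask, the private interface must carry an RFC 1918 address or, when APIPA is used for the clients, an address from the APIPA range, and the public interface must not carry a private address). This is an added Python example, not courseware from the module; the sample addresses, segment sizes and the dictionary layout are constructed for illustration, and the public side uses the RFC 5737 documentation range.

```python
import ipaddress

# Address ranges the module refers to (fixed by the standards, not by the page):
# RFC 1918 private space and the APIPA range 169.254.0.0/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_apipa(addr):
    return ipaddress.ip_address(addr) in APIPA


def check_interface(addr, mask, segment):
    """Check one NAT server interface (addr/mask) against the directly
    connected segment ('network/prefix'). Returns a list of findings; an
    empty list means the interface configuration is consistent."""
    findings = []
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen  # dotted mask -> prefix length
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    seg = ipaddress.ip_network(segment)
    if iface.ip not in seg:
        findings.append(f"{addr} is outside segment {segment}")
    if iface.network.netmask != seg.netmask:
        findings.append(f"mask {mask} does not match segment mask {seg.netmask}")
    if iface.ip in (seg.network_address, seg.broadcast_address):
        findings.append(f"{addr} is the network or broadcast address of {segment}")
    return findings


def check_nat_design(private_iface, public_iface, uses_apipa=False):
    """private_iface / public_iface are dicts with keys addr, mask, segment.
    uses_apipa=True means the clients are addressed with APIPA, so the NAT
    private interface address must be taken from the APIPA range."""
    findings = []
    for label, iface in (("private", private_iface), ("public", public_iface)):
        findings += [f"{label} interface: {f}" for f in check_interface(**iface)]
    priv = private_iface["addr"]
    if uses_apipa and not is_apipa(priv):
        findings.append(f"private interface {priv} must come from the APIPA range when APIPA is used")
    if not uses_apipa and not is_rfc1918(priv):
        findings.append(f"private interface {priv} is not an RFC 1918 private address")
    pub = public_iface["addr"]
    if is_rfc1918(pub) or is_apipa(pub):
        findings.append(f"public interface {pub} is a private or APIPA address and is not routable on the Internet")
    return findings


# Constructed sample design: 192.168.0.1/24 on the private side and a
# documentation-range (RFC 5737) address on the public side.
SAMPLE_PRIVATE = {"addr": "192.168.0.1", "mask": "255.255.255.0", "segment": "192.168.0.0/24"}
SAMPLE_PUBLIC = {"addr": "203.0.113.10", "mask": "255.255.255.248", "segment": "203.0.113.8/29"}

if __name__ == "__main__":
    for line in check_nat_design(SAMPLE_PRIVATE, SAMPLE_PUBLIC) or ["design is consistent"]:
        print(line)
```

The check is deliberately strict about the private side: a NAT private interface that is not an RFC 1918 (or, with APIPA, a 169.254.0.0/16) address defeats the point of the design, because the addresses behind the NAT server are then not guaranteed to be hidden from the Internet.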


DNS Name Resolution

The name resolution feature of NAT forwards DNS name resolution requests from clients on the private network to DNS servers across the Internet. Include this feature in your solution when:

Other private network servers do not provide DNS name resolution.

The private network consists of a single, nonrouted subnet.

Discussion: Designing NAT Solutions

[Slide map: United Kingdom and Ireland, with Edinburgh, Glasgow, Dublin, London, Belfast, Birmingham and Bristol marked]


As you create NAT designs, you need to translate information relating to the solution into design requirements.

The following scenario describes the current network configuration of a firm that represents electronic component manufacturers.


Scenario

A firm represents a number of electronic component manufacturers. The central sales office is located in London with regional representatives located throughout the United Kingdom. The regional representatives conduct business from their homes.

Each regional representative currently has one computer running Microsoft Windows 95 that uses a direct dial-up connection to a remote access server in the London central sales office to place orders. In addition, the representatives also connect to the Internet, through local Internet service providers (ISPs), so they can view product information from the electronic manufacturers they represent.


Securing a NAT Solution

Restricting Internet Traffic by Using IP Filters

Allowing Access with Address Pools and Special Ports

Enhancing NAT Security with VPN


The default security provided by NAT is adequate to protect private network resources that are not available to Internet users. For Internet connectivity solutions that require restricted access to Internet sites or to private network resources, you need to incorporate the security features provided by NAT. To enhance the security of a NAT solution, consider:

Specifying Routing and Remote Access filters.

Allowing access to private network resources by using address pools and special ports.

Enhancing NAT security with VPN connections.

Restricting Internet Traffic by Using IP Filters

Restrict by Using Routing and Remote Access IP Filters

Apply Filters to Internet or Private Network Interface

Filter All Traffic Based on IP Address and Protocol

[Slide diagram: NAT servers between the private network, the Internet, a central office and a partner network, with outgoing filters on the private network side and incoming filters in front of a Web server]


To restrict access to the Internet or to the private network, you can specify unique Routing and Remote Access IP filters for each NAT interface. These filters are based on an incoming or outgoing IP address range and protocol. You can add multiple filters for each NAT interface to create a combination of filters that address any security requirements. Routing and Remote Access IP filters provide similar security to firewall filters.


You can specify Routing and Remote Access IP filters that restrict:

Internet-based user access to private network resources.

Private network user access to Internet-based resources, such as partner networks or central offices.


Restrict by Using Routing and Remote Access IP Filters

Routing and Remote Access filters restrict traffic at International Organization for Standardization (ISO) layer two and affect all IP traffic received by a NAT interface. These filters specify which IP packets are forwarded or rejected by the NAT interface.

Apply Filters to the Internet or Private Network Interface

You can apply Routing and Remote Access filters to the Internet or private NAT interface. The following table lists the interface types and describes the reasons for assigning a filter to each interface.

Create a filter on the Internet interface to restrict: private network user access to Internet-based resources.

Create a filter on the private network interface to restrict: Internet-based user access to private network resources.


Packet Traffic Filters

You can create Routing and Remote Access filters by specifying the source or destination IP address range, protocol type, or port number of the packets to be filtered. You can base your filter design upon any combination of the following:

Source IP address range.

Destination IP address range.

IP protocol number.

You can design the filters to either accept or reject packets that match any of the filters assigned to the NAT interface.
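The filter design described above, as an added Python model that is not part of the module and not Windows 2000 code: a filter set attached to one NAT interface is evaluated as a whole, with a mode that either forwards or discards the packets matching any filter and gives the opposite decision to the rest. The filter fields follow the list above (source range, destination range, IP protocol number) plus the destination port mentioned earlier; the `accept_matching` / `reject_matching` names, the class names and all addresses are assumptions made for this model, which simplifies rather than reproduces the Windows 2000 filter dialog.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# Constructed packet model: only the fields an IP filter looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: Optional[int] = None


@dataclass(frozen=True)
class IPFilter:
    src: str = "0.0.0.0/0"       # source address range (CIDR); default = any
    dst: str = "0.0.0.0/0"       # destination address range (CIDR); default = any
    proto: Optional[int] = None  # IP protocol number; None = any protocol
    dport: Optional[int] = None  # destination port; None = any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class InterfaceFilterSet:
    """Filters attached to one NAT interface in one direction. 'mode' decides
    what happens to packets matching ANY filter; the rest get the opposite."""
    interface: str          # "internet" or "private"
    direction: str          # "incoming" or "outgoing"
    mode: str               # "accept_matching" or "reject_matching"
    filters: List[IPFilter]

    def decide(self, pkt: Packet) -> str:
        matched = any(f.matches(pkt) for f in self.filters)
        if self.mode == "accept_matching":
            return "forward" if matched else "drop"
        if self.mode == "reject_matching":
            return "drop" if matched else "forward"
        raise ValueError(f"unknown mode {self.mode!r}")


# Constructed scenario after the slide diagram: private network 192.168.0.0/24,
# partner network and central office on RFC 5737 documentation ranges.
PRIVATE_NET = "192.168.0.0/24"
PARTNER_NET = "198.51.100.0/24"
CENTRAL_OFFICE = "203.0.113.0/24"
WEB_SERVER = "192.168.0.10"

# Internet interface, outgoing: private users may reach only the partner
# network and the central office; any other Internet destination is dropped.
OUTGOING = InterfaceFilterSet("internet", "outgoing", "accept_matching", [
    IPFilter(src=PRIVATE_NET, dst=PARTNER_NET),
    IPFilter(src=PRIVATE_NET, dst=CENTRAL_OFFICE),
])

# Private interface, incoming: Internet users may reach only TCP/80 on the
# Web server; everything else destined for the private network is dropped.
INCOMING = InterfaceFilterSet("private", "incoming", "accept_matching", [
    IPFilter(dst=f"{WEB_SERVER}/32", proto=6, dport=80),
])

# Same interface in reject mode: forward everything except traffic to one
# confidential server (192.168.0.30, constructed).
BLOCK_CONFIDENTIAL = InterfaceFilterSet("private", "incoming", "reject_matching", [
    IPFilter(dst="192.168.0.30/32"),
])


def evaluate(filter_set: InterfaceFilterSet, packets: List[Packet]) -> List[str]:
    """Run each packet through the filter set; return the decisions in order."""
    return [filter_set.decide(p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("192.168.0.25", "198.51.100.7", 6, 80),   # to partner network
        Packet("192.168.0.25", "192.0.2.99", 6, 80),     # to an unrelated site
    ]
    for pkt, decision in zip(samples, evaluate(OUTGOING, samples)):
        print(pkt.dst, decision)
```

The two modes are the practical difference between a deny-by-default design (`accept_matching`, which is what a restricted-access requirement usually calls for) and an allow-by-default design with named exceptions (`reject_matching`); a filter set with no filters in `accept_matching` mode drops everything, which the model preserves.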

Allowing Access with Address Pools and Special Ports

Use the Default—All Computers Are Inaccessible

Reserve Addresses from the Address Pool

Define Special Port Mappings

[Slide diagram: a remote user on the Internet reaching a Web server on the private network through a special port mapping on the NAT server]


Allowing Access with Address Pools and Special Ports

You can allow access to specific computers and applications within the private network by reserving IP addresses from the NAT Interface address pool, or by creating special port mappings.


Use the Default—All Computers Are Inaccessible

By default, NAT discards any Internet-based requests to access computers located within the private network. As such, all computers on the private network are inaccessible from the Internet in a NAT solution. Choose the default configuration when users on the:

Private network require access to Internet sites.

Internet must not have access to any of the private network resource computers.

In situations where the default security provided by NAT is not appropriate, select the method for exposing private network resources to the Internet. You can select the method based on the number of public addresses available to the organization.

The following table describes the strategies for enabling access to private network resources.

When the design includes multiple public IP addresses: enable access to private network resources by reserving addresses from the address pool.

When the design includes a single public IP address: enable access to private network resources by defining special port mappings.


Reserve Addresses from the Address Pool

When the NAT solution includes multiple public IP addresses, you can place the addresses in an address pool to enable private network resource access. Address pools enable NAT to examine Internet-based requests and forward the requests to resources on a server within the private network.

You must obtain and reserve a public IP address in the NAT address pool for each resource server on the private network.

Note: Using address pools allows all IP ports on the resource server to be accessed. If the security specification of the design requires restricted IP port access, you can use Routing and Remote Access filters to restrict port access.


Define Special Port Mappings

When the NAT solution includes only one public IP address, you must define special port mappings within Routing and Remote Access to enable private network resource access. Special port mappings enable NAT to examine the IP address and port number of Internet-based requests. NAT then forwards the requests to a specific IP address and port number of a resource server within the private network. For each resource that you share with the Internet, you must define separate special port mappings in Routing and Remote Access.
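The three inbound behaviours described on the preceding slides (the default, in which unsolicited Internet requests are discarded; reserved addresses from the address pool, which expose every port of one private host; and special port mappings, which expose one port), together with the outbound translation that creates the sessions replies are matched against, as an added Python model. It is not part of the module and not Windows 2000 code: the `NatServer` class, the dynamic port range starting at 1025 and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]


class NatServer:
    """Model of default discard, address-pool reservations and special port
    mappings. Outbound sessions use the public interface address with a
    dynamic port from 1025 upward (an assumption of this model)."""

    def __init__(self, public_ip: str,
                 pool: Optional[Dict[str, str]] = None,
                 port_maps: Optional[Dict[Tuple[str, int], Endpoint]] = None):
        self.public_ip = public_ip
        self.pool = dict(pool or {})                   # reserved public addr -> private addr
        self.pool_reverse = {v: k for k, v in self.pool.items()}
        self.port_maps = dict(port_maps or {})         # (proto, public port) -> (private addr, port)
        self.sessions: Dict[Tuple[str, int], Endpoint] = {}        # (proto, public port) -> private endpoint
        self.sessions_reverse: Dict[Tuple[str, str, int], int] = {}  # (proto, private addr, port) -> public port
        self._ports = count(1025)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network."""
        if pkt.src in self.pool_reverse:
            # Host with a reserved public address: only the address changes.
            return Packet(pkt.proto, self.pool_reverse[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        for (proto, public_port), target in self.port_maps.items():
            if proto == pkt.proto and target == (pkt.src, pkt.sport):
                # Reply from a port-mapped service keeps the mapped public port.
                return Packet(pkt.proto, self.public_ip, public_port, pkt.dst, pkt.dport)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.sessions_reverse:
            public_port = next(self._ports)
            self.sessions_reverse[key] = public_port
            self.sessions[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.sessions_reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means it is discarded."""
        if pkt.dst in self.pool:
            # Reserved address: every port is forwarded to the private host.
            return Packet(pkt.proto, pkt.src, pkt.sport, self.pool[pkt.dst], pkt.dport)
        if pkt.dst != self.public_ip:
            return None
        target = self.port_maps.get((pkt.proto, pkt.dport))
        if target is None:
            target = self.sessions.get((pkt.proto, pkt.dport))
        if target is None:
            return None   # default: no mapping and no session, so the request is discarded
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])


def build_sample_nat() -> NatServer:
    """Constructed design: one public address used for translation, a second
    public address reserved from the pool for a server, and TCP/80 mapped to
    the Web server. All addresses are RFC 1918 / RFC 5737 sample values."""
    return NatServer(
        public_ip="203.0.113.10",
        pool={"203.0.113.11": "192.168.0.20"},
        port_maps={("tcp", 80): ("192.168.0.10", 80)},
    )


if __name__ == "__main__":
    nat = build_sample_nat()
    print(nat.inbound(Packet("tcp", "192.0.2.99", 40000, "203.0.113.10", 443)))  # discarded
    print(nat.inbound(Packet("tcp", "192.0.2.99", 40000, "203.0.113.10", 80)))   # Web server
    print(nat.inbound(Packet("tcp", "192.0.2.99", 40000, "203.0.113.11", 445)))  # reserved host
```

The model makes the security trade-off on the slides concrete: a reserved pool address forwards any port to the private host, so the host's exposure is that of a directly connected machine unless Routing and Remote Access filters narrow it, whereas a special port mapping exposes exactly one protocol and port.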

Enhancing NAT Security with VPN

Supports PPTP Tunnels

Provides User Level Authentication

Supports Inbound and Outbound Connections

[Slide diagram: VPN servers behind NAT at the private network, a partner network and the central office, with a remote user connecting across the Internet]


NAT does not provide security on a user-by-user basis. However, you can restrict access to resources by using VPN connections. VPNs authenticate users and encrypt data transferred across public networks.


For example, you can use VPN connections in a NAT solution to secure connections between:

Remote users that need to access private network resources.

Users on the private network and resources within partner organizations.

Users on the private network and resources at other locations within the organization.

Enhancing NAT Security with VPN

The following table lists solutions provided by VPN connections and describes how the solutions enhance the security of a NAT design.

VPN connections that support Point-to-Point Tunneling Protocol (PPTP) tunnels: provide authentication and encryption for sensitive data.

VPN connections that provide user level authentication: secure access to remote resources over the Internet on a user-by-user basis.

VPN connections that support inbound and outbound connections: allow access to private network resources from users outside the local private network, and allow access to resources outside the local private network.


Note: VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not supported because IPSec can encrypt the IP header and NAT cannot perform address translation.

Enhancing a NAT Design for Availability and Performance

Dedicate a Computer to NAT

Select Persistent Internet Connections

Provide Multiple Internet Connections

[Slide diagram: NAT server with a LAN interface to the private network and a demand-dial interface to the Internet]


You can enhance the availability and performance of NAT by dedicating a computer to NAT, selecting persistent Internet connections, or providing multiple Internet connections. Any of these strategies enhance availability and improve performance.

The following table describes how these strategies enhance availability and performance.

Strategy: Dedicating a computer to NAT
Enhances availability by: preventing other applications that run on the same computer from becoming unstable, and ultimately requiring a restart of the computer.
Optimizes performance by: preventing other applications that run on the same computer from consuming system resources and impacting NAT performance.

Strategy: Selecting persistent Internet connections
Enhances availability by: preventing a lack of availability for dial-up connections, such as by busy signals.
Optimizes performance by: eliminating the time required to establish a nonpersistent connection.

Strategy: Providing multiple Internet connections
Enhances availability by: providing redundant connections to the Internet in the event one of the connections fails.
Optimizes performance by: distributing the traffic across the multiple connections to the Internet.

Discussion: Enhancing a NAT Solution

[Slide map: United Kingdom and Ireland, with Edinburgh, Glasgow, Dublin, London, Belfast, Birmingham and Bristol marked]


After you have provided a basic NAT solution, you need to examine the security, availability, and performance requirements for the solution.

The following scenario describes the requirements for enhancing the NAT solution of the firm that represents the electronic component manufacturers.


Scenario

During the deployment of the NAT solution for the firm that represents electronic component manufacturers, the firm decides to enhance the order entry and order tracking system. The enhancements allow customers to place orders and then track their orders by using a Web-based application over the Internet.

Each regional sales representative will run a copy of the Web-based application on the computer running Windows 2000. As customers place orders, the SQL Server 7.0 database located in the regional representative's home office and the SQL Server 7.0 database in the London central sales office are updated.


Lab A: Designing a NAT Solution


Objectives

After completing this lab, you will be able to:

Evaluate a scenario to determine the requirements that affect a NAT solution.

Design a NAT solution to fulfill the requirements of the scenario.


Prerequisites

Before working on this lab, you must have:

Knowledge of the design decisions required in creating a NAT solution.

Knowledge of the design decisions that enhance the security, availability, and performance of a NAT solution.


Exercise 1: Designing a NAT Solution

In this exercise, you are presented with the task of creating a NAT solution for a public utility. This public utility plans to relocate the offices of its customer service agents. You will design a NAT solution that supports the public utility's requirements.

Review the scenario, diagrams, and design limitations and requirements and then answer the exercise questions.


Scenario

A public utility is relocating its customer service staff from offices within the public utility main office to home offices. The customer service agents answer billing and customer questions regarding the utility service.

The utility will provide Windows 2000-based computers to the customer service agents for use in their home offices. As the network architect for the public utility, you will create the design that allows the customer service agents to work from their home offices.


The current network configuration provides:

Support for a mission-critical, Web-based application that allows the customer service agents to manage customers and their billing information.

Support for a mission-critical, Web-based application that allows customers to make account payments and submit service requests over the Internet.

Support for all mission-critical applications to be available 24-hours-a-day, 7-days-a-week.

Internet connections installed in the home office, but not connected to the home office network.


Design Limitations and Requirements

Your assessment of the existing network configuration, and your investigation of the future configuration requirements, reveal the following design requirements that you must meet in your NAT solution:

Internet access from the central and home offices.

Isolation of the central and home offices from the Internet.

Connection for the home offices to the central office by using dedicated connections over the Internet.


Review

Introducing NAT

Designing a Functional NAT Solution

Securing a NAT Solution

Enhancing a NAT Design for Availability and Performance

