Saturday, February 22, 2014

Document: Module 6: NAT as a Solution for Internet Connectivity (docx)

Module 6: NAT as a Solution for Internet Connectivity 3



Design Decisions for a NAT Solution
• Same Security Requirements for All Users
• Nonrouted Private Network
• Required Private Addressing
[Figure: NAT server connecting the private network to the Internet]


You must base your decision to use NAT as an Internet connectivity solution on
the size of the private network and the security requirements of the
organization. NAT is an appropriate solution for Internet connectivity when:
 Internet access and access to the private network is not restricted on a user-
by-user basis.
 The private network consists of any number of users in a nonrouted
environment.
 The organization requires private addressing for the computers on the
private network.




Features of NAT
• Translate Public and Private Addresses
• Supply IP Configuration to Clients
• Forward Name Resolution Requests
• Protect Private Network Resources
• Integrate into Existing Networks


To ensure an effective Internet connectivity solution, you need to understand
how the features of NAT support the organization’s connectivity requirements.
NAT is one of the protocols supported by Routing and Remote Access in
Windows 2000; therefore, to use NAT, you must include Routing and Remote
Access in your solution.
Translate Public and Private Addresses
The network address translation feature of NAT secures the private network by
hiding the private network addresses from Internet-based users. Network
address translation allows one or more public addresses to be translated to the
private Internet Protocol (IP) addressing scheme within the private network.
Network address translation is inherent in NAT and necessitates the use of
private addressing.

Note: For situations where a public address exists for each computer on the
private network, you can use IP routing as provided in Routing and Remote
Access.

Supply IP Configuration to Clients
The automatic IP address assignment feature of NAT supplies the IP
configuration to client computers on the private network. This feature of NAT
eliminates the requirement for a separate DHCP server. You can use automatic
IP address assignment to configure any DHCP-compatible client.
Forward Name Resolution Requests
The name resolution feature of NAT uses DNS proxies to forward requests for
name resolution. The NAT server sends client requests to the appropriate DNS
servers on the private network, or across the Internet.



Protect Private Network Resources
NAT protects private network resources from Internet-based users by enabling
communications with a specific port on a specific private network IP address.
To provide this protection, NAT uses address pools and special ports. The
NAT server forwards requests from Internet-based users to the computers on
the private network that manage the resource.
Integrate into Existing Networks
When you integrate NAT into existing networks, consider that NAT:
• Supports automatic IP configuration of client computers that use DHCP for
configuration.
• Provides IP configuration. You must ensure that DHCP servers do not
provide IP configuration for the private network.
• Supports only the IP protocol, not any other routable protocols such as
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
• Cannot perform address translation on certain protocols.
The following is a list of protocols that are not supported by NAT:
  • Simple Network Management Protocol (SNMP)
  • Lightweight Directory Access Protocol (LDAP)
  • Component Object Model (COM) or Distributed Component Object Model (DCOM)
    Many applications may use DCOM to communicate between clients and
    servers in a multi-tier solution.
  • Kerberos Version 5
    The Active Directory directory service uses the Kerberos V5 protocol, so
    domain controllers cannot replicate through NAT.
  • Microsoft Remote Procedure Call (RPC)
    Many of the Microsoft Management Console (MMC) snap-ins use RPC to
    communicate between the client and the server.
  • Internet Protocol Security (IPSec) packets that use IP header encryption


Note: For any applications that require the protocols not supported by NAT,
use Microsoft Proxy Server 2.0 as the Internet connectivity solution.
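
As an added illustration (not code from the module), the following Python model shows how the translation table described under Translate Public and Private Addresses and Protect Private Network Resources behaves, and why the protocols listed above cannot be translated: the server rewrites only the IP header and port, so an address that RPC, DCOM or Kerberos carries inside the payload stays private. The addresses 203.0.113.10 and 198.51.100.7 and the class and function names are constructed for the example.

```python
import ipaddress

# Added example, not code from the module: a minimal model of the NAT server's
# translation table. 203.0.113.10 (a constructed, documentation-range value)
# stands in for the server's public address; the private side is 192.168.0/24.
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")

class NatServer:
    def __init__(self, public_ip, special_ports=None):
        self.public_ip = public_ip
        self.sessions = {}                 # public port -> (private ip, private port)
        self.next_port = 1025              # first port handed to a new session
        # "special ports": static mappings that publish one port of one private
        # host to the Internet, e.g. {80: ("192.168.0.20", 80)} for a web server
        self.special_ports = dict(special_ports or {})

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if ipaddress.ip_address(pkt["src"]) not in PRIVATE_NET:
            raise ValueError("outbound packet is not from the private network")
        key = (pkt["src"], pkt["sport"])
        port = next((p for p, v in self.sessions.items() if v == key), None)
        if port is None:                   # first packet of this session
            port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[port] = key
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt):
        """Rewrite the destination of a packet from the Internet; None = dropped."""
        target = self.sessions.get(pkt["dport"]) or self.special_ports.get(pkt["dport"])
        if target is None:                 # neither an open session nor a special port
            return None
        return {**pkt, "dst": target[0], "dport": target[1]}

def payload_address_reachable(nat, pkt):
    """RPC, DCOM and Kerberos carry an endpoint address inside the payload; the
    NAT server rewrites only the IP header and port, so a peer that answers to
    the advertised address is handed a private, non-routable one."""
    translated = nat.outbound(pkt)
    advertised = translated.get("payload_addr")     # untouched by translation
    return advertised is None or ipaddress.ip_address(advertised) not in PRIVATE_NET
```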






Designing a Functional NAT Solution
• Integrating NAT into the Existing Network
• Selecting NAT Server Options
• Discussion: Designing NAT Solutions


Your design decisions establish the essential aspects of your NAT solution and
provide the foundation for your Internet connectivity design. You make these
decisions by:
• Determining the placement of the NAT server and the IP address, type of
persistence, and data rate of the NAT server interface.
• Selecting the appropriate automatic IP address assignment and DNS name
resolution feature options.




Integrating NAT into the Existing Network
• NAT Server Placement on the Private Network
• Interface Address and Subnet Mask Selection
• Interface Data Rate and Persistence Selection
[Figure: NAT server with a LAN interface to the private network and a demand-dial interface to the Internet]


The NAT server in your network design must have at least two interfaces: one
interface that connects to the Internet and one interface that connects to the
private network. For each NAT server interface, you must describe the interface
characteristics so that you can integrate the NAT server into the existing
network.
NAT Server Placement on the Private Network
You need to place the NAT server between the network segments to localize
network traffic and maintain security. The NAT server provided by
Windows 2000 is appropriate for connecting the private network to public
networks.
You must place the NAT server within the private network to:
• Isolate the network traffic to the source, destination, and intermediary
network segments.
• Create a screened subnet within the private network, thereby protecting
confidential data.
• Exchange network packets between dissimilar network segments, such as
between an Ethernet network segment and Integrated Services Digital
Network (ISDN).




Select the Interface Address and Subnet Mask
When selecting the NAT server interface address and subnet mask, remember
that:
• Each NAT server interface requires an IP address and subnet mask.
• The IP address assigned to the NAT interface must be within the range of
addresses that is assigned to the network segment that is directly connected
to the interface.
• The subnet mask assigned to the NAT server interface must match the
subnet mask that is assigned to the network segment that is directly
connected to the interface.

Select the Interface Data Rate and Persistence
Each NAT server interface connects to a private or public network segment.
These network segments can be persistent or non-persistent. In addition, the
data rates for these network segments can vary considerably. You need to
specify the data rate and persistence for each NAT server interface so that the
NAT server can connect to private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies
that are persistent interface connections. The data rate of the private network
segment is determined by the LAN technology, such as 100 megabits per
second (Mbps) data transfer rate for 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies that
can be persistent or non-persistent. Public network segments that appear to the
NAT server as LAN interfaces are persistent, and the data rate is determined by
the LAN technology.
Public network segments that appear as demand-dial interfaces are
non-persistent, and the data rate is determined by the underlying technology.
An example of this would be a 56 Kbps dial-up modem connection that supports a
maximum data rate of 56 Kbps.
When the public network segments are based on LAN technologies, you can
include demand-dial interfaces, such as a VPN connection over a digital
subscriber line (DSL) connection. Include a demand-dial interface in your
solution when:
• An exchange of credentials, such as VPN tunnel authentication, is required
to perform authentication.
• Charges, such as ISDN connection charges, are accumulated.




Selecting NAT Server Options
• Automatic IP Address Assignment
• DNS Name Resolution
[Figure: NAT server between the private network and the Internet, providing automatic addressing to private clients and forwarding name resolution to a DNS server]


In addition to providing network address translation, NAT provides automatic
addressing and name resolution for private network clients. These NAT server
options eliminate the need for additional Windows 2000–based servers to
provide the same function.
Automatic IP Address Assignment
The automatic IP address assignment feature in NAT supplies IP configuration
to any DHCP-compatible client on the private network. Include this feature in
your solution when the:
• Client computers on the private network use DHCP for IP configuration.
• Private network consists of a single, nonrouted subnet.

You must configure the NAT client computers on the private network such that
they automatically obtain their Transmission Control Protocol/Internet Protocol
(TCP/IP) configuration. When the computers on the private network are started,
the NAT server configures the TCP/IP options of the computers.



The following table lists the TCP/IP options and associated TCP/IP settings that
are configured on the DHCP client computers.
This option    Is set to
IP address     An IP address from the range 192.168.0/24.
Subnet mask    255.255.255.0.
DNS server     The IP address of the NAT private network interface, which is
               typically 192.168.0.1.

You can also use Automatic Private IP Addressing (APIPA) in Windows 2000
and Microsoft Windows 98 to automatically configure computers on the private
network. When you use APIPA, you must manually select the IP address of the
private network interface for the NAT server from the range of APIPA
addresses.

Note: If you enable the automatic IP addressing feature, ensure that DHCP
servers do not provide IP configuration for the private network because the
DHCP servers and the NAT server would both attempt to configure the
computers.
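
The following Python checks are added here and are not part of the module. They apply the two rules from Select the Interface Address and Subnet Mask (address inside the connected segment, mask equal to the segment's mask) and then build the client TCP/IP options from the table above, refusing the two configurations the notes warn about: a DHCP server still serving the private network, and an APIPA deployment whose NAT private address is outside 169.254.0.0/16. The function and parameter names are assumptions.

```python
import ipaddress

# Added example, not code from the module. check_nat_interface applies the two
# interface rules (address inside the connected segment, mask equal to the
# segment's mask); client_tcpip_options builds the options from the table above.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # Automatic Private IP Addressing

def check_nat_interface(address, subnet_mask, segment):
    """Return a list of design problems for one NAT interface (empty = OK).

    segment is the network directly connected to the interface, e.g.
    "192.168.0.0/24"."""
    seg = ipaddress.ip_network(segment)
    iface = ipaddress.ip_interface(f"{address}/{subnet_mask}")
    problems = []
    if iface.ip not in seg:
        problems.append(f"{address} is outside segment {seg}")
    if iface.network.netmask != seg.netmask:
        problems.append(f"mask {subnet_mask} differs from segment mask {seg.netmask}")
    if iface.ip in (seg.network_address, seg.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {seg}")
    return problems

def client_tcpip_options(nat_private_ip, segment, use_apipa=False, dhcp_servers=()):
    """One options dict per leasable client address: IP address, subnet mask and
    DNS server (the NAT private interface), as in the table above.

    Raises ValueError for the two conditions the module warns about: DHCP
    servers still serving the private network, and an APIPA deployment whose NAT
    private address was not picked from the APIPA range."""
    seg = ipaddress.ip_network(segment)
    nat_ip = ipaddress.ip_address(nat_private_ip)
    problems = check_nat_interface(nat_private_ip, seg.netmask, segment)
    if dhcp_servers:
        problems.append("DHCP servers must not configure the private network: "
                        + ", ".join(dhcp_servers))
    if use_apipa and nat_ip not in APIPA_NET:
        problems.append(f"with APIPA the NAT private address must be in {APIPA_NET}")
    if problems:
        raise ValueError("; ".join(problems))
    return [{"IP address": str(host), "Subnet mask": str(seg.netmask),
             "DNS server": nat_private_ip}
            for host in seg.hosts() if host != nat_ip]
```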

DNS Name Resolution
The name resolution feature of NAT forwards DNS name resolution requests
from clients on the private network to DNS servers across the Internet. Include
this feature in your solution when:
• Other private network servers do not provide DNS name resolution.
• The private network consists of a single, nonrouted subnet.




Discussion: Designing NAT Solutions
[Figure: map of the United Kingdom and Ireland showing Edinburgh, Glasgow, Dublin, London, Belfast, Birmingham and Bristol]


As you create NAT designs, you need to translate information relating to the
solution into design requirements. This discussion involves the design of basic
NAT solutions. During the discussion, note any ideas presented by other
students in the class that are relevant to the NAT solution.
The following scenario describes the current network configuration of a firm
that represents electronic component manufacturers. Read the scenario and
answer the questions. Be prepared to discuss your answers with the class.
Scenario
A firm represents a number of electronic component manufacturers. The central
sales office is located in London with regional representatives located
throughout the United Kingdom. The regional representatives conduct business
from their homes.
Each regional representative currently has one computer running Microsoft
Windows 95 that uses a direct dial-up connection to a remote access server in
the London central sales office to place orders. In addition, the representatives
also connect to the Internet, through local Internet service providers (ISPs), so
they can view product information from the electronic manufacturers they
represent.



Questions
1. The London central sales office is upgrading the order entry and order
tracking system to a Web-based solution that uses distributed Microsoft SQL
Server version 7.0 databases. The new order system requires the regional
representatives to add an additional computer running Windows 2000
Advanced Server and SQL Server 7.0. The order entry system updates order
information over the Internet in real time, so a permanent Internet
connection is required. What solutions that use the NAT services in
Windows 2000 could you recommend to the company?


2. The director of sales for the firm is evaluating contact management software
for use by the regional representatives. The software would allow the
regional representatives to manage customer contact information, and allow
sales managers in the London central sales office to review activity on key
customer accounts. The repository for the contact information is a SQL
Server database in the London office. What impact would the selection of
the contact management software have on your design?

