Network address translation design considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent problems, you should consider the following design issues before you implement network address translation.

Private network addressing

You should use addresses from the following Internet Assigned Numbers Authority (IANA) private IP network IDs: 10.0.0.0 with a subnet mask of 255.0.0.0, 172.16.0.0 with a subnet mask of 255.240.0.0, and 192.168.0.0 with a subnet mask of 255.255.0.0. By default, network address translation uses the private network ID 192.168.0.0 with the subnet mask of 255.255.255.0 for the private network.

For more information, see Enable network address translation addressing.

If you are using public IP addresses that have not been allocated by IANA or your ISP, then you may be using the IP network ID of another organization on the Internet. This is known as illegal or overlapping IP addressing. If you are using overlapping public addresses, then you cannot reach the Internet resources that use the overlapping addresses. For example, if you use 1.0.0.0 with the subnet mask of 255.0.0.0, then you cannot reach any Internet resources of the organization that is using the 1.0.0.0 network.

You can also exclude specific IP addresses from the configured range. Excluded addresses are not allocated to private network hosts.

Single or multiple public addresses

If you are using a single public IP address allocated by your ISP, no other IP address configuration is necessary. If you are using multiple IP addresses allocated by your ISP, then you must configure the network address translation (NAT) interface with your range of public IP addresses. For the range of IP addresses given to you by your ISP, you must determine whether the range can be expressed as a single IP address and mask.

If you are allocated a number of addresses that is a power of 2 (2, 4, 8, 16, and so on), you might be able to express the range by using a single IP address and mask; this works only when the first address in the range falls on a boundary that is a multiple of the range size. For example, if you are given the four public IP addresses 206.73.118.212, 206.73.118.213, 206.73.118.214, and 206.73.118.215 by your ISP, then you can express these four addresses as 206.73.118.212 with a mask of 255.255.255.252.

If your IP addresses are not expressible as an IP address and a subnet mask, you can enter them as a range or series of ranges by indicating the starting and ending IP addresses.

For more information, see Configure interface IP address ranges.
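As an added example (not part of the original page or of the Windows Server 2003 product), the following Python checks the two design points above: whether a private-side network ID lies wholly inside the IANA private blocks, and whether an ISP-allocated range can be entered as a single address plus mask. The page's four-address range is reused; the misaligned and three-address ranges are constructed here.

```python
import ipaddress

# The three IANA private network IDs the page lists, as network/mask.
IANA_PRIVATE = [
    ipaddress.IPv4Network("10.0.0.0/255.0.0.0"),
    ipaddress.IPv4Network("172.16.0.0/255.240.0.0"),
    ipaddress.IPv4Network("192.168.0.0/255.255.0.0"),
]


def is_private_network(network: str) -> bool:
    """True if the private-side network ID lies wholly inside an IANA private
    block. Anything else (1.0.0.0/8, 172.32.0.0/16, ...) overlaps someone
    else's public address space, which the translated hosts then cannot reach."""
    net = ipaddress.IPv4Network(network, strict=False)
    return any(net.subnet_of(block) for block in IANA_PRIVATE)


def range_as_address_and_mask(start: str, end: str):
    """Return (address, dotted mask) if the inclusive range start..end can be
    entered as one address-plus-mask, else None (enter it as start/end pairs).

    Two conditions must hold: the address count is a power of two, and the
    first address is a multiple of that count (the block is aligned)."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address precedes start address")
    count = last - first + 1
    if count & (count - 1):          # not a power of two
        return None
    if first % count:                # power of two, but misaligned
        return None
    host_bits = count.bit_length() - 1
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(mask))


if __name__ == "__main__":
    # The page's own four-address example, then two constructed ranges that fail.
    for rng in [("206.73.118.212", "206.73.118.215"),   # aligned block of 4
                ("206.73.118.213", "206.73.118.216"),   # 4 addresses, misaligned
                ("206.73.118.212", "206.73.118.214")]:  # 3 addresses
        print(rng, "->", range_as_address_and_mask(*rng))
    for net in ["192.168.0.0/255.255.255.0", "1.0.0.0/255.0.0.0"]:
        print(net, "private:", is_private_network(net))
```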

Allowing inbound connections

Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. Some programs that run from the private network create connections to Internet resources. The return traffic from the Internet can be translated because the connection was initiated from the private network.

To allow Internet users to access resources on your private network, you must do the following:

  • Configure a static IP address configuration on the resource server including IP address (from the range of IP addresses allocated by the NAT computer), subnet mask (from the range of IP addresses allocated by the NAT computer), default gateway (the private IP address of the NAT computer), and DNS server (the private IP address of the NAT computer).

  • Exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer.

  • Configure a special port. A special port is a static mapping of a public address and port number to a private address and port number. A special port maps an inbound connection from an Internet user to a specific address on your private network. By using a special port, you can create a Web server on your private network that is accessible from the Internet.

For more information, see Configure services and ports.

Configuring applications and services

You may need to configure applications and services to work properly across the Internet. For example, if users on your small office or home office (SOHO) network want to play the game Asheron's Call with other users on the Internet, network address translation must be configured for Asheron's Call.

For more information, see Configure services and ports.

VPN connections from a translated SOHO network

To access a private intranet using a virtual private network (VPN) connection from a translated SOHO network, you can use the Point-to-Point Tunneling Protocol (PPTP) and create a VPN connection from a host on the SOHO network to the VPN server of the private intranet on the Internet.

The Windows Server 2003 family allows L2TP/IPSec VPN connections to work with NAT. For more information, see Virtual Private Networks.