Network Address Translation

Applies To: Windows 7, Windows Server 2008 R2

Network address translation (NAT) provides a method for translating the Internet Protocol version 4 (IPv4) addresses of computers on one network into IPv4 addresses of computers on a different network. A NAT-enabled IP router deployed at the boundary where a private network, such as a corporate network, meets a public network, such as the Internet, allows computers on the private network to access computers on the public network by providing this translation service.

NAT technology was developed to provide a temporary solution to the IPv4 address-depletion problem. The number of available globally unique (public) IPv4 addresses is far too few to accommodate the rapidly increasing number of computers that need access to the Internet. The long-term solution, Internet Protocol version 6 (IPv6), is not yet widely adopted. NAT technology lets computers on any network use reusable private addresses to connect to computers with globally unique public addresses on the Internet.

RRAS supports a NAT solution by allowing the optional configuration of a routing protocol component that provides network address translation. Computers on a private network can access a public network by means of a NAT-enabled router that runs RRAS. All traffic leaving, or entering, the private network must travel by way of the NAT-enabled router.

NAT consists of the following components:

  • Translation. The RRAS server on which NAT is enabled translates the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.

  • Addressing. The NAT computer provides IP address configuration information to the other computers on the home network. The addressing component is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the home network as DHCP clients in order to receive the IP configuration automatically.

  • Name resolution. The NAT computer becomes the DNS server for the other computers on the home network. When the NAT computer receives name resolution requests, it forwards them to the Internet-based DNS server for which it is configured and returns the responses to the home network computer.

Internet private addresses

NAT makes the use of private, reusable network addresses possible. Internet Assigned Numbers Authority (IANA) has provided for an address reuse scheme by reserving network IDs for private networks. The private network IDs include:

  • with the subnet mask

  • with the subnet mask

  • with the subnet mask

For more information about portions of the IP address space that are reserved for private intranets, see RFC 1918, "Address Allocation for Private Internets." All addresses in these ranges are known as private addresses.

Private addresses cannot directly receive traffic from Internet locations. Therefore, if an intranet is using private addresses and communicating with Internet locations, the private address must be translated to a public address. A network address translator is placed between an intranet that uses private addresses and the Internet, which uses public addresses. Outgoing packets from the intranet have their private addresses translated by NAT into public addresses. Incoming packets from the Internet have their public addresses translated by NAT into private addresses.

Additional considerations

Because NAT includes addressing and name resolution components that provide DHCP and DNS services for hosts on the private network, you cannot run the following on an RRAS server:

  • The DHCP service or the DHCP Relay Agent if NAT addressing is enabled.

  • The DNS service if NAT TCP/IP networking name resolution is enabled.

Additional references