NAT Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


In this section

  • NAT Tools

  • NAT Registry Entries

  • Related Information

You can use the network address translation (NAT) tools and registry settings described here to enable, configure, and manage Routing and Remote Access NAT on a computer running Windows Server 2003.

NAT Tools

The following tools are associated with the NAT routing protocol component provided by the Microsoft Windows Server 2003 Routing and Remote Access service:

  • Routing and Remote Access snap-in

  • Network Connections

  • Netsh command-line tools for Routing and Remote Access NAT

Graphical User Interface Tools

The graphical user interface tools used to install and configure Routing and Remote Access NAT include Network Connections, used to configure TCP/IP properties for NAT clients to provide the client computers access to the Internet, and the Routing and Remote Access snap-in, used to install and configure Routing and Remote Access NAT on a server.

Network Connections

Category

Network Connections is included with the versions of the Windows operating systems as described in the next paragraph, “Version compatibility.”

Version compatibility

You can run Network Connections on any computer running Windows Server 2003, Windows XP, Windows 2000, or Windows NT version 4.0. However, Windows NT 4.0 does not support Routing and Remote Access NAT.

Network Connections options for NAT clients

You use the Network Connections tool to configure TCP/IP properties for NAT clients so that the client computers can use a NAT-enabled router to gain access to the Internet (or other public network).

The properties page for TCP/IP on client computers can be used for a variety of purposes. The following table lists which TCP/IP options are used to enable NAT clients to interact with a NAT-enabled router on a private network.

TCP/IP Properties Options Used for a NAT Client

Page / Tab / Option

Page: TCP/IP Properties; Tab: General

The following options on the adapter of the NAT client are used to enable the NAT client to access the NAT-enabled router:

  1. Under Use the following IP address, the values needed for the following options are specific to a NAT client:

    • IP address. The private IPv4 address of the client.

    • Subnet mask. The private subnet mask of the client.

    • Default gateway. The private IPv4 address of the NAT-enabled router.

  2. Under Use the following DNS server addresses, the value needed for the following option is specific to a NAT client:

    Preferred DNS server. The private IPv4 address of the NAT-enabled router, which is acting as a DNS proxy.

Page: TCP/IP Properties; Tab: Alternate Configuration

No NAT-related configuration is needed on this tab.

Page: Advanced TCP/IP Settings; Tab: IP Settings

Default gateways. A gateway using the private address of the NAT-enabled router (if appropriate).

Caution: This option is appropriate to use only if the client computer receives its IP address from a DHCP server (that is, this option is not appropriate if the client obtains its IP address from the NAT DHCP allocator).

Routing and Remote Access Snap-in

Category

The Routing and Remote Access snap-in is used with the Routing and Remote Access service, which is included with Windows Server 2003 and Windows 2000 Server. Routing and Remote Access is disabled by default. You can use the Routing and Remote Access snap-in, under Administrative Tools, to enable and configure the Routing and Remote Access service, including the optional NAT routing protocol component.

Version compatibility

The Routing and Remote Access snap-in is provided by the Routing and Remote Access service on computers running Windows Server 2003 and Windows 2000 Server. For Windows NT 4.0, the Routing and Remote Access Service (RRAS) and its snap-in are available as a separate download from the Microsoft Windows NT Server Routing and Remote Access Service Download page at https://go.microsoft.com/fwlink/?LinkId=22441. However, Windows NT 4.0 RRAS does not include NAT.

The following sections briefly summarize NAT-related tasks for which you can use the Routing and Remote Access snap-in. (In addition to NAT, the Routing and Remote Access snap-in is also used to configure LAN routing, dial-up or VPN remote access connections, and site-to-site connections between geographically remote networks.)

  • Enabling NAT while running the Routing and Remote Access wizard

  • Enabling both VPN and NAT while running the Routing and Remote Access wizard

Enabling NAT while running the Routing and Remote Access Wizard

If the Routing and Remote Access service is not yet enabled on a computer running Windows Server 2003, you can enable NAT when you run the Routing and Remote Access Wizard by selecting the Network Address Translation (NAT) option. The wizard also lets you choose to enable the Basic Firewall feature.

Choosing Network Address Translation (NAT) when you run the wizard establishes the following:

  • Configures the IP address of the private network interface (the LAN card that connects to the private network segment).

  • Configures the public interface. If the connection is a non-permanent connection (such as a dial-up modem), the wizard creates a demand-dial interface to the ISP and creates a default static route that uses the Internet interface. (If the connection is permanent, such as DDS, T-Carrier, Frame Relay, permanent ISDN, xDSL, or cable modem, the wizard does not create a demand-dial interface or static route for the interface.)

  • Adds the NAT routing protocol component.

  • Adds Internet and private network interfaces to the NAT routing protocol component.

  • If you chose the option to enable Basic Firewall while running the wizard, the wizard configures a basic stateful firewall on the public interface connected to the Internet.

    Note

    • If the network already has a firewall and you do not select the Basic Firewall option while running the wizard, the Routing and Remote Access snap-in entry for the NAT routing protocol component (under IP Routing in the console tree) displays as NAT/Basic Firewall. The name “NAT/Basic Firewall” does not indicate whether Basic Firewall is configured.

    • You can confirm whether Basic Firewall is configured by using the NAT/Basic Firewall tab on the properties page of the public (Internet-connected) interface.

Enabling both VPN and NAT while running the Routing and Remote Access Wizard

If the Routing and Remote Access service is not yet enabled on a computer running Windows Server 2003, you can configure the server both to provide NAT for the private network and also to accept VPN connections. You can do so when you run the Routing and Remote Access Wizard by selecting the Virtual Private Network (VPN) access and NAT option when the wizard begins.

Choosing Virtual Private Network (VPN) access and NAT specifies that computers on the Internet cannot determine the IP addresses of any computer on the private network, yet allows VPN clients to connect to computers on the private network.

Routing and Remote Access snap-in options for NAT-enabled routers

If the Routing and Remote Access service is already enabled on a server, or if you installed NAT by using the Routing and Remote Access Wizard and want to modify the NAT configuration, you can use the tools provided by the Routing and Remote Access snap-in to enable and configure, or modify, Routing and Remote Access NAT.

The Routing and Remote Access snap-in can be used for a variety of purposes unrelated to Routing and Remote Access NAT. The following table lists which options under the General and NAT/Basic Firewall nodes in the Routing and Remote Access snap-in are used for NAT-related tasks and describes the location in the Routing and Remote Access snap-in used for each task.

NAT-related Options in the Routing and Remote Access Console Tree

Node / Task

Node: General

Adding network address translation:

  • Under the server name for the server to be configured as the NAT-enabled router, expand IP Routing, right-click General, select New Routing Protocol, and then choose NAT/Basic Firewall.

Node: NAT/Basic Firewall

Adding and configuring public or private interfaces for the NAT routing protocol component:

  • Right-click NAT/Basic Firewall, and then click New Interface to add an internal interface to connect to the private network or to add a public interface to connect to the Internet.

    Note: You do not need to manually configure public or private interfaces for the NAT component if you used the Routing and Remote Access Setup wizard to configure NAT.

Viewing the NAT mapping table:

  • Click NAT/Basic Firewall, right-click the public interface in the details pane, and then click Show Mappings.

Viewing DHCP allocator information:

  • Right-click NAT/Basic Firewall, and then select Show DHCP Allocator Information to display the number of instances for each of the following:

    • Messages ignored

    • DECLINE messages received

    • DISCOVER messages received

    • INFORM messages received

    • RELEASE messages received

    • REQUEST messages received

    • ACK messages sent

    • BOOTP replies sent

    • NAK messages sent

    • OFFER messages sent

Viewing DNS proxy information:

  • Right-click NAT/Basic Firewall, and then select Show DNS Proxy Information to display the number of instances for each of the following:

    • Messages ignored

    • Queries received

    • Responses received

    • Queries sent

    • Responses sent

The following table describes how each tab on the NAT/Basic Firewall Properties page in the Routing and Remote Access snap-in is used for NAT-related tasks.

NAT-related Options on the NAT/Basic Firewall Properties Page

Tab / Task

Tab: General

Specifying the level of errors and warnings to be logged in the System Log in Event Viewer:

  • Log errors only. Specifies that only errors are logged in the System Log in Event Viewer.

  • Log errors and messages. Specifies that both errors and warnings are logged in the System Log in Event Viewer.

  • Log the maximum amount of information. Specifies that the maximum amount of information is logged in the System Log in Event Viewer.

  • Disable event logging. Specifies that no events are logged in the System Log in Event Viewer.

Tab: Translation

Specifying the number of minutes that a dynamic mapping for a TCP session or for a UDP message remains in the NAT Mapping Table.

Tab: Address Assignment

Configuring the DHCP allocator feature:

  1. Specify whether the NAT-enabled router will provide DHCP-based address assignment to DHCP clients on the private network.

  2. Specify both the private address range and any exclusions; that is, specify any addresses within the specified range of addresses that should not be assigned to DHCP clients on the private network because they are already in use.

If multiple routed subnets are configured, you must use a DHCP server rather than the DHCP allocator.

Tab: Name Resolution

Configure the DNS proxy feature:

  1. Specify whether the NAT-enabled router relays DNS name resolution requests from hosts on the private network to the configured DNS server for the NAT-enabled router.

  2. Specify whether a connection is attempted by using the selected demand-dial interface when a DNS name resolution request is received from a host on the private network.

The following table describes how each tab on the properties page of the public (Internet-connected) interface in the details pane of the Routing and Remote Access snap-in is used for NAT-related tasks.

NAT-related Options on the Public Interface Properties Page

Tab / Task

Tab: NAT/Basic Firewall

Configuring NAT:

  • Select Enable NAT on this interface to enable the router to send data to and receive data from the Internet over this interface.

Configuring Basic Firewall:

  • Select Enable a basic firewall on this interface to protect computers on the private network from unsolicited Internet traffic.

Configuring static packet filters:

  • Under Static packet filters, select Inbound Filters or Outbound Filters to establish inbound and outbound packet filters on the public interface to restrict traffic based on packet attributes such as IP address or protocol. For example, you can use this option to configure filters for PPTP or L2TP/IPSec VPN connections, as described in the Windows Server 2003 Deployment Guide section about “Configuring Packet Filters for a VPN Server” in Deploying a VPN Remote Access Server Solution.

Tab: Address Pool

Configuring one or more IP address ranges:

  • Select Add to configure an IP address pool on the public interface. You cannot configure an IP reservation until you configure at least one IP address pool.

Configuring an IP reservation to allow incoming traffic to a computer (such as a Web server) on the private network:

  • Under Reserve public addresses, click Reservations to configure an IP reservation by specifying a public IP address from one of the configured ranges. This ensures that the reserved address cannot be used for address translation.

Tab: Services and Ports

Configuring a static mapping for the services on your network to which you want to provide access for Internet users:

  • Select one or more from the list of services provided (such as FTP Server, Web Server (HTTP), or Remote Desktop).

    -or-

  • Click Add to configure a service that is not on the list to which you want to provide access for Internet users.

    Note: Configuring a service on this tab creates a static entry in the NAT Mapping Table and creates exceptions in the Basic Firewall that allow the specified incoming traffic.

Tab: ICMP

Configuring Internet Control Message Protocol (ICMP) options:

  • Select the requests for error and status information (ICMP messages) from the Internet to which this computer will respond.

The following table describes how the tab on the properties page of the Internal interface in the details pane of the Routing and Remote Access snap-in is used for NAT-related tasks.

NAT-related Options on the Internal Properties Page

Tab / Task

Tab: NAT/Basic Firewall

Configuring static packet filters:

  • Under Static packet filters, select Inbound Filters or Outbound Filters to establish inbound and outbound packet filters on the private interface to restrict traffic based on packet attributes such as IP address or protocol.

    Note: If the NAT/Basic Firewall component is enabled, the option Private interface connected to private network is selected on this tab by default and cannot be unselected.

Netsh Command-Line Tools for Routing and Remote Access NAT

Netsh provides several sets of commands (also known as contexts) for performing a wide range of network configuration tasks. The Netsh Routing IP NAT commands provide the Netsh context for Routing and Remote Access NAT.

Netsh.exe: Netsh Routing IP NAT Commands

Category

The Netsh Routing IP NAT commands, a subset of the Netsh command-line toolset, are included with the Windows Server 2003 operating system.

Version compatibility

The Netsh Routing IP NAT commands are compatible with Windows Server 2003. Netsh commands were first introduced in Windows 2000 Server and were expanded to include additional commands, including commands to manage NAT, in Windows Server 2003.

The Netsh commands are designed to help network administrators manage a TCP/IP network. You can use the Netsh command-line set of tools to locally or remotely display or modify the configuration of services or protocols on Windows-based computers. The Netsh command-line interface is scriptable, which lets you perform batch configurations or network administration from a centralized location. In addition to the Netsh Routing IP NAT commands that are designed specifically for Routing and Remote Access NAT, NAT also inherits commands from the Netsh Routing context and the Netsh Routing IP context.

The following table contains a brief description of the commands available in the Netsh Routing IP NAT context.

Commands Available in the Netsh Routing IP NAT Context

NAT Context Command / Description

? or help

When typed at a netsh routing ip nat> prompt, either ? or help displays a complete list of all commands in the Netsh Routing IP NAT context, including all commands inherited from the global Netsh context as well as commands inherited from the Netsh Routing and Netsh Routing IP subcontexts.

When typed at a netsh routing ip nat> prompt, a command name followed by ? (such as show ?) displays information about that command.

add addressmapping

Adds an IP address mapping to the NAT address pool for the specified interface.

add addressrange

Adds an address range to the NAT address pool for the specified interface.

add ftp

Enables the NAT proxy for FTP (supports FTP traffic across a NAT).

add h323

Enables the NAT proxy for H.323 (supports NetMeeting calls across a NAT).

add interface

Configures NAT on the specified interface.

add portmapping

Adds a protocol port mapping for either the TCP or the UDP protocol type on the NAT interface.

delete addressmapping

Deletes an address mapping from the NAT address pool for the specified interface.

delete addressrange

Deletes an address range from the NAT address pool for the specified interface.

delete ftp

Disables the NAT proxy for FTP.

delete h323

Disables the NAT proxy for H.323.

delete interface

Removes NAT from the specified interface.

delete portmapping

Deletes a protocol port mapping for either the TCP or the UDP protocol type from the specified NAT-enabled interface.

set global

Sets the following global parameters for NAT:

  • The timeout value, in minutes, for TCP mappings.

  • The timeout value, in minutes, for UDP mappings.

  • Which events should be logged. The none parameter specifies that no events related to NAT should be logged. The error parameter specifies that only errors related to NAT should be logged. The warn parameter specifies that only warnings related to NAT should be logged. The info parameter specifies that all events related to NAT should be logged.

set interface

Configures NAT parameters for the specified interface.

show global

Displays NAT global configuration. That is, it displays the current defaults for the following:

  • TCP timeout (in minutes)

  • UDP timeout (in minutes)

  • Logging level (such as errors only)

show interface

Displays NAT configuration for the specified interface.

For more information about Netsh, see “Command-Line Reference for Windows Server 2003, Standard Edition” in the Tools and Settings Collection.
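The following batch script, added here as an example and not part of the original page, scripts with the Netsh Routing IP NAT commands listed above the same configuration that the Routing and Remote Access Wizard and the NAT/Basic Firewall property tabs produce. The interface names and IP addresses are constructed, and the parameter names (name=, mode=, start=, end=, mask=, proto=, publicaddr=, publicport=, privateaddr=, privateport=, tcptimeoutmins=, udptimeoutmins=, loglevel=) and the inherited install command are assumed from the Windows Server 2003 netsh reference rather than quoted from this page.

```batch
@echo off
rem Added example (not from the original page): script the NAT setup that the
rem Routing and Remote Access Wizard performs, using the Netsh Routing IP NAT
rem context. Interface names and addresses below are constructed; the parameter
rem names are assumed from the Windows Server 2003 netsh reference.

rem Interface names as they appear in Network Connections (constructed).
set PUBLIC_IF=Internet
set PRIVATE_IF=Local Area Connection

rem Install the NAT routing protocol component (equivalent to General > New
rem Routing Protocol > NAT/Basic Firewall in the snap-in). "install" is
rem inherited from the Netsh Routing IP context (assumed).
netsh routing ip nat install

rem Add the public and private interfaces to the NAT component.
rem mode=full translates addresses and ports on the Internet-facing interface;
rem mode=private marks the LAN-facing interface as connected to the private
rem network (the "Private interface connected to private network" option).
netsh routing ip nat add interface name="%PUBLIC_IF%" mode=full
netsh routing ip nat add interface name="%PRIVATE_IF%" mode=private

rem Address Pool tab: one public range assigned by the ISP (constructed values).
netsh routing ip nat add addressrange name="%PUBLIC_IF%" start=203.0.113.10 end=203.0.113.14 mask=255.255.255.248

rem Services and Ports tab: expose only the internal Web server on TCP 80.
rem This creates a static NAT Mapping Table entry and a Basic Firewall
rem exception, so publish the smallest set of services the network needs.
netsh routing ip nat add portmapping name="%PUBLIC_IF%" proto=tcp publicaddr=0.0.0.0 publicport=80 privateaddr=192.168.0.10 privateport=80

rem General and Translation tabs: shorter idle timeouts keep stale dynamic
rem mappings from lingering in the NAT Mapping Table; loglevel=info matches
rem "Log the maximum amount of information" and is the level for troubleshooting.
netsh routing ip nat set global tcptimeoutmins=60 udptimeoutmins=1 loglevel=info

rem Verify what was applied (global defaults and the per-interface settings).
netsh routing ip nat show global
netsh routing ip nat show interface name="%PUBLIC_IF%"
```

Basic Firewall itself is enabled on the NAT/Basic Firewall tab of the public interface as described above; this script does not turn it on.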

NAT Registry Entries

The following registry entry, associated with Routing and Remote Access NAT, is the only registry entry that an administrator might want to modify by using the registry editor.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

AllowInboundNonUnicastTraffic

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IpNat\Parameters\

Version

Windows Server 2003, Windows XP SP1, or later.

If Routing and Remote Access NAT has Basic Firewall configured, the firewall always accepts broadcast and multicast packets and passes them to the NAT component. However, on a computer running the Windows Server 2003, Windows XP SP1, or later operating system, the following registry key for NAT is set by default to drop all inbound broadcast and multicast packets. If you need to change this default behavior, add the following registry key and set it to 1. Setting the key to 1 allows broadcast and multicast packets to cross Basic Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IpNat\Parameters\AllowInboundNonUnicastTraffic

By default, AllowInboundNonUnicastTraffic is set to 0, which blocks inbound non-unicast (broadcast and multicast) traffic.

For more information about this registry entry, see the Registry Reference for Windows Server 2003.
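The following batch script, added here as an example and not part of the original page, audits the AllowInboundNonUnicastTraffic entry from the command line so that a change away from the blocking default can be spotted. The reg tool and its /v, /t, /d and /f switches are standard; that the entry is a REG_DWORD is an assumption, as is the exact layout of reg query output that the for loop parses.

```batch
@echo off
rem Added example (not from the original page): check whether Basic Firewall
rem has been configured to pass inbound broadcast and multicast packets.
rem The REG_DWORD type and the reg query output layout are assumptions.

set KEY=HKLM\System\CurrentControlSet\Services\IpNat\Parameters
set VAL=AllowInboundNonUnicastTraffic

rem If the entry is absent, NAT uses the default and drops inbound
rem broadcast and multicast packets.
reg query "%KEY%" /v %VAL% >nul 2>&1
if errorlevel 1 (
    echo %VAL% is not present: inbound broadcast/multicast is dropped (default).
    goto :eof
)

rem The entry exists: read its value (third token of the matching output line).
set CUR=
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %VAL% ^| findstr /i "%VAL%"') do set CUR=%%v

rem A value of 1 lets non-unicast traffic cross Basic Firewall; flag it so the
rem change can be matched against a documented need.
if /i "%CUR%"=="0x1" (
    echo WARNING: %VAL% is 1; broadcast and multicast packets cross Basic Firewall.
) else (
    echo %VAL% is %CUR%: inbound broadcast/multicast is dropped.
)

rem To restore the blocking default explicitly (only if someone set it to 1):
rem reg add "%KEY%" /v %VAL% /t REG_DWORD /d 0 /f
```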

The following resources contain additional information that is relevant to this section: