VPN and NAT Design

Applies To: Windows Server 2008, Windows Server 2008 R2

This design incorporates both VPN remote access for inbound connections to the organization’s network, and NAT for outbound connectivity to the Internet from the private address space used on the organization’s network. If additional services behind the NAT server, such as a web site, must be accessible from the Internet, then NAT supports mapping specific inbound port numbers to internal IP addresses.

Consider the following design issues before implementing network address translation (NAT) on an RRAS server.

Private network addressing

Private addresses are not routable to the public Internet. NAT uses a single public IP address (or a small number of them) to provide Internet access by mapping the private addresses to port numbers associated with the public address. The following address ranges are defined to be private:

  • 10.0.0.0/8 - 10.0.0.0 through 10.255.255.255 with a subnet mask of 255.0.0.0

  • 172.16.0.0/12 - 172.16.0.0 through 172.32.255.255 with a subnet mask of 255.240.0.0

  • 192.168.0.0/16 - 192.168.0.0 through 192.168.255.255 with a subnet mask of 255.255.0.0

By default, most NAT devices use the private network ID 192.168.0.0 or 192.168.1.0 with a subnet mask of 255.255.255.0 for the private network.

Single or multiple public addresses

If you are using a single public IP address allocated by your ISP, no other IP address configuration is necessary. If you are using multiple IP addresses allocated by your ISP, then you must configure the NAT interface with your range of public IP addresses. For the range of IP addresses given to you by your ISP, you must determine whether the range of public IP addresses can be expressed by using an IP address with a subnet mask.

If you are allocated a number of addresses that is a power of 2 (2, 4, 8, 16, and so on), you might be able to express the range by using a single IP address and mask. For example, if you are given the four consecutive public IP addresses 206.73.118.212, 206.73.118.213, 206.73.118.214, and 206.73.118.215 by your ISP, then you can express these four addresses as 206.73.118.212 with a mask of 255.255.255.252.

If your IP addresses are not expressible as an IP address and a subnet mask, you can enter them as a range or series of ranges by indicating the starting and ending IP addresses.
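The two address calculations described above, the bounds of each private range and whether an ISP-assigned block can be written as a single address plus a subnet mask, as an added example using Python's ipaddress module. This is not code from the original article or from RRAS; the function names are constructed for illustration, the 206.73.118.212 block is the article's own example, and the 206.73.118.213 block is a constructed counter-example of four addresses that are consecutive but not aligned. The helper derives each private range's first address, last address and mask from its prefix, so the output can be checked against the list in the previous section.

```python
import ipaddress

# The three RFC 1918 private prefixes listed in the article. Each is expanded
# from its prefix rather than typed in by hand, so first/last/mask are derived.
RFC1918_NETWORKS = [
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def cidr_bounds(prefix: str):
    """Return (first address, last address, dotted subnet mask) for a prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    return (str(net.network_address), str(net.broadcast_address), str(net.netmask))


def is_rfc1918(addr: str) -> bool:
    """True only for the three private ranges the article lists (not loopback,
    link-local, or other special ranges that ipaddress.is_private also covers)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def express_public_range(first: str, count: int):
    """Decide how a block of ISP-assigned public addresses must be entered.

    summarize_address_range yields exactly one network only when `count` is a
    power of two and `first` is aligned to that block size; that is the case the
    article says can be entered as one address with a mask. Otherwise the block
    has to be entered as a series of start/end ranges, which are returned.
    """
    start = ipaddress.ip_address(first)
    last = start + (count - 1)
    nets = list(ipaddress.summarize_address_range(start, last))
    if len(nets) == 1:
        net = nets[0]
        return ("cidr", str(net.network_address), str(net.netmask))
    return ("ranges", [(str(n.network_address), str(n.broadcast_address)) for n in nets])


if __name__ == "__main__":
    for net in RFC1918_NETWORKS:
        print(net.with_prefixlen, "->", cidr_bounds(net.with_prefixlen))
    print(express_public_range("206.73.118.212", 4))   # the article's aligned /30 example
    print(express_public_range("206.73.118.213", 4))   # constructed: same size, not aligned
```

Running the block prints each private range with its computed bounds, then shows the article's four-address block collapsing to 206.73.118.212 with mask 255.255.255.252, while the shifted block falls apart into three separate ranges that would each have to be entered by start and end address.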

Allowing inbound connections

Normal NAT usage from a home or small business allows outbound connections from the private network to the public network. Some programs that run from the private network create connections to Internet resources. The return traffic from the Internet can be translated because the connection was initiated from the private network.

To allow Internet users to access a resource server on your private network, you must do the following:

  1. Configure a static IP address configuration on the resource server including private IP address (from the range of private IP addresses allocated by the NAT computer), subnet mask (from the range of IP addresses allocated by the NAT computer), default gateway (the private IP address of the NAT computer), and DNS server (the private IP address of the NAT computer).

  2. Exclude the IP address configured on the resource computer from the range of IP addresses being allocated by the NAT computer.

  3. Configure a special port. A special port is a static mapping of a public address and port number to a private address and port number. A special port maps an inbound connection from an Internet user to a specific address on your private network. By using a special port, you can create a Web server (or other server type) on your private network that is accessible from the Internet.
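A model of the three steps above as an added example in Python; it is not the article's or RRAS's code. It contains a DHCP-style allocator that honours exclusions (step 2), dynamic translation of outbound flows so that only their return traffic is admitted, and a static special port that admits inbound connections to a resource server (step 3). The class and method names and all addresses are constructed for illustration; 203.0.113.10 is a documentation address standing in for the ISP-assigned public address, and the 192.168.0.0/24 layout follows the default private network the article mentions. The same static mapping is what the SSTP entry in the following section asks for when it says to redirect port 443 to the VPN server.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the example.
PUBLIC_IP = "203.0.113.10"          # NAT server's public (ISP-assigned) address
NAT_PRIVATE_IP = "192.168.0.1"      # NAT server's LAN address: default gateway and DNS for the LAN
WEB_SERVER_IP = "192.168.0.10"      # resource server with a static address (step 1)
POOL_FIRST, POOL_LAST = "192.168.0.2", "192.168.0.254"   # hypothetical allocator range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatServer:
    """Minimal model of a NAT server: an address allocator, dynamic outbound
    translations keyed by public port, and static special-port mappings."""

    def __init__(self, public_ip, pool_first, pool_last, first_port=1025):
        self.public_ip = public_ip
        self.pool = (ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
        self.excluded = set()      # step 2: addresses the allocator must never hand out
        self.leased = set()
        self.next_port = first_port
        self.dynamic = {}          # (proto, public_port) -> (private_ip, private_port)
        self.special = {}          # (proto, public_port) -> (private_ip, private_port)
        self.by_private = {}       # (proto, private_ip, private_port) -> public_port

    def exclude_from_allocator(self, private_ip):
        self.excluded.add(private_ip)

    def allocate(self):
        """Hand out the lowest free pool address, skipping exclusions and live leases."""
        ip = self.pool[0]
        while ip <= self.pool[1]:
            s = str(ip)
            if s not in self.excluded and s not in self.leased:
                self.leased.add(s)
                return s
            ip += 1
        raise RuntimeError("allocator pool exhausted")

    def add_special_port(self, proto, public_port, private_ip, private_port):
        """Step 3: static public -> private mapping. The target must already be
        excluded from the allocator (step 2); otherwise a later lease could hand
        the same address to another host and the mapping would point at it."""
        if private_ip not in self.excluded:
            raise ValueError(f"{private_ip} must be excluded from the allocator first")
        self.special[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet and remember the mapping so the
        return traffic from the Internet can be translated back."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.by_private:
            port = self.next_port
            self.next_port += 1
            self.by_private[key] = port
            self.dynamic[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.by_private[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the public interface, or drop it (None)
        when neither a special port nor an existing outbound flow matches."""
        if pkt.dst != self.public_ip:
            return None
        target = self.special.get((pkt.proto, pkt.dport)) or self.dynamic.get((pkt.proto, pkt.dport))
        if target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


def build_demo() -> NatServer:
    """NAT server with the web server excluded from the pool and TCP 80 mapped to it."""
    nat = NatServer(PUBLIC_IP, POOL_FIRST, POOL_LAST)
    nat.exclude_from_allocator(WEB_SERVER_IP)            # step 2
    nat.add_special_port("tcp", 80, WEB_SERVER_IP, 80)   # step 3
    return nat


if __name__ == "__main__":
    nat = build_demo()
    client = nat.allocate()                              # a LAN host leasing an address
    out = nat.outbound(Packet(client, 50000, "198.51.100.7", 80))
    print("outbound translated to", out.src, out.sport)
    print("return traffic ->", nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.sport)))
    print("unsolicited to port 25 ->", nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 25)))
    print("special port 80 ->", nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 80)))
```

The check in add_special_port is the reason step 2 precedes step 3: without the exclusion the allocator could lease the mapped address to a different host. The inbound method makes the security property of the design visible: only the one statically mapped port reaches the private network from outside, and everything else that was not initiated from inside is dropped.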

VPN connections from a translated branch office

A common deployment option is to use NAT on one or both sides of a connection that links offices in different geographical locations. RRAS in Windows Server 2008 R2 and Windows Server 2008 provides several types of virtual private network (VPN) site-to-site connections. The following table describes the circumstances in which you can use a NAT in conjunction with a VPN connection.

The table lists, for each type of VPN site-to-site connection, whether you can use NAT and a description of the conditions.

Type of VPN site-to-site connection: PPTP

Can you use NAT? Yes

Description: In most cases, you can locate PPTP-based calling routers behind a NAT-enabled router (or configure one computer as both the calling router and the NAT-enabled router) in order to allow computers with private addresses in a small office or home office network to share a single connection to the Internet. With a VPN connection, the site-to-site connection from the small office to the main office is “tunneled” through the Internet. NAT in RRAS in Windows Server 2008 R2 and Windows Server 2008 includes a NAT editor that can accurately translate PPTP-tunneled data.

Type of VPN site-to-site connection: L2TP/IPsec

Can you use NAT? Yes, but only if you use the IPsec NAT Traversal (NAT-T) feature

Description: You can use the IPsec feature called NAT Traversal (NAT-T) to create L2TP/IPsec connections across NAT devices. Using NAT-T requires running Windows Server 2008 or Windows Server 2008 R2 on the calling and answering routers (or appropriately configured third-party routers). With NAT-T, computers with private addresses that are located behind a NAT can use IPsec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows XP with SP2 or later versions of Windows). Because no NAT editor exists for IPsec, the only way to use L2TP/IPsec over NAT is by implementing NAT-T.

Type of VPN site-to-site connection: SSTP

Can you use NAT? Yes

Description: SSTP is available on Windows Vista with SP1, Windows Server 2008 and later versions of Windows. SSTP-based VPN clients and VPN servers can be located behind a NAT-enabled router. Configure the NAT router to redirect port 443 (HTTPS) to the VPN server.

Type of VPN site-to-site connection: IKEv2

Can you use NAT? Yes

Description: IKEv2 is available on Windows 7 and Windows Server 2008 R2. You can use NAT-T to create IKEv2 connections across NAT devices. Using NAT-T requires running Windows Server 2008 or Windows Server 2008 R2 on the calling and answering routers (or appropriately configured third-party routers). With NAT-T, computers with private addresses that are located behind a NAT can use IPsec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows XP with SP2 or later versions of Windows). Because no NAT editor exists for IPsec, the only way to use IKEv2 over NAT is by implementing NAT-T.

For more information about NAT, see the NAT Technical Reference.