Unicast IP Routing


NAT Processes in the Windows 2000 Router

For the Windows 2000 Routing and Remote Access service, the NAT component is implemented as a routing protocol known as Network Address Translation, or NAT. The NAT component is enabled by adding Network Address Translation as a routing protocol in the Routing and Remote Access snap-in.


Note

NAT services are also available with the Internet connection sharing feature available from the Network and Dial-up Connections folder. Internet connection sharing performs the same function as the NAT routing protocol in the Routing and Remote Access service but it allows very little configuration flexibility. For information about configuring Internet connection sharing and why you would choose Internet connection sharing over the NAT routing protocol of the Routing and Remote Access service, see Windows 2000 Server Help.

Installed with the NAT routing protocol are a series of NAT editors. Editors exist because some application protocols carry IP addresses or port numbers inside the packet payload, where ordinary header translation does not reach them. NAT consults the editors when the packet being translated matches one of the installed editors. The editor modifies the payload and returns the result to the NAT component.

NAT interacts with the TCP/IP protocol in two important ways:

Figure 3.23 shows the NAT components and their relation to TCP/IP and other router components.

Figure 3.23    NAT Components

Outbound Internet Traffic

For traffic from the private network that is outbound on the Internet interface, the NAT first checks whether an address/port mapping, static or dynamic, already exists for the packet. If not, a dynamic mapping is created. How the NAT builds the mapping depends on whether a single public IP address or multiple public IP addresses are available on the Internet interface.

After mapping, the NAT checks for editors and invokes one if necessary. After editing, the NAT rewrites the IP header and the TCP or UDP header (source address and port, with the checksums recalculated) and forwards the frame using the Internet interface.

Figure 3.24 shows the NAT processing for outbound Internet traffic.

Figure 3.24    NAT Processing of Outbound Internet Traffic

Inbound Internet Traffic

For traffic from the Internet that is inbound on the Internet interface, the NAT first checks whether an address/port mapping, static or dynamic, exists for the packet. If no mapping exists for the packet, the NAT silently discards it.

This behavior protects the private network from unsolicited traffic sent by malicious users on the Internet. The only way that Internet traffic is forwarded to the private network is either in response to traffic initiated by a private network user that created a dynamic mapping, or because a static mapping exists so that Internet users can reach specific resources on the private network. Note that this protection is a side effect of translation, not a firewall: any packet that matches a mapping is forwarded regardless of its content, and every static mapping deliberately exposes the private resource behind it to the whole Internet.

After mapping, the NAT checks for editors and invokes one if necessary. After editing, the NAT rewrites the IP header and the TCP or UDP header (destination address and port, with the checksums recalculated) and forwards the frame using the private network interface.
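The outbound and inbound decisions described above (look up a static or dynamic mapping, create one only for outbound traffic, silently discard inbound packets that match nothing, and hand matching packets to an editor) are modelled in the following added example. This is illustrative code written for this page, not the Windows 2000 NAT implementation; the public address, the start of the dynamic port range, the single-address mapping strategy and the toy "PORT"-rewriting editor are all assumptions.

```python
# Added example: a small model of the NAT mapping logic described on this page.
# Not Microsoft code. Addresses, port range and the toy editor are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]                       # (IP address, port)
Editor = Callable[[bytes, str, str], bytes]      # (payload, old_ip, new_ip) -> payload


@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


@dataclass
class Nat:
    public_ip: str                               # single public address (assumption)
    first_port: int = 1025                       # assumed start of dynamic port range
    # dynamic mappings, created only by outbound traffic
    out_map: Dict[Tuple[str, Endpoint], int] = field(default_factory=dict)
    in_map: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # static mappings configured by the administrator: (proto, public port) -> private
    static: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # payload editors keyed by (proto, well-known port of the application protocol)
    editors: Dict[Tuple[str, int], Editor] = field(default_factory=dict)

    def add_static(self, proto: str, public_port: int, private: Endpoint) -> None:
        self.static[(proto, public_port)] = private

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: find or create a mapping, edit, rewrite source."""
        for (sproto, pub_port), priv in self.static.items():
            if sproto == pkt.proto and priv == pkt.src:
                public_port = pub_port           # published server replies with its static port
                break
        else:
            key = (pkt.proto, pkt.src)
            public_port = self.out_map.get(key)
            if public_port is None:              # no mapping yet: create a dynamic one
                public_port = self._allocate_port(pkt.proto)
                self.out_map[key] = public_port
                self.in_map[(pkt.proto, public_port)] = pkt.src
        payload = self._edit(pkt, pkt.src[0], self.public_ip, pkt.dst[1])
        return Packet(pkt.proto, (self.public_ip, public_port), pkt.dst, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: forward only if a static or dynamic mapping exists."""
        key = (pkt.proto, pkt.dst[1])
        private = self.static.get(key) or self.in_map.get(key)
        if private is None:
            return None                          # silently discarded, no mapping is created
        payload = self._edit(pkt, self.public_ip, private[0], pkt.src[1])
        return Packet(pkt.proto, pkt.src, private, payload)

    def _allocate_port(self, proto: str) -> int:
        used = {p for (pr, p) in self.in_map if pr == proto}
        used |= {p for (pr, p) in self.static if pr == proto}
        port = self.first_port
        while port in used:
            port += 1
        if port > 65535:
            raise RuntimeError("no free public ports for " + proto)
        return port

    def _edit(self, pkt: Packet, old_ip: str, new_ip: str, service_port: int) -> bytes:
        editor = self.editors.get((pkt.proto, service_port))
        return editor(pkt.payload, old_ip, new_ip) if editor else pkt.payload


def ftp_port_editor(payload: bytes, old_ip: str, new_ip: str) -> bytes:
    """Toy stand-in for an FTP editor: rewrite the comma-separated address in a
    PORT command. A real editor would also have to arrange a mapping for the data
    connection; this one only rewrites the payload (assumption for illustration)."""
    old = old_ip.replace(".", ",").encode()
    new = new_ip.replace(".", ",").encode()
    return payload.replace(old, new)


def demo() -> dict:
    """Constructed traffic exercising each branch of the NAT decision tree."""
    nat = Nat("131.107.0.1")
    nat.editors[("tcp", 21)] = ftp_port_editor
    nat.add_static("tcp", 80, ("192.168.0.5", 80))        # published web server
    results = {}
    results["out"] = nat.outbound(Packet("tcp", ("192.168.0.10", 3000), ("10.1.1.1", 80)))
    results["reply"] = nat.inbound(Packet("tcp", ("10.1.1.1", 80), ("131.107.0.1", 1025)))
    results["unsolicited"] = nat.inbound(Packet("tcp", ("10.1.1.1", 80), ("131.107.0.1", 2000)))
    results["to_server"] = nat.inbound(Packet("tcp", ("10.2.2.2", 40000), ("131.107.0.1", 80)))
    results["from_server"] = nat.outbound(Packet("tcp", ("192.168.0.5", 80), ("10.2.2.2", 40000)))
    results["ftp"] = nat.outbound(Packet("tcp", ("192.168.0.10", 3001), ("10.1.1.1", 21),
                                         b"PORT 192,168,0,10,11,184\r\n"))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, "->", "discarded" if pkt is None else (pkt.src, pkt.dst, pkt.payload))
```

The `unsolicited` case is the one the text calls out: a packet arriving on the public address and a port that no outbound flow or static mapping has claimed is dropped without creating state. The `to_server` case shows the flip side, that a static mapping forwards any Internet source to the private host with no further checks.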

Figure 3.25 shows the NAT processing for inbound Internet traffic.

Figure 3.25    NAT Processing of Inbound Internet Traffic

© 1985-2000 Microsoft Corporation. All rights reserved.