Network Address Translation
This module discusses the features and functions of the Microsoft Network Address Translation (NAT) protocol.
When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. One way to provide this protection is to use private IP addresses on the internal network computers. In order to allow these computers to access the Internet, the private IP addresses must be translated into public IP addresses.
This is the function of a NAT server. Windows 10 includes a NAT routing protocol with its Routing and Remote Access Service.
NAT is an appropriate solution for networks that do not require extensive security for their outbound Internet requests.
Limitations of Network Address Translation
If you use NAT for Internet access for your internal computers, you will not be able to control what content the users on the internal network can access, nor will you be able to control which Internet services users can access based on security group membership.
If you require these capabilities, you need to use a proxy server. You will learn more about the proxy server solution later in this course.
NAT describes the process whereby a device on a given network is presented as having an address on a different network.
While this is often used on a stateful firewall device to translate private network addresses inside an organization to publicly routable IP addresses over the Internet, it is also used as an inadequate solution for multi-homing organizations on the Internet.
- Basic Disconnectivity: NAT provides a basic IPv4 connection but does not address more advanced features which are possible with IPv6 such as large address space, built-in security, scalability, and improved support for quality of service (QoS). NAT also places limitations on serving those with mobile smartphones and other devices which only use IPv6.
- NAT Adds Complexities: Network Address Translation makes managing a network complex and creates more problems with troubleshooting. The reason is that NAT devices add state to a specific location in the network. It is the managing of that state and the requirement of symmetric flows that causes these challenges.
- Problems with Applications: NAT makes application compatibility more difficult since NAT tampers with IP header fields, which causes issues with File Transfer Protocol (FTP), IP Telephony (SIP) and Simple Network Management Protocol (SNMP). This means the IP addresses and port numbers must have special consideration and some NAT applications may not work properly. Additionally, some applications need to be rewritten in order for them to support NAT.
- Security Protocol Issues: Support for Internet Protocol Security (IPsec) is optional in IPv4, since IPv4 was established before IPsec. IPsec is mandatory but not a requirement for support in IPv6 and is designed to identify header modifications. This means it is not uncommon for IPsec to reject the header changes which are made by NAT.
- Address Limitations: The lack of access to IP addresses with NAT means that specific functions may fail to work properly which would require applications to be rewritten. IPv6 provides a bigger address space which eliminates the time investment which is necessary when trying to make applications work with NAT.
The bottom line is that NAT was the short-term solution to address the lack of IPv4 address space. IPv6 represents the answer while NAT simply provides a piecemeal solution. When IPv6 is fully deployed, chances are NAT will no longer be necessary.
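The following is an added example, not part of the original course material. It models a port-translating NAT to show the two limitations listed above: the per-flow state that replies depend on, and the FTP problem caused by rewriting headers while the payload still carries the private address. The class name, addresses, ports and packet layout are all constructed for illustration.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed public address (documentation range)

class Napt:
    """Minimal port-translating NAT: rewrites headers and keeps per-flow state."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network, creating state if needed."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # Only the IP/transport header is rewritten; the payload is untouched.
        return {**pkt, "src": self.public_ip, "sport": self.out_map[key]}

    def inbound(self, pkt):
        """Translate a reply; with no matching state the packet is dropped (None)."""
        key = self.in_map.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip:
            return None
        return {**pkt, "dst": key[0], "dport": key[1]}

def ftp_port_target(payload):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    nums = payload.split()[1].split(",")
    return ".".join(nums[:4]), int(nums[4]) * 256 + int(nums[5])

def demo():
    nat = Napt(PUBLIC_IP)
    # Constructed packet: internal FTP client sends an active-mode PORT command.
    out = nat.outbound({"src": "192.168.1.20", "sport": 51000,
                        "dst": "198.51.100.5", "dport": 21,
                        "payload": "PORT 192,168,1,20,199,60"})
    reply = nat.inbound({"src": "198.51.100.5", "sport": 21,
                         "dst": PUBLIC_IP, "dport": out["sport"], "payload": "200 OK"})
    # A second NAT device (the other path of a multi-homed site) holds no state.
    asymmetric = Napt(PUBLIC_IP).inbound({"src": "198.51.100.5", "sport": 21,
                         "dst": PUBLIC_IP, "dport": out["sport"], "payload": "200 OK"})
    data_ip, data_port = ftp_port_target(out["payload"])
    leaked_private = ipaddress.ip_address(data_ip).is_private
    return out, reply, asymmetric, (data_ip, data_port, leaked_private)
```

The reply is delivered only by the device that saw the outbound packet, and the FTP server is still told to connect to 192.168.1.20, which it cannot reach. This is why such protocols need special handling on the NAT device.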
At the end of this module, you will be able to:
- List the key features of the NAT protocol
- List the protocols that the NAT protocol does not support
- Describe how to design a functional NAT solution
- Identify the processes required to integrate NAT with other services in Windows 10
- Describe how to select appropriate server options for a NAT solution
In the next lesson, you will learn about the key features of NAT.