NAT Protocol

Lesson 5: Integrating NAT into the existing Network
Objective: Identify the processes required to integrate NAT with other services in Windows

Integrating NAT into the Existing Network

The NAT server in your network design must have at least two interfaces: one that connects to the Internet and one that connects to the private network. You should consider this the minimum configuration.
NAT is, however, able to support multiple interfaces with external network connections. Alternatively, you may prefer to have a single external network interface, and bind multiple IP addresses to a single external interface.
Remember that although NAT supports multiple external interfaces, you should limit the internal interface to a single adapter. Internal interfaces will become an issue if you choose to use the DHCP Allocator. The DHCP Allocator can only support a single network ID, so all internal interfaces must be located on a single internal network ID. Microsoft® documentation suggests that network clients connected to different physical segments may be assigned duplicate IP addresses, which would prevent internetwork communication between the segments.
For each NAT server interface, you must describe the interface characteristics so that you can integrate the NAT server into the existing network. The following steps (originally presented as a MouseOver) list what you must determine for each interface.

  1. The reason the segment the interface connects to exists. Network segments are typically created to:
    1. Isolate network traffic to the source, destination, and intermediary network segments.
    2. Create a screened subnet within the private network, thereby protecting confidential data.
    3. Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and an Integrated Services Digital Network (ISDN) segment.
  2. An IP address and subnet mask for the interface.
  3. The IP address must be within the range of addresses assigned to the network segment that is directly connected to the interface.
  4. The subnet mask must match the subnet mask assigned to the network segment that is directly connected to the interface.
  5. Whether the connected network segment is persistent or non-persistent. Another way of thinking about persistence is dedicated versus dial-up:
    1. A dedicated network connection is persistent.
    2. A dial-up connection is non-persistent.
  6. The data rate and persistence of each NAT server interface, so that the NAT server can connect to the private and public network segments.
  7. The data rate of the private network segment is determined by the local area network (LAN) technology, such as a 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.
  8. Public network segments that appear to the NAT server as LAN interfaces are persistent, and their data rate is determined by the LAN technology.
  9. Public network segments that appear as dial-up or demand-dial interfaces are non-persistent, and their data rate is determined by the underlying technology. For example, a 56 kbps dial-up modem connection supports a maximum data rate of 56 kbps.
  10. Whether to include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your solution when an exchange of credentials, such as VPN tunnel authentication, is required, or when usage charges such as ISDN connection charges accumulate.
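The rules above (address within the directly connected segment, mask matching the segment, at least one internal and one external interface, and a single internal network ID when the DHCP Allocator is used) are easy to check mechanically before touching a server. The following Python script is an added example, not part of the original lesson: the `NatInterface` dataclass, the rule checks and the two sample plans are constructed here, and the addresses come from documentation ranges rather than any real network.

```python
"""Check a NAT server interface plan against the rules in this lesson.

Added example, not part of the original lesson: the dataclass, the rule
checks and the two sample plans are constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatInterface:
    name: str
    role: str                 # "internal" (private network) or "external" (Internet)
    address: str              # address/prefix configured on the interface, e.g. "192.168.0.1/24"
    segment: str              # network ID of the directly connected segment, e.g. "192.168.0.0/24"
    kind: str = "lan"         # "lan", "dialup" or "demand-dial"
    data_rate_kbps: int = 100_000


def persistent(iface: NatInterface) -> bool:
    """LAN interfaces are persistent; dial-up and demand-dial interfaces are not."""
    return iface.kind == "lan"


def _parse(iface: NatInterface) -> Optional[Tuple[IPv4Interface, IPv4Network]]:
    try:
        return IPv4Interface(iface.address), IPv4Network(iface.segment)
    except ValueError:
        return None


def check_interface(iface: NatInterface) -> List[str]:
    """Per-interface rules: address inside the segment, mask equal to the segment mask."""
    parsed = _parse(iface)
    if parsed is None:
        return [f"{iface.name}: address or segment is not valid IPv4 notation"]
    cfg, seg = parsed
    problems = []
    if cfg.ip not in seg:
        problems.append(f"{iface.name}: {cfg.ip} is not within the directly connected segment {seg}")
    if cfg.network.netmask != seg.netmask:
        problems.append(f"{iface.name}: mask {cfg.network.netmask} does not match the segment mask {seg.netmask}")
    if cfg.ip in (seg.network_address, seg.broadcast_address):
        problems.append(f"{iface.name}: {cfg.ip} is the network or broadcast address of {seg}")
    return problems


def check_plan(plan: List[NatInterface], dhcp_allocator: bool = True) -> List[str]:
    """Whole-server rules on top of the per-interface ones."""
    problems = []
    for iface in plan:
        problems.extend(check_interface(iface))
    internal = [i for i in plan if i.role == "internal"]
    external = [i for i in plan if i.role == "external"]
    if not internal or not external:
        problems.append("plan: a NAT server needs at least one internal and one external interface")
    if dhcp_allocator:
        # The DHCP Allocator serves a single network ID, so every internal
        # interface must sit on the same segment.
        ids = {p[1] for p in (_parse(i) for i in internal) if p is not None}
        if len(ids) > 1:
            problems.append("plan: DHCP Allocator supports a single network ID, but internal interfaces span "
                            + ", ".join(str(n) for n in sorted(ids)))
    return problems


# Constructed sample plans (documentation address ranges, not a real network).
GOOD_PLAN = [
    NatInterface("LAN", "internal", "192.168.0.1/24", "192.168.0.0/24"),
    NatInterface("Internet", "external", "203.0.113.10/24", "203.0.113.0/24", "dialup", 56),
]
BAD_PLAN = [
    NatInterface("LAN-A", "internal", "192.168.0.1/24", "192.168.0.0/24"),
    NatInterface("LAN-B", "internal", "192.168.1.1/25", "192.168.1.0/24"),      # wrong mask, second network ID
    NatInterface("Internet", "external", "198.51.100.10/24", "203.0.113.0/24"),  # address outside its segment
]


if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        issues = check_plan(plan)
        print(f"{label}: {'no issues' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Running the script reports no issues for the first plan and three for the second: the mismatched mask on LAN-B, the external address outside its segment, and the two internal network IDs that the DHCP Allocator cannot serve. Pass `dhcp_allocator=False` to `check_plan` when the allocator is not in use and the last rule no longer applies.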


One of the decisions you need to make is how you want your containers to communicate with the corporate network, or with the outside world in general. Figure 3-11 presents a diagram showing how a container connects to the outside world.

Figure 2-5: Containers network connectivity

As Figure 2-5 demonstrates, each container connects via a vNIC (Windows Server container) or a vmNIC (Hyper-V container) to the vSwitch configured in a host. Each vNIC is isolated from the next and is considered its own compartment. These vNICs connect to the vSwitch by ports (much like Hyper-V). The physical host vNIC is isolated from the containers. Network connectivity to Hyper-V containers is transparent to the utility VM through the vmNIC.

External connectivity is provided in a number of ways, and the choice depends on the scenario you are using containers for. For example, if you want to offer a container environment for developers, Network Address Translation (NAT) is the best option for container networking. It provides a private IP space (IPs issued via DHCP) that is isolated from the outside world. It restricts cross-container connectivity but does give you the ability to port forward into the container environment you are working with. Any traffic arriving on the public NAT IP (the external NIC IP of the host) is compared against a table managed by WinNAT and forwarded into the container.

If the developers or the business require only a small deployment and need the containers to sit on the corporate IP space, you can use transparent networking for containers. This simply uses your existing IP space (via DHCP or static assignment) to assign IPs to the containers you run. If you do not use DHCP, you are unable to set a gateway IP address. In transparent networking, containers can communicate with one another and with external services such as SQL.
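The security property of the NAT option is that the only traffic reaching a container from outside is what the translation table admits: a static port-forward entry you created, or the reply half of a flow a container opened itself. The following Python model is an added example, not part of the original text and not WinNAT's own code; the public IP, private range, forwarded port and packets are constructed for illustration, and the behaviour modelled (unsolicited inbound dropped, cross-container traffic restricted, replies only from the peer the container spoke to) is the behaviour the paragraph above describes.

```python
"""Model of the translation table a NAT gateway keeps for containers.

Added example, not part of the original text and not WinNAT's own code: the
public IP, the private range, the static mapping and the packets below are
constructed to illustrate the behaviour the paragraph describes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class ContainerNat:
    def __init__(self, public_ip: str, private_net: str, first_dynamic_port: int = 49152):
        self.public_ip = IPv4Address(public_ip)       # external NIC address of the host
        self.private_net = IPv4Network(private_net)   # private space handed to containers
        # static mappings: (proto, external port) -> (container ip, container port)
        self.static: Dict[Tuple[str, int], Tuple[IPv4Address, int]] = {}
        # dynamic mappings for flows a container opened:
        # (proto, external port) -> (container ip, container port, remote ip, remote port)
        self.dynamic: Dict[Tuple[str, int], Tuple[IPv4Address, int, IPv4Address, int]] = {}
        self._reverse: Dict[Tuple[str, IPv4Address, int, IPv4Address, int], int] = {}
        self._ports = count(first_dynamic_port)

    def add_static_mapping(self, proto: str, external_port: int, container_ip: str, container_port: int) -> None:
        """Port-forward one public port into one container; the only way unsolicited traffic gets in."""
        ip = IPv4Address(container_ip)
        if ip not in self.private_net:
            raise ValueError(f"{ip} is not in the NAT private range {self.private_net}")
        self.static[(proto, external_port)] = (ip, container_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Container -> outside: rewrite the source to the public IP and remember the flow."""
        if pkt.src not in self.private_net:
            return None
        if pkt.dst in self.private_net:
            return None  # cross-container traffic is restricted, as the text describes
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self._reverse.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self._reverse[key] = ext_port
            self.dynamic[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> public NAT IP: forward only if the table has a matching entry, else drop."""
        if pkt.dst != self.public_ip:
            return None
        target = self.static.get((pkt.proto, pkt.dport))
        if target is not None:
            ip, port = target
            return Packet(pkt.proto, pkt.src, pkt.sport, ip, port)
        flow = self.dynamic.get((pkt.proto, pkt.dport))
        # A dynamic entry only admits the peer the container spoke to, not anyone
        # who happens to send to the same external port.
        if flow is not None and (pkt.src, pkt.sport) == (flow[2], flow[3]):
            return Packet(pkt.proto, pkt.src, pkt.sport, flow[0], flow[1])
        return None


def build_demo_nat() -> ContainerNat:
    """Constructed setup: one forwarded web port, everything else closed."""
    nat = ContainerNat("203.0.113.5", "172.16.0.0/24")
    nat.add_static_mapping("tcp", 8080, "172.16.0.2", 80)
    return nat


if __name__ == "__main__":
    nat = build_demo_nat()
    web = Packet("tcp", IPv4Address("198.51.100.20"), 51000, nat.public_ip, 8080)
    print("forwarded port 8080 ->", nat.inbound(web))
    ssh = Packet("tcp", IPv4Address("198.51.100.20"), 51001, nat.public_ip, 22)
    print("unmapped port 22 ->", nat.inbound(ssh))
```

The point to take from the model is the review you should do on a real host: every static mapping is a hole in the isolation the NAT option otherwise gives you, so the list of forwarded ports is the container network's exposed surface and should be kept to what the developers actually need.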

In the next lesson, you will learn how to select the appropriate server options for a NAT solution.