Chapter 10 Lesson Notes

Internet Connection Sharing and Network Address Translation

I. Overview of ICS and NAT

A. Introduction

1. ICS (Internet Connection Sharing) and NAT (Network Address Translation) offer a simple and inexpensive way for SOHO networks (Small Office/Home Office) to connect to the Internet. SOHO networks generally have the following:

a. A single segment network

b. Peer-to-peer networking

c. A single protocol (TCP/IP)

d. A demand-dial or dedicated link connection via an ISP

B. Why Share an Internet Connection?

a. Translated connections (those which transparently pass packets between one network and another) offer a degree of security, and both ICS and NAT use translated connections.

b. ICS and NAT offer simplicity, ease of setup and configuration with low administrative overhead, at a fraction of the cost of other solutions.

c. Only one physical connection (dial-up or permanent) to the Internet is needed, and all other computers in the network can share that connection.

C. What’s the Difference Between ICS and NAT?

Both ICS and NAT offer address translation, address assignment, and name resolution, but more functions and greater flexibility are available with NAT. ICS is a cut-down, simplified version of NAT.

1. Features of ICS

a. The ICS computer must have two network connections: one to your internal network with a private address, and the other to the Internet.

b. ICS is configured using the Make New Connection Wizard in Windows 2000.

c. ICS can be used on a single-segment private network with up to 254 workstations.

2. NAT Features

a. NAT can only be run on a Windows 2000 Server through the RRAS snap-in as a routing protocol.

b. NAT supports multiple subnets and multiple adapters.

c. Multiple Public Addresses are available on the NAT Server.

ICS only permits one Internet IP address, while NAT can support multiple Internet adapters and/or Internet address pools.

D. What’s the Difference Between an Address Translation Service and a Proxy Server Service?

1. Microsoft’s Proxy Server is aimed at large and complex corporate networks, NAT is intended for medium-to-small networks, and ICS is used for the smallest and simplest of networks.

2. Application Layer vs. Network Layer

A proxy server works at the Session or Application Layer; NAT works at the Network Layer.

3. Administrative Overhead

a. A proxy server may be a more expensive solution for a SOHO due to the administrative overhead required for proxy setup.

b. A proxy server offers better security and greater flexibility than ICS or NAT.

c. Unlike ICS and NAT, Proxy Server supports Windows clients that don’t use TCP/IP, such as workstations running IPX that use a proxy server to access Internet servers.

E. Using VPNs in a SOHO Environment

1. ICS and NAT enable each SOHO workstation to create its own VPN connection.

2. PPTP (versus L2TP/IPSec) is required because IPSec is one of the protocols that NAT cannot translate.

F. How Address Translation Works

Network address translation works by translating a private address to a public address (and vice versa) using translation, addressing assignment, and name resolution.

1. Translation

For NAT to translate packets between a private network and a public network, the packets must have an IP address in the IP header, and packets must have TCP port numbers in the TCP header (or have UDP port numbers in the UDP header).

a. NAT Editors

When the packet formats are recognized as requiring further processing, NAT passes those packets to the appropriate NAT editor to modify so that the packets can be translated correctly. After being edited, the packets are returned to the NAT service.

2. Addressing Assignment

This configuration provides an IP address, subnet mask, default gateway, and the IP address of a DNS/WINS server to client workstations.

a. The DHCP Allocator

This is automatically invoked with ICS, which means that the computer will automatically assign IP addresses to other workstations on the same subnet and assign the default gateway. There is no WINS server allocation.

b. With NAT, you have a choice of whether to use the built-in DHCP allocator, the standard DHCP server installed on your network, or assign static addresses. Table 10-1 on page 724 shows the predefined settings for the DHCP allocator.

3. Host Name Resolution

ICS and NAT allow both local and remote DNS names to be resolved. DNS proxying will be used to resolve Internet names to IP addresses.

4. NetBIOS Name Resolution

There is no WINS server with ICS, so names of the form \\computer_name\sharename must be resolved by broadcast. Using an LMHOSTS file will keep these broadcasts to a minimum.

a. NAT as a WINS Proxy

This configuration behaves in the same way as DNS proxying, except requests go to the server’s local WINS server rather than out to the Internet.

G. Dynamic vs. Static Mapping

1. Dynamic Mappings

The default setting will translate the address, as well as the source port.

2. Static Mappings

This function enables you to define how the address and/or ports should be mapped rather than letting ICS or NAT make this decision. Static mapping is required if you want to host Internet services on your private network.

3. Mappings for Outbound Internet Traffic

In order for a private network to access the Internet, either a static mapping you’ve defined or a dynamic mapping held in memory is required.

4. Mappings for Inbound Internet Traffic

When Internet connection requests are received from the Internet, which will happen if you host your own FTP server on a private network, ICS or NAT assesses whether a mapping exists for the destination address and port number.

H. Private vs. Public IP Addresses

1. Private Address Ranges

Private addresses cannot receive traffic directly from the Internet. Private address ranges are as follows:

a. 10.0.0.0 with the subnet mask 255.0.0.0

b. 172.16.0.0 with the subnet mask 255.240.0.0

c. 192.168.0.0 with the subnet mask 255.255.0.0

d. IP Addressing Issues on the Internal Network

Use private addresses on your network even if you initially have no plans to connect to the Internet, in order to avoid illegal or overlapping IP addressing (using addresses that InterNIC has assigned to another company or individual). This makes administration easier if you later decide to connect to the Internet.

2. Perform Exercise 10-1 on page 730: Walkthrough of Address Translation in Action.
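The translation, mapping and private-range rules from sections F, G and H, as an added example written for these notes (not code from the textbook or from Windows 2000): a small port-based translator that creates dynamic mappings for outbound traffic, only delivers inbound traffic for which a static or dynamic mapping exists, and refuses to translate for hosts outside the private ranges listed above. The public address, host addresses and port pool are constructed sample values, and rejecting non-private sources is an assumption of this model.

```python
# Added example (not from the lesson notes): a minimal model of NAT
# behaviour. Addresses and the port pool are constructed sample values.
import ipaddress

# Private ranges from section H.1, written as network/mask.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
]

def is_private(addr):
    """True if addr falls in one of the private ranges listed in the notes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

class Translator:
    """Port-based address translation with dynamic and static mappings."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 1025   # next public source port to hand out (assumed pool)
        self.dynamic = {}       # public_port -> (private_ip, private_port)
        self.static = {}        # public_port -> (private_ip, private_port)

    def add_static(self, public_port, private_ip, private_port):
        """Static mapping, e.g. to host an FTP server on the private network."""
        self.static[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a private source to the public address plus a new source port."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        # Reuse an existing dynamic mapping for the same private endpoint.
        for pub_port, endpoint in self.dynamic.items():
            if endpoint == (src_ip, src_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.dynamic[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Deliver an Internet packet only if a static or dynamic mapping exists."""
        endpoint = self.static.get(dst_port) or self.dynamic.get(dst_port)
        if endpoint is None:
            return None          # no mapping: the packet is not forwarded
        private_ip, private_port = endpoint
        return (src_ip, src_port, private_ip, private_port)
```

This model does not check that an inbound packet comes from the same remote host the dynamic mapping was created for; a real NAT editor and the Windows 2000 implementation keep more state than this.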

II. Internet Connection Sharing

A. Creating and Sharing a Dial-up Connection

Choose and configure a computer to be the "host" computer in your SOHO; that is, configure one computer to connect to the Internet (through an ISP, for example). In the properties of this connection, select Enable Internet Connection Sharing For This Connection.

1. Application-Specific Mappings

Set these in the Applications tab, allowing you to specify static mapping for outbound connections.

2. Service-Specific Mappings

Set these in the Services tab to allow you to offer Internet services, such as servers for Web, FTP, mail, or news.

3. Perform Exercise 10-2 on page 734: Enabling Internet Connection Sharing for Dynamic Mapping.

B. Configuring Connection Sharing on Clients

All clients requiring Internet access through the ICS "host" computer will need to have their Internet Explorer (IE) browser configured to use it.

1. Perform Exercise 10-3 on page 735: Enabling Internet Connection Sharing for a Static Mapping.

2. The first time IE is started, you’ll need to go through the steps outlined on page 736.

C. Limitations of ICS

1. See the list on page 737. If any of these pertain to your SOHO, consider using NAT.

III. Network Address Translation

A. Enabling RRAS with NAT on the Server

Use the Wizard to guide you through setting up NAT. You could also disable your existing RRAS and re-enable it to invoke the Wizard.

B. Ensuring RRAS is Configured for Routing

See Figure 10-1 on page 739.

C. Installing the NAT Protocol

This is necessary if the RRAS snap-in is already opened with RRAS service enabled yet no NAT support is present.

D. Configuring Global NAT Properties

See Figure 10-2 on page 739. Perform Exercise 10-4 on page 740: Installing the NAT Protocol.

E. Configuring NAT Interface Properties

1. Adding the Interfaces to NAT

After installation, it is necessary to instruct NAT on which interfaces to use because the computer won’t automatically use it on all interfaces. You must add at least two interfaces.

2. Configuring IP Address Ranges

This is done in the Address Pool tab.

3. Configuring Interface Special Ports

This is done in the Special Ports tab.

4. When NAT is installed and configured, it should look similar to Figure 10-3 on page 743.

F. Monitoring NAT

Do this through the RRAS snap-in by viewing statistics for each NAT interface.

IV. Troubleshooting ICS and NAT

A. Common Troubleshooting Issues

1. Address Assignment

Connectivity issues arise between the client workstation, the ICS/NAT computer, and the Internet resource. For a list of these, see pages 745-746.

2. Network Address Translation

This concerns how applications work through a translated connection. For a list of these issues, see page 746.

3. Internet Name Resolution

This applies to how friendly Internet names are resolved to IP addresses without using DNS (for example, www.microsoft.com is translated to 207.46.130.45).

4. Other Configuration Issues

See the list on page 747.

5. Miscellaneous

Check the System Event Log for errors or warnings.

6. Perform Exercise 10-5 on page 748: Detecting a Conflicting DHCP Server.
