(http://www.windowsnetworking.com)

Tweet 1 6 26

Home Articles & Tutorials Windows Server 2008

by Mitch Tulloch [Published on 15 Dec. 2009 / Last Updated on 15 Dec. 2009]

This article walks you through the configuration process for using Windows Server as a NAT router for setting up an isolated test network that has Internet connectivity.

Recently I needed to set up a test network in my office which uses a DSL router to connect to the Internet. The test network needed to be on a different subnet than my office LAN butalso needed Internet connectivity. I decided to install Windows Server 2008 on a spare box that had two network interface cards (NICs), install the Routing and Remote AccessService (RRAS) on the box, and use the box as a router between my Workplace and Test networks (see Figure 1).

Figure 1: Using RRAS as a router to connect two subnets

(http://www.amazon.com/exec/obidos/ASIN/0735624062/isaserver1-20/)

There were basically two ways I could have proceeded. First, I could have configured the RRAS box as an IP router to forward traffic between the two subnets. This would haveallowed clients on the Test network to send packets to servers on the Internet, but it wouldn't enable return traffic to be routed back to the client. The reason is that a packet enteringthe DSL router from the Internet side would be routed to the 172.16.11.0 network and would therefore have no way of reaching a client on the 10.0.0.0 network. A solution to thisproblem would have been to add a static route to the DSL router that directly forwards all packets having a destination address of 10.0.0.x to the Workplace interface of the RRAS box(172.16.11.220). Then, once a packet bound for 10.0.0.x reaches this interface, the RRAS box would then forward the packet to its other interface (10.0.0.1) and from there the packetwould enter the Test network and eventually reach its destination. Unfortunately, I did not have admin access to the DSL router since it was managed by my ISP, so I did not followthis approach.

The other approach I could take, and the one that I actually did choose to implement, was to configure the RRAS box as a Network Address Translation (NAT) router. NAT is an IETFstandard that provides a way for translating the IPv4 addresses of computers on one network into IPv4 addresses of computers on a different network. Of course, the DLS router onmy Workplace network is also configured as a NAT router, so the result of implementing this approach is what is known as cascaded NAT or double NAT. Internet connectivity worksfine through 2 or even 3 cascaded NATs, although a few applications can have problems with this type of network topology. For example, Windows Home Server doesn't seem to likecascaded NATs.

Anyways, after searching online a bit I found that there's lots of confusion around how to set up a two-subnet Internet-connected network like that shown in Figure 1, so I decided towrite this article which walks you through the steps of setting up this kind of scenario.

First, Windows Server 2008 was installed on the double-NIC computer and the IPv4 settings of each NIC was configured as follows:

NIC connected to Test LAN:

IP address = 10.0.0.1

Using Windows Server as a NAT Router

18Me gusta

I ntroduction

I nstalling the Serv er Computer

Home Articles & Tutorials KBase Tips Products Reviews Free Tools Blogs Forums White Papers Contact Us

Subnet mask = 255.0.0.0

Default gateway = none

DNS servers = none

NIC connected to Workplace LAN:

IP address = 172.16.11.220

Subnet mask = 255.255.255.0

Default gateway = 172.16.11.1

DNS servers = the public IP addresses of my ISP's DNS servers

Note that the NIC connected to the Test LAN (10.0.0.0) should not have a default gateway—see KB 157025 here (http://support.microsoft.com/kb/157025) for an explanation of whymultihomed computers (computers connected to multiple networks) should only have one gateway address assigned.

Note also that the NIC connected to the Test LAN has been configured with the IP addresses of public DNS servers. This is not needed in order for the clients on the Test network toaccess the Internet, but it is needed if you want to be able to access the Internet from the RRAS server itself.

(http://banman.isoftmarketing.com/a.aspx?

Task=Click&ZoneID=77&CampaignID=2790&AdvertiserID=35&BannerID=1479&SiteID=7&RandomNumber=2142505457&Keywords=articlestutorialswindowsserver2008%2cusingwindowsservernatrouter)

Windows 7 was then installed on the client computers, after which their IPv4 settings were configured as follows:

IP address = 10.0.0.101 (.102, .103, …)

Subnet mask = 255.0.0.0

Default gateway = 10.0.0.1 (the near-side interface of the RRAS box)

DNS servers = the public IP addresses of my ISP's DNS servers

At this point all the "wires" are connected, but if we try to ping the DSL router from a client computer on the Test network, or if we try to traceroute an address on the public Internetfrom the same client computer, these attempts will fail indicating that the Test network does not yet have Internet connectivity (Figure 2):

Figure 2: Can not ping a public IP address from a client on the Test network

And naturally, if we try to browse the Web from our client machine, this too will fail (Figure 3):

I nstalling the Client Computers on the Test LAN

Figure 3: Can not browse the Web

To enable the client computers on the Test network to access the Internet, we need to install the RRAS role on the server and then configure the server as a NAT router. To install theRRAS role, launch the Add Roles Wizard from Server Manager or OOBE.exe and add the Network Policy and Access Services role (Figure 4):

Figure 4: Installing RRAS step 1

On the next wizard page, select Routing and Remote Access Services to install two role services, Remote Access Service and Routing (Figure 5):

I nstalling and Configur ing RRAS

Figure 5: Installing RRAS step 2

Once the wizard finishes, open the Routing and Remote Access console from Administrative Tools, right-click on the local server and select Configure and Enable Routing andremote Access. This launches the Routing and Remote Access Server Setup Wizard; select Network Address Translation (NAT) on the Configuration page of this wizard as shownin Figure 6:

Figure 6: Configuring RRAS for NAT step 1

Next, on the NAT Internet Connection page, we select the network interface that is on the Workplace LAN, which is the "public interface" of the NAT router (see Figure 7)

Figure 7: Configuring RRAS for NAT step 2

The next page asks us whether the NAT router should also provide DHCP and DNS services to the computers on the Test network, which is connected to the "private interface" of theNAT router. Since our client computers all have static IP addresses assigned, we'll choose not to do this (Figure 8):

Figure 8: Configuring RRAS for NAT step 3

Once the wizard finishes, the RRAS service starts up and the service is configured for both IPv4 routing and NAT. To see this, begin by right-clicking on the local server in the RRASconsole and selecting Properties. The General tab shows that IPv4 routing has been enabled, which means IPv4 packets can be forwarded from one NIC to the other (Figure 9):

Figure 9: Verifying RRAS configuration step 1

Selecting the NAT node in the RRAS console shows that three network interfaces were created when NAT was configured on the server using the Routing and Remote AccessServer Setup Wizard. Figure 10 shows the properties of Local Area Connection, which in this scenario is the network connection to the Test (10.0.0.0) network. Note that NATconsiders this network the "private" network, that is, the network "behind" the NAT router:

Figure 10: Verifying RRAS configuration step 2

Figure 11 shows the properties of Local Area Connection 2, which in this scenario is the network connection to the Workplace (172.16.11.0) network. Note that NAT considers thisnetwork the "public" network, that is, the network "in front of" (on the Internet side of) the NAT router:

Figure 11: Verifying RRAS configuration step 3

The Internal network interface is also added to the NAT configuration as a private interface.

At this point NAT has been configured with IP routing, and if I try and ping the DSL router from a client computer on the Test network, or if I try and traceroute from the same client to aserver on the public Internet, these attempts should now succeed (Figure 12):

Figure 12: Network connectivity verified between the Test network and the Internet

Likewise, if I try and browse the Web from a client computer on the Test network, this too should succeed (Figure 13):

Testing NAT

Figure 13: Computers behind the NAT can browse the Web

I can also monitor NAT activity using the RRAS console. To do this, open the console and select the NAT node and examine the network statistics for Local Area Connection 2 (the"public" or Internet-facing NAT interface) as shown in Figure 14:

Figure 14: Viewing NAT activity

Finally, by right-clicking on this interface and selecting Show Mappings, you can open a separate window that lets you view more details concerning what your NAT router is doing(Figure 15):

Mitch Tulloch is a widely recognizedexpert on Windows administration,networking, and security. He hasbeen repeatedly awarded MostValuable Professional (MVP) statusby Microsoft for his outstandingcontributions in supporting userswho deploy and use Microsoft

platforms, products and solutions.

Figure 15: Viewing detailed NAT activity

By using the Network Address Translation and IP routing capabilities of the RRAS role of Windows Server 2008, you can easily set up a separate test subnet on your network andensure that computers on this test subnet have access to the Internet. This article has walked you through how to set this up step by step.

Conclusion

See Also

Using Window s Server 2008 R2 to Publish Internal

Resources

(http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-server-2008/Using-Window s-Server-

2008-R2-Publish-Internal-Resources.html)

Configuring Window s Server 2003 to act as a NAT router

(http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-2003/Configuring-Window s-Server-

2003-act-NAT-router.html)

Virtual Private Netw ork VPN Tips

(http://w w w .w indow snetw orking.com/kbase/Window sTip

s/Window sNT/AdminTips/Netw ork/VirtualPrivateNetw orkV

PNTips.html)

NAT in Window s 2003: Setup and Configuration

(http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-

2003/NAT_Window s_2003_Setup_Configuration.html)

Window s 2000 DCC and ICS

(http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-2000/w 2kdcics.html)

What’s New in Window s Server 2012 Netw orking? (Part

7) (http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-server-2012/w hats-new -w indow s-

server-2012-netw orking-part7.html)

XiNCOM Tw in WAN VPN Gatew ays

(http://w w w .w indow snetw orking.com/hardw are/Firew all

s-VPN/XiNCOM-Tw in-WAN-VPN-Gatew ays.html)

Window s Vista Resource Kit Chapter 23: Supporting

Users Using Remote Assistance (Part 1)

(http://w w w .w indow snetw orking.com/articles-

tutorials/w indow s-vista/Window s-Vista-Resource-Kit-

Chapter-23-Supporting-Users-Using-Remote-Assistance-

Part1.html)

Establishing Redundancy through Demand Dial Routing

(http://w w w .w indow snetw orking.com/articles-

tutorials/netgeneral/Establishing-Redundancy-through-

Demand-Dial-Routing.html)

IPv6 Support in Microsoft Window s

(http://w w w .w indow snetw orking.com/articles-

tutorials/netw ork-protocols/IPv6-Support-Microsoft-

Window s.html)

The Author — Mitch Tulloch

Latest Contribut ions

Provisioning Virtual Machine Clouds w ith Window s Azure

Pack (Part 1)

(http://w w w .w indow snetw orking.com/articles-

tutorials/cloud-computing/provisioning-virtual-machine-

clouds-w indow s-azure-pack-part1.html)

on 15 May 2014 (2014-05-15 12:00)

Deploying Window s Azure Pack (Part 6)

(http://w w w .w indow snetw orking.com/articles-

tutorials/cloud-computing/deploying-w indow s-azure-pack-

part6.html) on 1 May 2014 (2014-05-01 11:58)

Deploying Window s Azure Pack (Part 5)

(http://w w w .w indow snetw orking.com/articles-tutorials/cloud-computing/deploying-w indow s-azure-pack-

part5.html) on 17 April 2014 (2014-04-17 10:45)

Deploying Window s Azure Pack (Part 4)

(http://w w w .w indow snetw orking.com/articles-

tutorials/cloud-computing/deploying-w indow s-azure-pack-

part4.html) on 3 April 2014 (2014-04-03 11:58)

Deploying Window s Azure Pack (Part 3)

(http://w w w .w indow snetw orking.com/articles-

tutorials/cloud-computing/deploying-w indow s-azure-pack-

part3.html) on 20 March 2014 (2014-03-20 11:55)

TechGenix Ltd is an online mediacompany which sets the standardfor providing free high qualitytechnical content to ITprofessionals.(http://www.techgenix.com)

Microsoft Exchange Server Resource Site:Articles & Tutorials(http://www.msexchange.org/)

Network Security Articles for WindowsServer 2003, 2008 & Vista(http://www.windowsecurity.com/)

The essential Virtualization resource sitefor administrators.(http://www.virtualizationadmin.com/)

Microsoft ISA Server Firewall ResourceSite: Articles & Tutorials(http://www.isaserver.org/)

CloudComputingAdmin.com | CloudComputing Resource Site for IT Pros(http://www.cloudcomputingadmin.com/)

Networking & Server software / hardwarefor Windows 2003, 2000, NT & Linux(http://www.wservernews.com/)

About Us Advertise With Us Contact Us

WindowsNetworking.com is in no way affiliated with Microsoft Corp. Copyright © 2014, TechGenix Ltd (http://www.techgenix.com/). All rights reserved. Please read our Privacy Policy (/pages/privacy.html) and Terms & Conditions (/pages/terms.html).