1. NAT-Based Network Planning
A friend once asked me: if I had a large data center with 100 machines in my unit, is there any good way to give every computer Internet access? In my opinion, using a proxy is one method, but the workload is heavy: we would need to install client software on each machine separately and also set IP addresses, gateways, DNS servers, and so on. Later, I came up with a good method: create a NAT server and configure the DNS and DHCP services on that server. Every workstation can then access the Internet automatically with simple settings, and computers outside the network can also directly access specific computers on the intranet.
2. Specific steps for server component configuration
1. Enable routing on the dial-up port
If the connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, Frame Relay, permanent ISDN, xDSL, or cable modem), or if the computer running Windows 2000 connects to another router before it connects to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip the step of adding a NAT routing protocol. For more information about how to enable routing on a dial-up port, see "Enable routing on a port".
2. Use the demand-dial interface to connect to the Internet
This requires a modem and a dial-up connection provided by the ISP.
3. Create a default static route using the Internet interface
For the default static route, you need to select the demand-dial interface (for a dial-up connection) or the LAN interface (for a permanent or intermediary router connection) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. The gateway IP address cannot be configured for a demand-dial interface.
4. Add the NAT routing protocol
The procedure is as follows: open Routing and Remote Access; in the console tree, click "server name - IP Routing - General"; right-click "General" and click "New Routing Protocol". In the New Routing Protocol dialog box, click "Network Address Translation", and then click "OK".
5. Add Internet and internal network interfaces to the NAT Routing Protocol
Specific operation: open Routing and Remote Access; in the console tree, click "server name - IP Routing - General"; right-click "General" and click "New Routing Protocol". In the New Routing Protocol dialog box, click "Network Address Translation", and then click "OK".
6. Enable Network Address Translation addressing
In the Routing and Remote Access console tree, right-click "NAT" and choose "Properties". On the "Address Assignment" tab, select the "Automatically assign IP addresses by using DHCP" check box. In "IP address" and "Mask", configure the IP address range to be allocated to DHCP clients on the private network. Click "Exclude", configure the addresses to be excluded from the IP addresses assigned to DHCP clients on the private network, and then click "OK".
7. Enable Network Address Translation name resolution
In the Routing and Remote Access console tree, click "NAT", right-click it, and select "Properties". On the "Name Resolution" tab, for host name resolution through a DNS server, select the "Clients using Domain Name System (DNS)" check box. If a connection to the Internet needs to be initiated when a host on the private network sends a DNS name query to the NAT computer, select the "Connect to the public network when a name needs to be resolved" check box, and then click the appropriate demand-dial interface name in "Demand-dial interface". Note that the NAT addressing feature only assigns addresses from a single range corresponding to a single subnet. If you add more than one intranet LAN interface to the NAT routing protocol, use a single-subnet configuration (all LAN interfaces are connected to the same network). If the LAN interfaces are connected to different networks, clients on different networks cannot connect.
3. Important Notes
1. If the server is a member of a Windows 2000 Active Directory domain and you are not a domain administrator, ask the domain administrator to add this server's computer account to the "RAS and IAS Servers" security group in the domain of which this server is a member. The domain administrator can add the computer account to the "RAS and IAS Servers" security group in two ways: by using Active Directory to add the computer to the security group, or by using the netsh ras add registeredserver command.
2. When configuring the IP address of the internal network interface, make sure that your server has two network connections before you configure the network address translation (NAT) server. In this example, we have installed two NICs on the server. One has the IP address 202.204.219.111, which is an external address and can connect directly to the Internet. The other has the IP address 192.168.0.1 with subnet mask 255.255.255.0 and no default gateway. It acts as the interface for the internal network connection and is in the same network segment (192.168.0.0) as the internal client computers.
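The single-subnet constraint and the exclusion list can be checked before the settings are entered in the console. The following is an added example, not part of the original article: the function name `check_nat_plan`, the `fileserver` host, the `LAN2` interface, and the rule that statically addressed hosts belong in the exclusion list are assumptions for illustration; the two server addresses come from the article.

```python
import ipaddress

def check_nat_plan(private_if, mask, lan_interfaces, static_hosts, excluded, public_ip):
    """Return a list of problems in a single-subnet NAT addressing plan."""
    net = ipaddress.ip_network(f"{private_if}/{mask}", strict=False)
    excluded_set = {ipaddress.ip_address(e) for e in excluded}
    problems = []
    if not net.is_private:
        problems.append(f"{net} is not a private (RFC 1918) range")
    # The public interface must not fall inside the translated subnet.
    if ipaddress.ip_address(public_ip) in net:
        problems.append(f"public address {public_ip} overlaps {net}")
    # NAT addressing serves one range for one subnet, so every LAN
    # interface added to NAT has to live in that subnet.
    for name, addr in lan_interfaces.items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"interface {name} ({addr}) is outside {net}")
    # Assumption: statically addressed machines should be excluded from the
    # DHCP pool so the allocator cannot lease their address to a client.
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"static host {name} ({addr}) is outside {net}")
        elif ip not in excluded_set:
            problems.append(f"static host {name} ({addr}) is not excluded")
    # An exclusion outside the subnet has no effect and usually hides a typo.
    for ip in sorted(excluded_set):
        if ip not in net:
            problems.append(f"exclusion {ip} is outside {net}")
    return problems

# Server addresses from the article; fileserver and LAN2 are constructed samples.
GOOD = dict(private_if="192.168.0.1", mask="255.255.255.0",
            lan_interfaces={"LAN1": "192.168.0.1"},
            static_hosts={"nat-server": "192.168.0.1", "fileserver": "192.168.0.10"},
            excluded=["192.168.0.1", "192.168.0.10"],
            public_ip="202.204.219.111")
BAD = dict(GOOD, lan_interfaces={"LAN1": "192.168.0.1", "LAN2": "192.168.1.1"},
           excluded=["192.168.0.1"])

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_nat_plan(**plan) or "no problems")
```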
4. Configure other computers on the internal network
Configure TCP/IP on the other computers in the internal network to obtain an IP address automatically, and then restart them. When a computer on the internal network receives its IP address configuration from the network address translation computer, it automatically obtains:
1. IP address: from the 192.168.0.0 range;
2. Subnet mask: 255.255.255.0;
3. Default gateway: the IP address (public address) of the Internet connection interface of the NAT server;
4. DNS server: the IP address (public address) of the Internet connection interface of the NAT server.
5. Advanced knowledge points
Advanced Network Address Translation settings
1. If the ISP has provided an available public IP address, we can set the IP address of the Internet connection interface of the NAT server to this IP address.
2. If a user on the Internet wants to access resources on the internal network, a special port needs to be added. This port maps a public IP address and port number to an internal network IP address and port number.
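Each special port is a deliberate opening in the NAT, so it helps to see what one does and to review the table regularly. The following model is an added example, not code from the original article or from Windows: the names `SpecialPort`, `translate_inbound` and `audit`, and the internal hosts 192.168.0.10 and 192.168.1.20, are constructed for illustration; the public address is the one used in the article.

```python
import ipaddress
from typing import NamedTuple

class SpecialPort(NamedTuple):
    proto: str          # "tcp" or "udp"
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int

def translate_inbound(table, proto, dst_ip, dst_port):
    """Map an unsolicited inbound packet to its internal target, or None if dropped."""
    for m in table:
        if (m.proto, m.public_ip, m.public_port) == (proto, dst_ip, dst_port):
            return (m.private_ip, m.private_port)
    return None  # no special port: the NAT has nowhere to forward it

def audit(table, private_net):
    """Flag mappings that are ambiguous, malformed, or point outside the intranet."""
    net = ipaddress.ip_network(private_net)
    seen, findings = set(), []
    for m in table:
        key = (m.proto, m.public_ip, m.public_port)
        if key in seen:
            findings.append(f"duplicate public endpoint {key}")
        seen.add(key)
        if ipaddress.ip_address(m.private_ip) not in net:
            findings.append(f"{key} forwards outside {net}: {m.private_ip}")
        if not (1 <= m.public_port <= 65535 and 1 <= m.private_port <= 65535):
            findings.append(f"{key} has an invalid port number")
    return findings

PUBLIC = "202.204.219.111"  # external address from the article
TABLE = [
    SpecialPort("tcp", PUBLIC, 80, "192.168.0.10", 80),    # constructed web host
    SpecialPort("tcp", PUBLIC, 8080, "192.168.0.10", 80),  # second public port, same host
]
# Constructed stale entry: reuses public port 80 and targets another subnet.
STALE = TABLE + [SpecialPort("tcp", PUBLIC, 80, "192.168.1.20", 80)]

if __name__ == "__main__":
    print(translate_inbound(TABLE, "tcp", PUBLIC, 80))    # forwarded to the web host
    print(translate_inbound(TABLE, "tcp", PUBLIC, 3389))  # no mapping, dropped
    print(audit(STALE, "192.168.0.0/24"))
```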