Routing and filtering network traffic - Part 3: Network Address Translation

Network Address Translation (NAT) technology was developed to provide a temporary solution to the problem of running out of IPv4 addresses. NAT is a method of connecting multiple computers to the Internet, ...


Network Address Translation

Because IPv4 addresses are a limited resource and their depletion is now a real concern, most ISPs provide only one address per customer. In most cases this address is dynamically assigned, so each time the client connects to the ISP it receives a different address. Large companies can buy additional addresses, but small companies and home users cannot afford to. Because such users receive only one IP address, they can have only one computer connected to the Internet at a time.

Overview of NAT (Network Address Translation)

Network Address Translation (NAT) technology was developed to provide a temporary solution to the problem of running out of IPv4 addresses. NAT is a method of connecting multiple computers to the Internet (or any IP network) using a single IP address. A NAT gateway running on one computer can share that address among the local computers and connect them all to the Internet at the same time. The outside world is unaware of this sharing and sees only one computer connected.

To address some security issues, firewall products are available. These firewalls sit between users and the Internet and verify all traffic before allowing it to pass. This means that unauthorized users are not allowed to access corporate file or email servers.

NAT automatically provides firewall-style protection without any additional installation. The basic purpose of NAT is to multiplex traffic from the internal network and present it to the Internet as if it came from a single computer with one IP address. The TCP/IP protocols support multiplexing, so any computer can maintain multiple simultaneous connections with a remote computer. For example, an internal client can connect to an external FTP server, but an external client cannot connect to an internal FTP server, because it would have to initiate the connection and NAT does not allow that. However, it is still possible to make some internal servers available to the outside world by mapping inbound traffic for well-known TCP ports to specific internal addresses. This makes services such as FTP or web available in a controlled manner.

A modern NAT gateway must change the source address on outgoing packets to its public address. It also rewrites the source ports so that they are unique, which lets it track each client connection. The NAT gateway uses a port mapping table to remember how it rewrote the ports for each packet sent by a client. The port mapping table relates the client's internal IP address and source port, plus its translated source port number, to the destination address and port. The NAT gateway can therefore reverse the process for returning packets and route them back to the correct clients.

Enable NAT

To enable NAT addressing, you can follow these steps:

  1. Open Routing and Remote Access.
  2. To add NAT, right-click General under IPv4 and select New Routing Protocol. Select NAT and click OK.
  3. In the console tree, click NAT under IPv4.
  4. Right-click NAT, and then click Properties.
  5. On the Address Assignment tab, select the Automatically Assign IP Addresses by Using the DHCP Allocator check box.
  6. (Optional) To assign addresses to DHCP clients on the private network, configure the range of IP addresses in IP address and Mask.
  7. (Optional) To exclude addresses from allocation to DHCP clients on the private network, click Exclude, Add, and then configure the addresses.

To specify internal and external interfaces, right-click NAT under IPv4 and select New Interface. Select the physical interface and click OK. Specify either Private Interface Connected to the Private Network or Public Interface Connected to the Internet. If you choose Public Interface Connected to the Internet, you must also select Enable NAT on This Interface. Click OK.

To forward a protocol to a certain internal server via the NAT server, follow these steps:

  1. Right-click the public interface and select Properties.
  2. Select the Services and Ports tab.
  3. Select the protocol you want to forward.
  4. When the Edit Services dialog box appears, specify a private address and click OK to close the Edit Services dialog box.
  5. Click OK to close the Properties dialog box.

NAT and Teredo

IPv6 traffic carried in a Teredo tunnel is not subject to the IPv4 packet filtering function of NATs. Although this might sound as if Teredo bypasses the NAT and lets potentially malicious IPv6 traffic onto private networks, consider the following:

  1. Teredo does not change the behavior of NATs. Teredo clients create dynamic NAT translation table entries for their own Teredo traffic. The NAT forwards incoming Teredo traffic only to the host that created the matching NAT translation table entry. The NAT does not forward Teredo traffic to computers on the private network that are not Teredo clients.
  2. Teredo clients that use a stateful firewall supporting IPv6 traffic (such as Windows Firewall) are protected against unsolicited incoming IPv6 traffic. Windows Firewall is enabled by default in Windows XP SP2, Windows Vista, and Windows Server 2008.

If you want Teredo to communicate via a Windows Server 2008 computer with a firewall enabled, you need to configure the firewall to allow Teredo to be used.
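
An added example (not part of the original article): a small Python model of the port mapping table described in the overview, which also shows the Teredo point above, namely that the NAT delivers inbound traffic only to the host whose own outbound packet created the entry. All addresses, ports, and class names are constructed, and the model assumes a dynamic entry admits only the remote endpoint it was created for; real NAT implementations differ in how strictly they filter.

```python
# Added example: toy NAT port mapping table; all addresses and names are constructed.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


class NatGateway:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}    # (proto, internal, remote) -> public port
        self.dynamic = {}    # (proto, public port) -> (internal, remote)
        self.forwards = {}   # (proto, public port) -> internal (static mapping)

    def add_port_forward(self, proto, public_port, internal):
        """Static mapping: publish one internal service on the public address."""
        self.forwards[(proto, public_port)] = internal

    def outbound(self, pkt):
        """Rewrite the source to the public IP and a unique public port."""
        flow = (pkt.proto, pkt.src, pkt.dst)
        if flow not in self.by_flow:
            while (pkt.proto, self.next_port) in self.forwards:
                self.next_port += 1          # never reuse a published port
            self.by_flow[flow] = self.next_port
            self.dynamic[(pkt.proto, self.next_port)] = (pkt.src, pkt.dst)
            self.next_port += 1
        return Packet(pkt.proto, (self.public_ip, self.by_flow[flow]), pkt.dst)

    def inbound(self, pkt):
        """Reverse the translation; return None when the packet is dropped."""
        if pkt.dst[0] != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst[1])
        entry = self.dynamic.get(key)
        # Assumption: a dynamic entry only admits the remote endpoint it was made for.
        if entry is not None and entry[1] == pkt.src:
            return Packet(pkt.proto, pkt.src, entry[0])
        if key in self.forwards:
            return Packet(pkt.proto, pkt.src, self.forwards[key])
        return None


def demo():
    nat = NatGateway(PUBLIC_IP)
    ftp, stranger = ("198.51.100.7", 21), ("198.51.100.99", 40000)
    # Two clients use the same source port; the gateway keeps them apart.
    out_a = nat.outbound(Packet("tcp", ("192.168.0.11", 1025), ftp))
    out_b = nat.outbound(Packet("tcp", ("192.168.0.12", 1025), ftp))
    reply_b = nat.inbound(Packet("tcp", ftp, out_b.src))
    # No entry exists for public port 21, so an outside connection is dropped...
    unsolicited = nat.inbound(Packet("tcp", stranger, (PUBLIC_IP, 21)))
    # ...until a static mapping publishes the internal FTP server.
    nat.add_port_forward("tcp", 21, ("192.168.0.20", 21))
    forwarded = nat.inbound(Packet("tcp", stranger, (PUBLIC_IP, 21)))
    # Teredo runs over UDP (server port 3544): the client's own outbound
    # packet creates the entry, and only that client receives the replies.
    teredo_server = ("198.51.100.53", 3544)
    t_out = nat.outbound(Packet("udp", ("192.168.0.11", 60000), teredo_server))
    t_reply = nat.inbound(Packet("udp", teredo_server, t_out.src))
    t_other = nat.inbound(Packet("udp", stranger, t_out.src))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b,
            "unsolicited": unsolicited, "forwarded": forwarded,
            "teredo_reply": t_reply, "teredo_other": t_other}


if __name__ == "__main__":
    print(demo())
```

The static mapping is the only path by which an outside host reaches an internal machine that did not speak first, so each forwarded port is worth reviewing as exposed attack surface.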


Multiple-choice questions to test your knowledge

1. You have a Windows Server 2008 computer in the corporate office and a Windows Server 2008 computer at a remote location. What do you need to do to configure routing on the server at the branch office?

  A. Install the Routing and Remote Access role and enable IPv4 LAN routing.
  B. Run the command netsh interface ipv4 enable.
  C. Enable NAT by executing the netsh NAT enable command.
  D. Install the NPS role on the server.

2. You have a Windows Server 2008 server. You need to add a new static route to the routing table on the server. The new route is to network ID 192.168.126.0 with subnet mask 255.255.255.0, using 192.168.125.1 as the default gateway. Which command do you need to use?

  A. route -p 192.168.126.0 mask 255.255.255.0 192.168.125.1 metric 2
  B. route add 192.168.126.0 mask 255.255.255.0 192.168.125.1 metric 2
  C. route add 192.168.126.0 255.255.255.0 192.168.125.1 metric 2
  D. route add 192.168.126.0 mask 255.255.255.0 gateway 192.168.125.1 metric 2

3. You have a network with several subnets. A Windows Server 2008 router is used to connect the subnets. A static route is required, and static routes must not be deleted from the routing table when the computer is restarted. Which of the following parameters needs to be used with the route command?

  A. /f
  B. /S
  C. /r
  D. /p

4. A server is running Windows Server 2008. Your task is to prevent the computer from setting up communication sessions to other computers using TCP port 21. What should you do?

  A. From Windows Firewall, add an exception.
  B. From Windows Firewall, enable the option Block All Incoming Connections.
  C. From the Windows Firewall with Advanced Security snap-in, create an inbound rule.
  D. From the Windows Firewall with Advanced Security snap-in, create an outbound rule.

5. You have a Windows Server 2008 computer. What do you need to do to disable all connections to the server?

  A. From the Services snap-in, disable the Server service.
  B. From the Services snap-in, disable the Net Logon service.
  C. Disable Windows Firewall with Advanced Security.
  D. From Windows Firewall, activate the Block All Connections option on the Domain Profile.

6. Your network consists of 7 subnets. All subnets are connected by Windows Server 2008 machines using RRAS. Unstable demand-dial connections have been configured. You do not want to put a lot of effort into updating the routing tables, but you want any changes to the network topology to be immediately available. Which of the following options do you need to select?

  A. Static routes
  B. ICMP
  C. OSPF
  D. RIPv2

7. The network consists of three different subnets. Dynamic routing is being implemented on three computers running Windows Server 2008, with Routing and Remote Access enabled on these computers. You open the Routing and Remote Access console on the first server and configure the computer for LAN routing. You then select New Routing Protocol from the General node under the IP Routing node and select RIP version 2 for Internet Protocol in the New Routing Protocol dialog box. What is the next thing you need to do?

  A. Add the IP address of the DHCP server to the properties dialog box for the DHCP Relay Agent.
  B. Add the interface on which RIP will run, using the RIP node.
  C. Use the route command to configure routes to remote subnets.
  D. Use the route command to delete all static routes from the routing tables.

8. You are a network administrator for your company. All servers are running Microsoft Windows Server 2008. Some servers are configured as routers with RIP enabled. You want to prevent routing loops from occurring, so you have opened the properties window of the interface assigned to the RIP protocol and selected the Advanced tab. Which of the following options meets this requirement?

  A. Enable split-horizon processing.
  B. Activate triggered updates.
  C. Handle host routes in received messages.
  D. Disable subnet summarization.

9. You have a network with several Windows Server 2008 computers. Your company has just opened a remote office. You are responsible for configuring a two-way demand-dial connection between the corporate office and the remote office. You configure the demand-dial routers with the following settings:

  1. Corporate Office Router Settings:
    1. Interface: SRV02_Public
    2. User Account: SRV02
    3. Calling Number: 555-3434
  2. Site Router Settings:
    1. Interface: SRV01_Public
    2. User Account: SRV01
    3. Calling Number: 555-1212

When you test your configuration, you find that the routers cannot establish a connection. What do you need to do now?

  A. Change the interface name on the router in the main office to SRV01_Public.
  B. Change the demand-dial interface name on each router so that it corresponds to the name of the user account on the remote answering router.
  C. Change the interface name on the router in the branch office to SRV02_Public.
  D. Change the name assigned to user accounts on each router so that they are the same.

10. You have a Windows Server 2008 server that is configured as a NAT server. Your task is to ensure that administrators can access the server named FS1 by FTP. What do you need to do here?

  A. Configure NAT1 to forward ports 20 and 21 to FS1.
  B. Configure NAT1 to forward ports 80 and 443 to FS1.
  C. Configure NAT1 to forward port 25 to FS1.
  D. Configure NAT1 to forward port 3389 to FS1.

11. You have a Windows Server 2008 server with IPv4, IPv6 and NAT at the corporate office and branch offices. What do you need to do here to allow IPv6 computers from the corporate office and branch offices to use Teredo to communicate with each other?

  A. Configure dynamic NAT on the firewall.
  B. Configure the firewall to use Teredo.
  C. Activate static routes between two networks.
  D. Load the Teredo emulator.

Answers to the above questions

  1. Answer A is correct. You need to install the Routing and Remote Access role and then enable IPv4 LAN routing. Answer B is wrong because the netsh command is not used to enable routing; it can only be used to configure the network interface. Answer C is wrong because NAT is not routing and you cannot use the netsh command to enable NAT. Answer D is also wrong because NPS does not provide routing. NPS is used as a RADIUS server and allows the implementation of RADIUS policies.
  2. Answer B is correct. The correct syntax for adding new static routes with the route command is route add <destination> mask <subnet mask> <gateway> metric <metric>. Answers A, C and D are wrong because they do not use the correct syntax.
  3. Answer D is correct. You use the /p parameter to add a persistent route to the routing table. This route will not be deleted from the routing table when the router restarts. The remaining answers are wrong.
  4. Answer D is correct. You need to create an outbound rule by using the Windows Firewall with Advanced Security snap-in to block port 21. Answers A and B are incorrect because on a Windows Server 2008 computer you use the Windows Firewall with Advanced Security snap-in to adjust settings beyond what the standard Windows Firewall provides. In addition, an exception is used to allow traffic, and if you block all incoming connections, other protocols are also blocked and no traffic can pass through to the server. Answer C is incorrect because you want a rule for outgoing packets, not incoming packets: traffic from this server to another computer is outgoing traffic.
  5. Answer D is correct. You can open Windows Firewall and enable Block All Connections to disable all incoming connections. The domain profile is used when a computer is connected to a network where the computer's domain account resides. Answer A is incorrect because disabling the Server service stops file and printer sharing. Answer B is incorrect because disabling the Net Logon service prevents logons but does not prevent all connections. Answer C is incorrect because disabling the firewall allows all traffic to pass through it.
  6. Answer D is correct. For changes to be propagated across the network as they occur, and to reduce the administrative burden of updating routing tables, a routing protocol is required. Because OSPF cannot be used with unstable connections and OSPF is not available in Windows Server 2008, we must use RIPv2. Answers A and C are wrong. Answer B is also wrong because ICMP is not a routing protocol.
  7. Answer B is correct. You need to use the context menu of the Routing Information Protocol (RIP) node to add an interface to RIP. When you add a routing protocol, it is not configured by default to use any interface, so you must specify the interface or interfaces, such as a LAN connection, that the protocol can use. Answer A is incorrect because the scenario does not indicate that there is a DHCP server on the network. Answer C is incorrect because routing tables are built automatically. Answer D is incorrect because there is no need to remove static routes from the routing table.
  8. Answer A is correct. The correct answer is to enable split-horizon processing. You must select this option to ensure that any route learned from a network is not sent back as a RIP announcement to that network. When this option is enabled, a router cannot advertise a route over the same connection from which it learned the route. Answers B, C and D do not help eliminate routing loops.
  9. Answer B is correct. You must change the user account name on each router to correspond to the name assigned to the demand-dial interface on the answering router. For a two-way demand-dial connection to work, the user account used for authentication must be the same as the name assigned to the demand-dial interface. The name of the demand-dial interface of the branch office router must be changed to SRV02. The name of the demand-dial interface in the main office router must be changed to SRV01. Answer D is incorrect because the user accounts used for remote authentication between demand-dial routers do not need to be the same. Answers A and C are incorrect because the demand-dial interface name on the calling router must be the same as the user account name on the calling router.
  10. Answer A is correct. You need to forward ports 20 and 21 to FS1. Ports 20 and 21 are the ports used by FTP. Answer B is incorrect because ports 80 and 443 are used by web servers. Answer C is incorrect because port 25 is used for SMTP. Answer D is incorrect because port 3389 is used by Remote Desktop Protocol.
  11. Answer B is correct. By default, the firewall is enabled and Teredo is blocked. Answer A is wrong because you already have NAT. Answer C is wrong because there are many routes between branches. Answer D is wrong because the Teredo emulator is not.