I’m in the process of building a windows network for my small business
and need some help setting it up.  I would like for my employee
workstations to have 10.x.x.x IP addresses, Internet access and to be
inaccessible to the outside world.  I have enclosed a small diagram of
the way I would like to setup this network
(http://www.nonprofithelper.com/Network.jpg ).  If I understand
correctly one, or more, of my servers need to have two network cards,
one with an outside IP address and one with a 10.x.x.x address.  Then
my workstations would use that server’s 10.x.x.x address as the
gateway for Internet access.  I’m pretty clear on everything except on
how the 10.x.x.x addresses are used or get created/maintained.  So my
question is how do the 10.x.x.x address work and how to I set up my
servers and workstations to use them (including what subnet mask to
use and why).  I would appreciate any help you can offer.  Have a
great day and thank you for reading my question.

Greetings!

I am going to make the assumption that you wish to remain a full
Windows network, and not introduce a Unix machine in the mix.

I am also going to assume that you will be using the latest versions
of the OS, Windows 2000 for the servers and Windows XP for the
clients.

If either of these assumptions are incorrect, please ask for a
clarification and I will update the answer.

Now, the basic technology you will need to have one external IP
address and many internal reserved addresses (the 10-dot network
addresses) is called Network Address Translation (NAT).

NAT is a standard feature of Windows 2000 Server's Routing and Remote
Access Service (RRAS) and Win2K Professional's Internet Connection
Sharing (ICS) component that lets an Internet-connected host act as an
Internet gateway for internal LAN clients. NAT translates clients'
internal network IP addresses into the appropriate address on the
NAT-enabled gateway device and protects internal client IP addresses
by making them inaccessible to Internet hosts.

You are correct in thinking you will need a machine with two network
cards, one connected to the outside, and one connected to the inside.

You can enable NAT from the Routing and Remote Access window on Win2K.
 Full details of the exact process are available from the article
"Windows 2000's Network Address Translation" by Zubair Alexander as
published in the February, 2000 issue of Windows and .Net Magazine,
and available here:
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7882

On the workstations, you will simply need to have the 'Obtain an IP
Address Dynamically' selected in the TCP/IP configuration dialog. 
This will cause the workstations to dynamically search your internal
network for a DHCP server (the NAT server) and get an IP address from
there.  Or, you can manually assign the IP addresses to each
workstation in the same control panel.

Directions and screen shots for this under Windows XP are found in the
article, 'Windows XP Network Protocols', published by
practicallynetworked.com at:
http://www.practicallynetworked.com/sharing/xp/network_protocols.htm

Regarding the subnet mask, you generally leave that blank if using
DHCP to obtain addresses for the workstations; the DHCP server (the
NAT server) will assign that along with the IP address.  Subnetting is
generally only used in much larger networks to group and divide
network segments for logical management.  You can read up on
subnetting at these resources:

LearnToSubnet.com, a free lecture based presentation of IP addresses
and subnetting
http://www.learntosubnet.com/

Also, SubnetOnline.com has a printed tutorail about IP addressing and
subnetting, along with great calculators to help figure subnets.
http://www.subnetonline.com/

Again, tho, I reinforce the notion that you do not need to worry about
subnetting for smaller networks - less than 254 machines will only
occupy one class-C subnet.

I hope this has answered your question; if you need further
information, please post a clarification request.


Search Strategy:

windows 2000 nat
://www.google.com/search?q=windows+2000+nat&sa=Google+Search

windows XP network setup
://www.google.com/search?q=windows+XP+network+setup&sa=Google+Search

how to subnet
://www.google.com/search?q=how+to+subnet&sa=Google+Search




Further Reading:

Understanding NAT, Sean Daily in Windows & .Net Magazine, August 14,
2002
http://www.winnetmag.com/Articles/Print.cfm?ArticleID=9749

---

Request for Answer Clarification by johngl-ga on 03 Apr 2003 20:06 PST

I used the NAT service that the article you posted suggested and am
still having some problems.  I don’t think I’m clear on a few things. 
I have one Network card with the following settings.

IP 208.48.X.X
Subnet  255.255.X.X
Gateway 208.48.X.X

I set this, when asked by the setup wizard, as the network card to get
onto the Internet with.


The second network card is set with:

IP 192.168.0.1
Subnet 255.255.255.0
Gateway (Blank)

I then changed one of my workstations to get IP from DHCP server (as
said in the article).  I did all of this but it’s still not working. 
What could I be doing wrong?  Thanks for your time.

---

Clarification of Answer by wengland-ga on 07 Apr 2003 08:49 PDT

Greetings!

Ok - we're going to have to go back and forth on this a bit.  Please
ask for clarification of this answer to answer my questions.

First, are you getting any errors or other indications that anything
is wrong when  you attempt to connect to the internet via the
workstation?

Second, are you able to connect to the internet via the NAT server?

Third, does the workstation obtain an IP address in the range you
specified? What are the settings shown by IPConfig or winipcfg?  if
you attemt to release and renew the IP address on the workstation with
IPConfig or winipcfg, what messages or errors do you get?

Fourth, are you able to connect via the network from the workstation
to any other shared resources on your internal network, like file
shares?  An easy test is to share out a folder on the NAT server with
full access permissions and see if you can map that folder from the
workstation.  I would suggest trying this with the NAT server
disconneced from the Internet.

Fifth, are you able to ping the NAT server from the workstation? 
Bring up a command prompt and type 'ping 192.168.0.1 '.  What is the
result?

Thank you for the answers to these questions.  This will help to
narrow down the nature of the problem.

Thank you,

wengland-ga

johngl-ga -- have you had a chance to review my questions?  I would
like to help you get this working.

Thanks,

Wengland-ga