How to Set Up NAT on Windows Server 2012 R2
Network Address Translation (NAT) allows a Windows Server 2012 R2 machine to function as an internet gateway, translating private IP addresses from an internal network to a public IP address for outbound internet access. This is commonly used for branch offices, isolated lab networks, or scenarios where you need servers on a private subnet to access the internet without each requiring a public IP. Windows Server 2012 R2 supports NAT through two mechanisms: RRAS-based NAT (more powerful, supports port forwarding and filters) and Internet Connection Sharing (ICS). This guide focuses on RRAS NAT, which is appropriate for production deployments.
Prerequisites
The NAT server requires at least two network interfaces: an external interface connected to the internet (or upstream network with internet access) and an internal interface connected to the private network segment. The internal interface should have a static IP address configured (typically 192.168.1.1 or similar). If clients will use the NAT server as their default gateway, configure their default gateway to point to the NAT server’s internal IP address. DHCP can be run on the NAT server’s internal interface or on a separate server. You need local Administrator rights. The Routing and Remote Access role must be installed.
Installing and Configuring RRAS for NAT
# Install the Remote Access role with routing support
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
# Enable IP routing (prerequisite for NAT)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
-Name "IPEnableRouter" -Value 1 -Type DWord
# Configure RRAS for LAN routing only (no VPN); NAT itself is enabled per interface in the next section
Install-RemoteAccess -VpnType RoutingOnly
# Start RRAS
Start-Service RemoteAccess
Set-Service RemoteAccess -StartupType Automatic
Configuring NAT via RRAS Management Console
The RRAS MMC console provides the most straightforward NAT configuration. Launch rrasmgmt.msc and configure NAT:
# In RRAS console (rrasmgmt.msc):
# 1. Expand the server > IPv4 > right-click "NAT" > New Interface
# 2. Select the EXTERNAL network interface > click OK
# 3. Select "Public interface connected to the Internet"
# 4. Check "Enable NAT on this interface"
# 5. Repeat for the internal interface:
# Select "Private interface connected to a private network"
# Via netsh (command-line configuration):
# Install NAT protocol
netsh routing ip nat install
# Configure external interface (replace "External" with your NIC name)
netsh routing ip nat add interface name="External" mode=full
# mode=full = NAT enabled on this interface as the public (external) side, with address and port translation
# Configure internal interface
netsh routing ip nat add interface name="Internal" mode=private
# mode=private = this interface is the private (protected) side; no translation is applied to it
Verifying Network Interface Configuration
# Verify interface names and IP addresses
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MacAddress | Format-Table
# Verify IP configuration on both interfaces
Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, PrefixLength | Format-Table
# Ensure the external interface has internet connectivity
Test-NetConnection -ComputerName "8.8.8.8" -InformationLevel Quiet
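The checks above can be combined into one pre-flight report. This added script is not part of the original guide; it assumes the adapter aliases "External" and "Internal" used throughout this page and reads the registry value, service state and default route the earlier steps rely on.

```powershell
function Test-NatPrerequisites {
    param(
        [string]$ExternalAlias = "External",
        [string]$InternalAlias = "Internal"
    )
    $results = [ordered]@{}

    # Both adapters must exist and be up
    foreach ($alias in $ExternalAlias, $InternalAlias) {
        $nic = Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue
        $results["Adapter '$alias' is Up"] = [bool]($nic -and $nic.Status -eq "Up")
    }

    # The internal interface needs a manually assigned (static) IPv4 address
    $internalIps = @(Get-NetIPAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue)
    $results["Internal IPv4 address is static"] = (@($internalIps | Where-Object PrefixOrigin -eq "Manual").Count -gt 0)

    # The default route (0.0.0.0/0) must leave via the external interface only
    $defaultRoutes = @(Get-NetRoute -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue)
    $results["Default route only on '$ExternalAlias'"] =
        ($defaultRoutes.Count -ge 1) -and (@($defaultRoutes | Where-Object InterfaceAlias -ne $ExternalAlias).Count -eq 0)

    # IP forwarding is enabled in the registry
    $tcpip = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -ErrorAction SilentlyContinue
    $results["IPEnableRouter = 1"] = ($tcpip.IPEnableRouter -eq 1)

    # RRAS is running and starts automatically (Win32_Service is used because Get-Service lacks StartType on PowerShell 4)
    $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
    $results["RemoteAccess service running"] = ($svc.State -eq "Running")
    $results["RemoteAccess start mode Auto"] = ($svc.StartMode -eq "Auto")

    # Upstream reachability through the external interface
    $results["Upstream reachable (8.8.8.8)"] = Test-NetConnection -ComputerName "8.8.8.8" -InformationLevel Quiet

    foreach ($entry in $results.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = $entry.Value }
    }
}

Test-NatPrerequisites | Format-Table -AutoSize
```

Any row with Passed = False points at the step in the previous sections that still needs attention before NAT is enabled.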
Configuring NAT Address Pools and Port Mapping
If the external interface has multiple public IPs, configure an address pool. For a single public IP (most common), the interface IP is used automatically:
# View NAT configuration
netsh routing ip nat show interface
# Add a public IP address pool for NAT (if you have multiple public IPs)
netsh routing ip nat add addressrange name="External" start=203.0.113.10 end=203.0.113.20 mask=255.255.255.0
# Add a port mapping (port forwarding) - expose an internal server to the internet
# Forward inbound TCP port 80 to internal web server at 192.168.1.50
netsh routing ip nat add portmapping name="External" proto=TCP publicip=0.0.0.0 `
publicport=80 privateip=192.168.1.50 privateport=80
# Forward RDP (TCP 3389) to an internal server; this exposes that host's RDP service to the entire internet, so prefer a VPN or restrict the source upstream where possible
netsh routing ip nat add portmapping name="External" proto=TCP publicip=0.0.0.0 `
publicport=3389 privateip=192.168.1.100 privateport=3389
# Forward multiple external ports to different internal servers
netsh routing ip nat add portmapping name="External" proto=TCP publicip=0.0.0.0 `
publicport=8080 privateip=192.168.1.60 privateport=80
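Port mappings are easy to get wrong in bulk (duplicate public ports, a private IP outside the NAT subnet, a management port exposed by accident), so a small validation wrapper is useful before the rules reach netsh. This added example is not part of the original guide; it assumes the external interface name "External" and the 192.168.1.0/24 internal subnet used on this page, and passes netsh its arguments as an array rather than a concatenated string.

```powershell
function ConvertTo-UInt32Ip([string]$Ip) {
    $bytes = [ipaddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($bytes)   # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Add-NatPortMappingChecked {
    param(
        [Parameter(Mandatory)][hashtable[]]$Mappings,  # each: @{Proto;PublicPort;PrivateIp;PrivatePort}
        [string]$InterfaceName = "External",
        [string]$PrivateSubnet = "192.168.1.0/24",
        [switch]$DryRun
    )
    $netAddr, $prefixLen = $PrivateSubnet -split "/"
    $mask     = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefixLen))
    $netValue = (ConvertTo-UInt32Ip $netAddr) -band $mask
    $seen = @{}
    $managementPorts = 3389, 5985, 5986, 445, 135   # forwarding these from the internet is rarely intended

    foreach ($m in $Mappings) {
        $key = "$($m.Proto.ToUpper())/$($m.PublicPort)"
        if ($seen.ContainsKey($key)) { throw "Duplicate public port $key (already -> $($seen[$key]))" }
        foreach ($p in [int]$m.PublicPort, [int]$m.PrivatePort) {
            if ($p -lt 1 -or $p -gt 65535) { throw "Port $p out of range in mapping $key" }
        }
        if (((ConvertTo-UInt32Ip $m.PrivateIp) -band $mask) -ne $netValue) {
            throw "Private IP $($m.PrivateIp) is outside $PrivateSubnet in mapping $key"
        }
        if ($managementPorts -contains [int]$m.PrivatePort) {
            Write-Warning "$key reaches a management port on $($m.PrivateIp); confirm this exposure is intended"
        }
        $seen[$key] = "$($m.PrivateIp):$($m.PrivatePort)"
        # Arguments go to netsh as an array, so a value containing spaces or quotes cannot be re-tokenised
        $netshArgs = 'routing','ip','nat','add','portmapping',"name=$InterfaceName","proto=$($m.Proto)",
                     'publicip=0.0.0.0',"publicport=$($m.PublicPort)","privateip=$($m.PrivateIp)","privateport=$($m.PrivatePort)"
        if ($DryRun) { "netsh $($netshArgs -join ' ')" }
        else { & netsh @netshArgs | Out-Null; if ($LASTEXITCODE -ne 0) { throw "netsh failed for $key" } }
    }
}

# Constructed batch mirroring the three mappings above; drop -DryRun to apply them
Add-NatPortMappingChecked -DryRun -Mappings @(
    @{ Proto = 'TCP'; PublicPort = 80;   PrivateIp = '192.168.1.50';  PrivatePort = 80 },
    @{ Proto = 'TCP'; PublicPort = 3389; PrivateIp = '192.168.1.100'; PrivatePort = 3389 },
    @{ Proto = 'TCP'; PublicPort = 8080; PrivateIp = '192.168.1.60';  PrivatePort = 80 }
)
```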
Configuring DHCP on the Internal Interface for NAT Clients
NAT clients need IP addresses, default gateway, and DNS settings. Run a basic DHCP scope on the NAT server’s internal interface, or configure it on a separate DHCP server:
# Install DHCP server role
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName "NAT-Gateway.contoso.local" -IPAddress 192.168.1.1
# Create a DHCP scope for the internal network
Add-DhcpServerv4Scope -Name "NAT Internal Network" `
-StartRange 192.168.1.10 `
-EndRange 192.168.1.254 `
-SubnetMask 255.255.255.0 `
-State Active `
-LeaseDuration (New-TimeSpan -Days 1)
# Configure scope options (gateway, DNS, domain)
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 `
-Router 192.168.1.1 `
-DnsServer 192.168.1.1,8.8.8.8 `
-DomainName "contoso.local"
# Exclude reserved addresses
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 `
-StartRange 192.168.1.1 `
-EndRange 192.168.1.9
Configuring DNS Forwarding
Install DNS on the NAT server or configure forwarding to an upstream DNS so clients can resolve internet names:
# Install DNS Server
Install-WindowsFeature DNS -IncludeManagementTools
# Configure DNS forwarders to upstream/internet DNS
Add-DnsServerForwarder -IPAddress "8.8.8.8","8.8.4.4"
# Enable recursion (allows DNS to resolve internet names)
Set-DnsServerRecursion -Enable $true
# Listen for DNS queries on the internal interface only, so the resolver is not reachable on the external address
# (Set-DnsServerRecursionScope does not exist on Windows Server 2012 R2; dnscmd is used instead)
dnscmd . /ResetListenAddresses 192.168.1.1
Configuring Windows Firewall for NAT Server
The NAT server’s Windows Firewall should protect the internal network while allowing legitimate traffic:
# Ensure Windows Firewall is enabled on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# Allow DHCP and DNS traffic from internal network
New-NetFirewallRule -DisplayName "Allow Internal DHCP" -Direction Inbound `
-Protocol UDP -LocalPort 67,68 -InterfaceAlias "Internal" -Action Allow
# -Protocol accepts a single value, so DNS over TCP and UDP need one rule each
New-NetFirewallRule -DisplayName "Allow Internal DNS (TCP)" -Direction Inbound `
-Protocol TCP -LocalPort 53 -InterfaceAlias "Internal" -Action Allow
New-NetFirewallRule -DisplayName "Allow Internal DNS (UDP)" -Direction Inbound `
-Protocol UDP -LocalPort 53 -InterfaceAlias "Internal" -Action Allow
# Block direct management of NAT server from external interface
New-NetFirewallRule -DisplayName "Block External RDP" -Direction Inbound `
-Protocol TCP -LocalPort 3389 -InterfaceAlias "External" -Action Block
# Allow only established connections inbound on external interface
# (Windows Firewall handles stateful filtering automatically for NAT)
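Rules that are not pinned to the internal interface also answer on the external one, which is the exposure that matters on a gateway. This added audit is not part of the original guide; it lists every enabled inbound Allow rule with its interface binding and ports and keeps only those reachable from outside, assuming the internal alias "Internal".

```powershell
function Get-ExternallyReachableAllowRules {
    param([string]$InternalAlias = "Internal")

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -PolicyStore ActiveStore |
        ForEach-Object {
            $rule = $_
            # Interface filter: empty or "Any" means the rule applies on every interface
            $ifaces = @(($rule | Get-NetFirewallInterfaceFilter).InterfaceAlias) |
                Where-Object { $_ -and $_ -ne 'Any' }
            $port = $rule | Get-NetFirewallPortFilter
            # Reachable from outside if unrestricted, or bound to any interface other than the internal one
            $exposed = (@($ifaces).Count -eq 0) -or
                       (@($ifaces | Where-Object { $_ -ne $InternalAlias }).Count -gt 0)
            $ifaceText = 'Any'
            if (@($ifaces).Count -gt 0) { $ifaceText = $ifaces -join ',' }
            [pscustomobject]@{
                Name       = $rule.DisplayName
                Profile    = $rule.Profile
                Interfaces = $ifaceText
                Protocol   = $port.Protocol
                LocalPort  = (@($port.LocalPort) -join ',')
                Exposed    = $exposed
            }
        } |
        Where-Object Exposed |
        Sort-Object Name
}

# Review each rule listed: does it really need to answer on the external interface?
Get-ExternallyReachableAllowRules | Format-Table -AutoSize
```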
Monitoring NAT Sessions
# View active NAT translations
netsh routing ip nat show mapping
# Monitor NAT statistics
netsh routing ip nat show global
# View NAT interface configuration
netsh routing ip nat show interface
# Check the NAT server's own established TCP connections (translated client sessions appear in "show mapping" above, not here)
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort |
Format-Table -AutoSize
Testing NAT Connectivity
# From an internal client (with default gateway set to the NAT server's internal IP):
# Test internet connectivity
Test-NetConnection -ComputerName "8.8.8.8"
# Test DNS resolution
Resolve-DnsName "www.microsoft.com"
# Verify the public IP address being used for outbound NAT
Invoke-RestMethod -Uri "https://api.ipify.org?format=json" | Select-Object ip
# From the NAT server, check routing
tracert 8.8.8.8
Summary
RRAS-based NAT on Windows Server 2012 R2 provides a capable, production-grade internet gateway solution for small to medium-sized networks. The deployment involves: installing the Remote Access and Routing role, enabling IP routing in the registry, configuring RRAS with NAT on the external and internal interfaces, optionally deploying DHCP and DNS on the same server for client configuration, and setting up port forwarding for any internal services that need to be accessible from the internet. The RRAS console and netsh provide complementary management interfaces for configuring and monitoring NAT translations, address pools, and port mappings.