HOW TO configure NAT32 in the presence of Windows XP (SP2) Internet Connection Sharing.

The NAT32 Interface Selection dialog box lists all Network adapters known to Windows. When an adapter name is preceded by a grey icon, NAT32 has detected a potential problem with it and displays a red warning message in the Adapter Details field. Such adapters should normally not be selected for use by NAT32, unless they are USB adapters you wish to connect later, or they are ICS adapters, in which case you should read the following instructions.
 

When Windows Internet Connection Sharing is enabled, the NAT32 Interface Selection dialog box will detect all ICS adapters and display a red warning message for each of them in the Adapter Details field.

In this example, the system has several adapters, three of which are shown as having problems. The USB adapter is simply not present in the system, whereas the Realtek adapter is shown as being a Windows ICS Private Adapter and has the standard IP address 192.168.0.1, even though you originally configured it to use 192.168.4.2. The NDISWANIP connection OfficeVPN is the Windows ICS Internet Adapter in this example.

If NAT32 is to share the same Internet connection which ICS is sharing, a problem arises, because the Windows ICS driver suppresses NAT32's traffic to the private machines. One solution to this problem is to use a different private LAN adapter for NAT32. That way, both Windows ICS and NAT32 can share the same Internet connection, but each uses a different private LAN adapter for communication with the private machines.

If NAT32 is sharing a different Internet connection (i.e. any Internet connection which is not being shared by Windows ICS), then all is well, and a second private LAN adapter is not needed. The NAT32 private interface can then be configured to use either 192.168.0.100 or (in this example) 192.168.4.100.

If you have Windows ICS and NAT32 running at the same time, and each is sharing a different connection, you could configure some of your private machines to use the Windows ICS gateway address (192.168.0.1), and other private machines to use the NAT32 gateway address (either 192.168.4.100 or 192.168.0.100).

However, NAT32 can already share multiple Internet connections simultaneously, dynamically allocate bandwidth between them, and select an Internet interface based on the source address of the private traffic. A better solution would therefore be to turn off Windows ICS and let NAT32 do the sharing instead.

Windows XP has a built-in firewall (ICF) which blocks incoming traffic at the Winsock layer only. It does not block outgoing traffic nor does it block NAT32's NDIS3PKT traffic. If you are using this firewall, it is recommended that you leave it enabled on all Internet connections at all times. The ICF checkbox is ticked if the firewall is present, and the icf command (see below) can be used to list all firewalled connections. Note that Windows ICF gives only limited protection, as any application can send traffic to the Internet, and any application with NDIS3-level access (e.g. trojans) can send and receive packets freely.

The Windows XP SP2 Firewall supports the concept of Authorized Applications. It is recommended that you set the Authorize NAT32 checkbox, if only to avoid a pop-up warning when NAT32 starts.

NAT32 ICS Commands

NAT32 ICF Commands

Note that the above command needs to enumerate all Windows Connections and that this can only be done on XP via Microsoft COM objects. The ics update command (like all things COM) will therefore take some time to complete, particularly if your computer has a bloated Registry.
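To cross-check what the Interface Selection dialog reports, the ICS role and firewall state of every Windows connection can also be read directly from Windows. The following PowerShell script is an added example, not NAT32 code: it uses the Windows HNetCfg.HNetShare COM object (not necessarily the interface NAT32 itself uses) and assumes PowerShell 2.0 or later and an administrator prompt.

```powershell
# Added example: audit ICS roles and per-connection firewall state.
# Assumption: run elevated; HNetCfg.HNetShare is the Windows sharing COM object.
$share = New-Object -ComObject HNetCfg.HNetShare

$report = foreach ($conn in $share.EnumEveryConnection) {
    $props = $share.NetConnectionProps.Invoke($conn)
    $cfg   = $share.INetSharingConfigurationForINetConnection.Invoke($conn)

    # SharingConnectionType: 0 = public (Internet) side, 1 = private (LAN) side.
    if (-not $cfg.SharingEnabled) {
        $role = 'not shared'
    } elseif ($cfg.SharingConnectionType -eq 0) {
        $role = 'ICS Internet adapter'
    } else {
        $role = 'ICS private adapter'
    }

    # The per-connection firewall flag is not readable on every Windows version.
    try   { $firewall = [string]$cfg.InternetFirewallEnabled }
    catch { $firewall = 'unknown' }

    New-Object PSObject -Property @{
        Connection = $props.Name
        Device     = $props.DeviceName
        IcsRole    = $role
        Firewall   = $firewall
    }
}

$report | Select-Object Connection, Device, IcsRole, Firewall |
    Format-Table -AutoSize

# An ICS private adapter is re-addressed by Windows (192.168.0.1 in the text
# above) and should not double as the NAT32 private adapter when both share
# the same Internet connection.
$report | Where-Object { $_.IcsRole -eq 'ICS private adapter' } | ForEach-Object {
    Write-Warning ("{0} is an ICS private adapter; use a different private " +
                   "LAN adapter for NAT32." -f $_.Connection)
}

# Connections without the firewall deserve a second look if they face the Internet.
$report | Where-Object { $_.Firewall -eq 'False' } | ForEach-Object {
    Write-Warning ("{0} has no Windows firewall enabled." -f $_.Connection)
}
```

Like the ics update command, the enumeration goes through COM and can take a few seconds on a machine with many connections.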