NAT + Port Forward on Windows XP

Guest

Hello,

I have configured NAT on Windows XP box by enabling IPEnableRouter in
registry. Everything worked like a charm. Now I want to forward some ports to
one host on internal network. I know that I need ICS for that. So I enabled
ICS and forwarded some ports and it worked too. The problem is, that just
after I enabled ICS, NAT doesn't work anymore. My question is how can I make
NAT AND ICS work together?
 
Steve Winograd [MVP]

Hello,

I have configured NAT on Windows XP box by enabling IPEnableRouter in
registry. Everything worked like a charm. Now I want to forward some ports to
one host on internal network. I know that I need ICS for that. So I enabled
ICS and forwarded some ports and it worked too. The problem is, that just
after I enabled ICS, NAT doesn't work anymore. My question is how can I make
NAT AND ICS work together?

I'd like to help, but I don't have enough information. Please answer
these questions, and include any other information you can think of
that would help people understand the situation:

1. What indicates to you that ICS breaks NAT? What are you doing that
works when ICS isn't enabled? What's different when you enable ICS?
If there are error messages, what do they say?

2. How many network adapters does the Windows XP box have? What is
each one connected to? What is the IP address and subnet mask of each
one?

3. Which network adapter have you told ICS to use as the Internet
connection?

4. Which network adapter have you told ICS to use as the home network
connection? ICS automatically changes that connection's IP address to
192.168.0.1, with a subnet mask of 255.255.255.0.

I think that you and I use different terminology, and I don't want it
to prevent me from understanding your question. As I see it:

1. The IPEnableRouter registry key enables IP forwarding in Windows
XP. IP forwarding causes packets that arrive at one network interface
to be repeated on other network interfaces, allowing an XP computer to
route traffic between multiple subnets. Is that what you mean by
"NAT"?

2. NAT (Network Address Translation) is something different. NAT lets
a computer (or broadband router) share a single Internet connection
and a single public IP address between multiple computers. For
details, see these sites:

http://en.wikipedia.org/wiki/Network_address_translation
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/nattrnsv.mspx

XP's ICS (Internet Connection Sharing) is a NAT program.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Guest

Steve Winograd said:
I'd like to help, but I don't have enough information. Please answer
these questions, and include any other information you can think of
that would help people understand the situation:

1. What indicates to you that ICS breaks NAT? What are you doing that
works when ICS isn't enabled? What's different when you enable ICS?
If there are error messages, what do they say?

2. How many network adapters does the Windows XP box have? What is
each one connected to? What is the IP address and subnet mask of each
one?

OK, my network topology is as follows. I have gateway hardware box with IP
address 10.1.1.1. I configured it to route 192.168.100.121 address through
Windows XP box (which has IP address 10.1.1.225).

Windows XP box has two network interfaces:
First: ip 10.1.1.225, default gw 10.1.1.1, subnet 255.255.255.0
Second: ip 192.168.100.81, subnet 255.255.255.0

When I enable IPEnableRouter in windows xp box, I can ping to
192.168.100.121 (it is a computer on a second network) from other computer on
a network with IP addresses of 10.1.1.x (for example from 10.1.1.121). And
that's fine.

BUT, if I enabled ICS, I can't ping from 10.1.1.121 to 192.168.100.121
anymore.

3. Which network adapter have you told ICS to use as the Internet
connection?

The first one with IP address 10.1.1.225

4. Which network adapter have you told ICS to use as the home network
connection? ICS automatically changes that connection's IP address to
192.168.0.1, with a subnet mask of 255.255.255.0.

Yeah, I know that. But after that I manually changed back second interface
address to 192.168.100.81

I think that you and I use different terminology, and I don't want it
to prevent me from understanding your question. As I see it:

1. The IPEnableRouter registry key enables IP forwarding in Windows
XP. IP forwarding causes packets that arrive at one network interface
to be repeated on other network interfaces, allowing an XP computer to
route traffic between multiple subnets. Is that what you mean by
"NAT"?

Yeah, I meant IP forwarding then, not NAT. So I suppose I want IP forwarding
to work between interfaces AND I want to forward couple of ports (for example
10.1.1.225 24868 to 192.168.100.121 4868)
 
Steve Winograd [MVP]

OK, my network topology is as follows. I have gateway hardware box with IP
address 10.1.1.1. I configured it to route 192.168.100.121 address through
Windows XP box (which has IP address 10.1.1.225).

Windows XP box has two network interfaces:
First: ip 10.1.1.225, default gw 10.1.1.1, subnet 255.255.255.0
Second: ip 192.168.100.81, subnet 255.255.255.0

When I enable IPEnableRouter in windows xp box, I can ping to
192.168.100.121 (it is a computer on a second network) from other computer on
a network with IP addresses of 10.1.1.x (for example from 10.1.1.121). And
that's fine.

BUT, if I enabled ICS, I can't ping from 10.1.1.121 to 192.168.100.121
anymore.


The first one with IP address 10.1.1.225


Yeah, I know that. But after that I manually changed back second interface
address to 192.168.100.81


Yeah, I meant IP forwarding then, not NAT. So I suppose I want IP forwarding
to work between interfaces AND I want to forward couple of ports (for example
10.1.1.225 24868 to 192.168.100.121 4868)

You're welcome.

You've changed the IP address range that ICS assigned to the second
interface. ICS doesn't support using any range except 192.168.0.x,
and I've seen strange things happen when that's changed. I don't
think that what you want to do is possible using ICS. Disable ICS,
then make sure that IPEnableRouter is still enabled.

I also don't think that you need to use ICS. If I understand your
setup, you can create exceptions in the Windows Firewall to forward
the desired ports. I haven't tried this, but here's how I think it
would work with the Windows Firewall enabled on the first network
adapter:

1. Go to Control Panel > Security Center > Windows Firewall.

2. Set the firewall to "On", and un-check "Don't allow exceptions".

3. Click the Exceptions tab.

4. Click "Add Port" and define the desired incoming port.

5. Click Advanced.

6. Click the network connection that uses the first adapter and click
Settings.

7. Click Add and create a service definition, specifying the desired
computer name/address and port numbers.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Guest

Steve Winograd said:
1. Go to Control Panel > Security Center > Windows Firewall.

2. Set the firewall to "On", and un-check "Don't allow exceptions".

3. Click the Exceptions tab.

4. Click "Add Port" and define the desired incoming port.

5. Click Advanced.

6. Click the network connection that uses the first adapter and click
Settings.

7. Click Add and create a service definition, specifying the desired
computer name/address and port numbers.

I tried that before I began fiddling with ICS, but it wouldn't work. In
Advanced I get exactly the same window as in ICS, so I suppose it doesn't
work until ICS is enabled, and I think this ->
http://support.microsoft.com/kb/297942/en-us KB article just proves that I
am right.

Any other thoughts are appreciated.
 
Steve Winograd [MVP]

I tried that before I began fiddling with ICS, but it wouldn't work. In
Advanced I get exactly the same window as in ICS, so I suppose it doesn't
work until ICS is enabled, and I think this ->
http://support.microsoft.com/kb/297942/en-us KB article just proves that I
am right.

Any other thoughts are appreciated.

I think you're right about what that article says. As I said, I
haven't tried the configuration that I suggested.

Can you change the 192.168.100.x network to use 192.168.0.x so that
it's compatible with ICS?
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Guest

Steve Winograd said:
I think you're right about what that article says. As I said, I
haven't tried the configuration that I suggested.

Can you change the 192.168.100.x network to use 192.168.0.x so that
it's compatible with ICS?

No, because I already have one. Moreover network 192.168.100.x has half a
million devices with half a million software on them, so it must not be
bothered.

BTW, I tried forwarding ports through netsh, and it behaves the same as ICS.
Just after I install NAT (netsh routing ip nat install), IP forwarding
between interfaces doesn't work.
 
Steve Winograd [MVP]

No, because I already have one. Moreover network 192.168.100.x has half a
million devices with half a million software on them, so it must not be
bothered.

BTW, I tried forwarding ports through netsh, and it behaves the same as ICS.
Just after I install NAT (netsh routing ip nat install), IP forwarding
between interfaces doesn't work.

I'm sorry, but I'm out of ideas. I don't know enough about your
network and its requirements to suggest anything else. :-(
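
The distinction drawn earlier in the thread between IP forwarding and NAT, and the port forward the poster asked for (10.1.1.225:24868 to 192.168.100.121:4868), as an added example that is not part of any post and not Windows or ICS code. It is a toy model: the class and function names are hypothetical, and dropping inbound packets that match no mapping is how this model behaves, which the thread does not confirm for ICS.

```python
# Added illustration: a toy model, not Windows XP's or ICS's actual code.
# Addresses and ports are the ones quoted in the thread.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
PUBLIC_IP = "10.1.1.225"  # XP box, first adapter

def ip_forward(pkt):
    """Plain routing (IPEnableRouter): headers pass through unchanged."""
    return pkt

class Nat:
    """Minimal NAPT: the private side shares one public IP address."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # public port -> (private ip, private port)
        self.next_port = 50000   # constructed start of the dynamic range

    def add_port_forward(self, public_port, host, port):
        self.table[public_port] = (host, port)  # static mapping

    def outbound(self, pkt):
        """Private -> public: rewrite the source and remember the mapping."""
        for pub, priv in self.table.items():
            if priv == (pkt.src, pkt.sport):
                return pkt._replace(src=self.public_ip, sport=pub)
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.public_ip, sport=pub)

    def inbound(self, pkt):
        """Public -> private: deliver only to a known mapping."""
        if pkt.dst != self.public_ip or pkt.dport not in self.table:
            return None          # assumption of this model: no mapping, drop
        host, port = self.table[pkt.dport]
        return pkt._replace(dst=host, dport=port)

def demo():
    nat = Nat(PUBLIC_IP)
    nat.add_port_forward(24868, "192.168.100.121", 4868)
    direct = Packet("10.1.1.121", 40000, "192.168.100.121", 4868)
    via_fwd = Packet("10.1.1.121", 40000, PUBLIC_IP, 24868)
    return {
        "routed": ip_forward(direct),        # addresses untouched
        "nat_direct": nat.inbound(direct),   # not addressed to the NAT: None
        "nat_forward": nat.inbound(via_fwd), # destination rewritten
    }
```
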
 
