Real NAT on Windows XP

Follow these steps to have your Windows XP to work as a NAT but without the restrictions of ICS (Internet Connection Sharing)


  1. To have two network cards:
    1. NIC1: One connected to the internal network (any network not only
    2. NIC2: The other one connected to the Internet (or other network you want to connect to)
  2. To have administrative access to stop/start some services.


  1. Disable ICS on both NICs.
    1. Right-click on NIC -> Properties -> Advanced. Make sure Allow other network users to connect through this computer’s Internet connection is unchecked.
  2. Enable Routing and Remote Access Service.
    1. Control Panel -> Administrative Tools -> Services. Enable Routing and Remote Access
  3. Disable Firewall/ICS Service (which might take precedence over step 1)
    1. Control Panel -> Administrative Tools -> Services. Disable Windows Firewall/Internet Connection Sharing (ICS)
  4. Configure the NICs:
    1. Only 1 should have a gateway (In my example is NIC2). Disable the gateway on the other NIC (NIC1)
    2. Add the NAT configuration.
      – You still need to find out the name of your network cards. Here are presenting them as NIC1 and NIC2. In reality they could be something like “Local Area Connection”
      type the command netsh

      pushd routing ip nat
      set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
      add interface name="NIC2" mode=FULL
      add interface name="NIC1" mode=PRIVATE

And that’s it!. Your users on the private network can go to the internet using NAT, just make sure they can route their packets through this configured PC.



Note1: This solution was compiled from various sources that were providing me hints about the full solution, but none of them provided all the steps.

Note2: I am pretty sure the steps can be changed, but I have not tried other ways and this one worked for me 🙂

Thank you for reading this post. You can now Read Comments (18) or Leave A Trackback.

18 Responses to “Real NAT on Windows XP

  • 1
    August 5th, 2008 17:17

    thanks for posting this up!

  • 2
    January 7th, 2009 10:56

    I’ve really appreciate your post! Extremely helpful.
    Thanks again

  • 3
    bilou gateux
    January 21st, 2009 08:27

    some steps can be done from the command line:
    ::# stop “Windows Firewall/Internet Connection Sharing (ICS)” service
    sc stop SharedAccess
    ::# enable “Routing and Remote Access” service
    sc config RemoteAccess start= auto
    ::# start “Routing and Remote Access” service
    sc start RemoteAccess

    missing end of line (at least with my web browser):
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR

  • 4
    bilou gateux
    January 21st, 2009 09:02

    You can use NETSH to apply the whole NAT configuration simply by importing a file.

    netsh -f NATcfg.txt

    # ———————————-
    # NAT configuration
    # ———————————-
    pushd routing ip nat
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR

    #NAT Configuration For Interface Local Area Connection
    add interface name=”NIC2″ mode=FULL

    #NAT Configuration For Interface Local Area Connection 2
    add interface name=”NIC1″ mode=PRIVATE


    [Nano]: Thank you for your comments

  • 5
    February 3rd, 2009 14:02

    Does anyone know if you can use netsh to static NAT? … based on the commands (addressmapping) it would appear so. Among many attempts, here is the current set-up:

    add interface name=”Local Area Connection 2″ mode=FULL
    add addressrange name=”Local Area Connection 2″ start= end= mask=
    add addressmapping name=”Local Area Connection 2″ public= private= inboundsessions=enable

    with the intention that a packet inbound to this interface with a destIP= be NAT’d to However, it does not do anything! Simply routes the packet as if NAT is not defined. Thanks.

  • 6
    Ayan Debnath
    March 22nd, 2009 02:53

    Your tutorial is just awesome.

    I am just worried in one place –
    The Server left without any firewall.

    Can we do anything to secure the Server a little bit more ?

    [Response] Interesting question. I will guess that you will have to play directly with the routing rules and filters. I will guess that the firewall at the very end does that, converts the selections from the GUI into rules on the routing commands. Good luck on that.

  • 7
    May 2nd, 2009 11:48

    Thanks for the good explanation!
    I have a very strange problem. I use the NAT on a windows XP laptop with wireless (internet) and wired (local) NICS like you described above. I also configure a ubuntu 8.10 client to use this laptop as router. ping works perfect, no pck loss. in firefox, google works (loading + searching) but all other websites fail to load! Also, the package managers always seems to block somewhere.
    Any Ideas?
    Thanks a lot…

  • 8
    May 31st, 2009 03:11

    Thank you! This tutorial is helpful.
    But now that I’ve set up my computer to be a NAT, can i make it a Port Address Translator? I mean I’ve made these settings, (FULL=”Local Area Connection”; PRIVATE=”Wireless Network Connection”), and i can ping on the internet from any host in the private network (so the level 3 config is excellent). But if I’m trying to browse the internet, or use any application, it doesn’t work. It must be a port forwarding problem. I have tried other tutorials regarding this problem, but they are ambiguous and I’m still having the same problem.
    Please, help!

  • 9
    Rds fiberlink.... la 2 pc in casa - Computer Games Forum
    June 19th, 2009 09:45

    […] NAT. Nano Documet | Real NAT on Windows XP __________________ It has been said that the contents of the rules sections of most […]

  • 10
    Stefan Rovetto
    September 3rd, 2009 13:23

    (en)Thanks for tipps. I made little script collection about ICS, NAT and dial-up.
    (ge)Vielen Dank fĂĽr die Tipps. Ich habe ein paar Scripts geschrieben rund um die Themen ICS, NAT und Dial-up.

    Enjoy X-INetConnect 2.0 ->
    Kind regard, steve

  • 11
    October 22nd, 2009 11:05

    Thanks for the explanation.

    When I type command “set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR”
    ^ The following command was not found,
    What should I?

  • 12
    October 23rd, 2009 05:56

    i have some problem after doing that. my network connection always disapear when starting up windows

  • 13
    May 8th, 2010 08:00

    Response to Chris February 3rd, 2009 14:02.

    You will need to add portmapping also

  • 14
    June 11th, 2010 02:35

    Thanks for the guide.
    I am looking for a solutions for doing this on a ppp interface. I tried giving the name of the ppp (pppoe/dsl) connection as the value for parameter name, but yielded an “interface not present” message.
    Apparently only physical interfaces are supported? But as the ics can work with ppp interfaces it should be possible to configure this somehow, i’d guess.

  • 15
    How to set up NAT Routing on Windows XP | PARMAJA
    September 19th, 2010 16:56

    […] […]

  • 16
    October 12th, 2010 01:32

    Thank you for this very helpful tutorial.

  • 17
    Sharing internet connection on Windows XP with 2 NIC’s and seperate networks - Admins Goodies
    January 9th, 2012 03:30

    […] on this feature or the numerous third-party walkthroughs on “NAT with Windows RAS” like this one which you’ll find by querying the search engine of your […]

  • 18
    King B
    February 23rd, 2012 08:47

    Routing and remote access service doesnot start. Err code : 711…..Kindly help

Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.