Thread: ZA and NAT32

  1. #1
    borntorun Guest

    Default ZA and NAT32

    Does anybody have NAT32 successfully running on a computer protected by ZoneAlarm 10.0.246.000 (or any 10.0 version)? I'm having a terrible time getting the two to coexist!

    My system: I have a second PC hung off my primary PC, connected by a CAT5e crossover cable (running from ethernet adapter to ethernet adapter). Internet access to the primary PC is provided via wireless. NAT32 is described as a "Windows Software Router." It runs on the primary PC and allows the second PC to access the Internet through the cable and the primary PC's Internet connection.

    The technical specifics: On the primary PC, the ethernet adapter is assigned an IP address of 172.16.2.1. NAT32 takes that and creates a Private LAN with a gateway of 172.16.2.100. Clients then have to be assigned an IP address of 172.16.2.x (where x is a unique number other than 0, 1, 100 or 200). The ethernet adapter on my secondary PC is assigned 172.16.2.2, with the default gateway set to 172.16.2.100. The configuration is correct, because it works under certain circumstances (keep reading).

    I have ZoneAlarm running on both machines, but the problem exists entirely with the installation on the primary PC. If I disable that installation of ZoneAlarm, NAT32 works without conflict and I can access the Internet from the second PC with no difficulty. However, if I turn on ZoneAlarm on the primary PC, the second PC cannot access the Internet; something about ZoneAlarm is blocking it. I've tried every configuration I can think of to allow access, but nothing's worked.

    For example, I went into Application Control and customized the settings for NAT32 ("NAT32 Enhanced IP Router for Windows"). I checked both "This program may use other programs to access the Internet" and "Allow Program Interaction." I changed the Trust Level from "Ask" to "Trusted." That didn't fix the problem.

    I went to Firewall Settings and created a new Trusted zone for the secondary PC (172.16.2.2). Again, no change. I deleted that and set up a Trusted zone for an IP range (172.16.2.1 to 172.16.2.100) that included everything controlled by NAT32. Once again, no change.

    I even did all of the above at the same time. Still no change.

    I'm just about at my wit's end. Any suggestions? I would have thought this would be a straightforward problem to resolve, but it's completely eluding me!

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,283

    Default Re: ZA and NAT32

    Are the "network" listed under the ZA zones set as TRUSTED?
    Have you tried to reset the ZA settings and set the ZA program control to AUTO? Have you tried to fully remove ZA and re-install keeping all defaults?

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    borntorun Guest

    Default Re: ZA and NAT32

    Quote Originally Posted by fax View Post
    Are the "network" listed under the ZA zones set as TRUSTED?
    Whether it's set as Trusted or Public makes no difference.

    Have you tried to reset the ZA settings and set the ZA program control to AUTO?
    Yes. It made no difference.

    Have you tried to fully remove ZA and re-install keeping all defaults?
    Since your suggestion, yes. It also made no difference.

    However, I've continued to explore different settings and I think I've gotten a lot closer to isolating the problem. I found that if I turn Application Control off (essentially giving all programs, including NAT32, free rein), it makes no difference. But if I turn off the Advanced Firewall, that makes all the difference! Then I can access the Internet from the secondary PC. That seems to indicate the problem is more traffic-related than program-related.

    Furthermore, the security setting for the Trusted Zone has no effect on the problem, even when the NAT32 network is placed in the Trusted Zone. But the security setting for the Public Zone does change things. Dropping the Public Zone setting down to Medium allows Internet access for the secondary PC -- regardless of which zone the NAT32 network is in! So, more specifically, the problem seems to be traffic between the secondary PC and the Public Zone (i.e., the Internet).

    Of course, I don't want to run my computer all the time with the Public Zone set to Medium security, as that will put me at a greater risk of infection. The obvious solution is to figure out the relevant difference between the Medium and High settings and fine-tune the High setting only as much as necessary to allow Internet access for the secondary PC.

    That led me to the "Public Zone Security Settings" under "Advanced Settings" for the Advanced Firewall. There, you can control DNS, DHCP, ICMP, IGMP, UDP, TCP and NetBIOS connections for both the High and Medium security settings. To make a long story short, allowing connections for ICMP, IGMP, DNS and DHCP on the High setting made no difference; the Internet still couldn't be accessed from the secondary PC. On the other hand, if I had Public Zone security set to Medium (which allowed Internet access on the secondary PC), blocking NetBIOS, ICMP and IGMP connections didn't stop Internet access. My conclusion is that the problem, while traffic-related, isn't with any of DNS, DHCP, ICMP, IGMP or NetBIOS connections.

    Which means it's almost got to be TCP-related, and there are ports that need to be allowed connections in order for the secondary PC to access the Internet. My dilemma is that, by default, the High security setting blocks TCP on all ports, while the Medium setting allows TCP on all ports. I can open up only specific ports under the High setting, but I have to know which ports -- and I don't. How do I determine precisely which ports are used when the secondary PC accesses the Internet through NAT32? Is there a third-party port use logger of some sort that I can install, which will show me that? Any suggestions would be most welcomed!
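The port question raised in the post above can be answered from the secondary PC itself. The following is an added example, not part of the original thread: it tallies remote TCP ports from Windows `netstat -n -p tcp` output, separating connections that completed from ones stuck in `SYN_SENT` (no reply, which is what a dropped port looks like from the client). The sample output is constructed, and the /24 mask for the NAT32 LAN is an assumption based on the 172.16.2.x addressing described earlier.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the NAT32 private LAN is 172.16.2.0/24 (the thread only says 172.16.2.x).
NAT32_LAN = ipaddress.ip_network("172.16.2.0/24")

# Constructed sample of `netstat -n -p tcp` output taken on the secondary PC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    172.16.2.2:49201       192.0.2.10:80          ESTABLISHED
  TCP    172.16.2.2:49202       192.0.2.10:443         ESTABLISHED
  TCP    172.16.2.2:49203       198.51.100.7:443       TIME_WAIT
  TCP    172.16.2.2:49204       172.16.2.1:445         ESTABLISHED
  TCP    127.0.0.1:49210        127.0.0.1:49211        ESTABLISHED
  TCP    172.16.2.2:49205       203.0.113.9:993        SYN_SENT
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def outbound_ports(netstat_text, lan=NAT32_LAN):
    """Return (reached, stalled) Counters keyed by remote TCP port.

    reached: connections that got past the handshake (any state but SYN_SENT)
    stalled: SYN sent, nothing came back
    Loopback and LAN-internal destinations are skipped, since only traffic
    leaving through the gateway matters for the Public Zone rules.
    """
    reached, stalled = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, non-TCP rows
        _, _, remote_ip, remote_port, state = m.groups()
        try:
            addr = ipaddress.ip_address(remote_ip)
        except ValueError:
            continue  # bracketed IPv6 forms are ignored in this example
        if addr.is_loopback or addr in lan:
            continue
        bucket = stalled if state == "SYN_SENT" else reached
        bucket[int(remote_port)] += 1
    return reached, stalled

if __name__ == "__main__":
    reached, stalled = outbound_ports(SAMPLE_NETSTAT)
    print("reached:", sorted(reached.items()))
    print("stalled:", sorted(stalled.items()))
```

Capturing the output once with the Public Zone at Medium and once at High, then comparing the two results, shows which remote ports only work under Medium.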

  4. #4
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,283

    Default Re: ZA and NAT32

    No idea from my side, sorry. Hopefully some other users here have a bright solution to propose.


  5. #5
    Join Date
    Dec 2002
    Location
    San Carlos, California
    Posts
    1,636

    Default Re: ZA and NAT32

    This sounds similar to the old Windows ICS.

    In version 10 we stopped supporting ICS types of setups.

    We suggest in this day and age get yourself a really inexpensive router that has NAT built in and that will resolve all these issues of a software NAT.

    Forum Moderator

  6. #6
    borntorun Guest

    Default Re: ZA and NAT32

    Quote Originally Posted by Forum-Moderator View Post
    This sounds similar to the old Windows ICS.
    Similar, but far better and infinitely more flexible.

    We suggest in this day and age get yourself a really inexpensive router that has NAT built in and that will resolve all these issues of a software NAT.
    Unfortunately, because of the peculiarities of the network situation here, a router won't resolve things. A dedicated generic wireless access point might, but those typically cost more than I want to throw at the problem.

    Still, I think I've figured out a hardware-based solution that's fairly cheap and doesn't involve extensive ZoneAlarm configuration, and I should be implementing it in a couple of days. Thanks for the input!
