Re: Think outside the GUI challenge #1

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Dec 2005 11:05:48 -0800

Just realized a C&P error in the final illustration.
This is the corrected version:

When we add the new route definition, Windows now understands that some 
internal routing is required and forwards the packet this way:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     |    10.0.0.1     |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|


--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

I knew I'd get Tom in on this one (he loves a good brain twister).

#1 - closer.  Unless instructed otherwise, Windows always sends originating 
traffic using the default IP (123.123.123.123) as the source address in the IP 
header.  Since the bridge doesn't understand how to respond to what it sees as 
non-local traffic, it simply drops it.  The part of the routing command that 
makes it work is specifying the new IP (10.0.0.1) as the gateway for this 
route.  This causes Windows to "route internally" and results in the bridge 
seeing the 10.0.0.1 IP as the source IP.
#2 - almost...  RRAS maintains a separate routing table that affects (but is 
not affected by) the TCP/IP routing table.  Thus, when RRAS is installed, it is 
usually more correct to enter manual routes in the RRAS routing table.  This 
depends on how you want Windows & RRAS to behave with regard to "special" 
traffic.
#3 - dingdingding!
#4 - close enough...

To illustrate the scenario...
For simplicity's sake, we'll use ISA-local traffic for this demo.
The original packet headers are built as (simplified):
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Because Windows has no clear instructions on how to handle this destination IP, 
internal logic sends it as:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       | default gateway | 123.123.123.123 |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Adding the new IP address only instructs Windows that this is now a local 
subnet, creating the following headers:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     | 123.123.123.123 |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

When we add the new route definition, Windows now understands that some 
internal routing is required and forwards the packet this way:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|     (local)      |     (local)     |    127.0.0.1    |    10.0.0.1     |
|------------------|-----------------|-----------------|-----------------|

|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     |    10.0.0.1     |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Note that you can't see these internal routing changes happening via NetMon or 
any other packet sniffer because it's occurring in what's known as "memory 
mapped networking".

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
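A small model of the source-address selection described in the message above, added here as an example and not part of any of the original posts: it performs a longest-prefix-match lookup over a constructed routing table and applies the rule the thread states, that a route whose gateway is one of the host's own addresses is "routed internally" and that address becomes the source. The addresses are the thread's scenario; the `Host` and `Route` classes, the metrics (20 for connected routes, 1 for manual ones) and the selection rule itself are assumptions that model the behaviour as described, not the Windows TCP/IP stack.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values (assumption: illustrative, not a capture from a real host).
CONNECTED_METRIC = 20   # assumed metric for the route Windows adds for a bound address
MANUAL_METRIC = 1       # the netsh example in the thread uses metric=1
ON_LINK = ipaddress.IPv4Address("0.0.0.0")


@dataclass
class Route:
    dest: ipaddress.IPv4Network      # destination prefix, mask folded in
    gateway: ipaddress.IPv4Address   # next hop; ON_LINK means "deliver directly"
    iface: str                       # interface name, e.g. "North"
    metric: int


@dataclass
class Host:
    """Toy model of one Windows host's bound addresses and routing table."""
    addresses: dict = field(default_factory=dict)   # iface -> [IPv4Interface, ...]
    routes: list = field(default_factory=list)

    def local_addresses(self):
        return {a.ip for addrs in self.addresses.values() for a in addrs}

    def add_address(self, iface, cidr):
        """Models 'netsh int ip add addr <iface> <ip> <mask>': the address is
        bound and a connected (on-link) route for its subnet appears."""
        a = ipaddress.ip_interface(cidr)
        self.addresses.setdefault(iface, []).append(a)
        self.routes.append(Route(a.network, ON_LINK, iface, CONNECTED_METRIC))

    def add_route(self, dest, mask, gateway, iface="North"):
        """Models 'route add <dest> mask <mask> <gateway>'."""
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        self.routes.append(Route(net, ipaddress.IPv4Address(gateway), iface, MANUAL_METRIC))

    def lookup(self, dst):
        """Longest-prefix match; the lowest metric breaks ties."""
        dst = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if dst in r.dest]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.dest.prefixlen, r.metric))

    def build_headers(self, dst):
        """Simplified IP header plus next hop for a locally originated packet,
        following the rule the thread describes: a route whose gateway is one
        of our own addresses makes that address the source; otherwise the
        interface's first (default) address is used."""
        r = self.lookup(dst)
        if r is None:
            return None
        dst_ip = ipaddress.IPv4Address(dst)
        if r.gateway in self.local_addresses():
            src, next_hop = r.gateway, dst_ip
        else:
            src = self.addresses[r.iface][0].ip
            next_hop = dst_ip if r.gateway == ON_LINK else r.gateway
        return {"src": str(src), "dst": str(dst_ip), "next_hop": str(next_hop), "iface": r.iface}


def walk_scenario():
    """Replays the three stages of the thread's illustration and returns the
    headers produced at each stage."""
    isa = Host()
    isa.add_address("North", "123.123.123.123/24")
    isa.add_route("0.0.0.0", "0.0.0.0", "123.123.123.1")        # default gateway
    before = isa.build_headers("10.0.0.2")                         # goes to the DG
    isa.add_address("North", "10.0.0.1/24")                        # netsh int ip add addr
    address_only = isa.build_headers("10.0.0.2")                   # on-link, but wrong source
    isa.add_route("10.0.0.0", "255.255.255.0", "10.0.0.1")         # route -p add ... 10.0.0.1
    with_route = isa.build_headers("10.0.0.2")                     # source is now 10.0.0.1
    return before, address_only, with_route


if __name__ == "__main__":
    stages = ("no local subnet", "address added", "route via 10.0.0.1")
    for stage, hdr in zip(stages, walk_scenario()):
        print(f"{stage:20s} src={hdr['src']:16s} next_hop={hdr['next_hop']}")
```

The second stage is the one that matters for troubleshooting: the lookup already picks the on-link 10.0.0.0/24 route, so the packet reaches the wire, but the source address is still the external one, which is exactly why the bridge drops it and why nothing obvious shows up in a capture.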

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 10:01 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

OK

1. Because it will send it to the default gateway if we don't do this, and that 
won't work.
2. Still dunno -- undocumented RRAS horkage?
3. route -p add 10.0.0.1 mask 255.255.255.255 10.0.0.1
4. Move off

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 11:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> http://www.ISAserver.org
> 
> Very close!
> 1. sorry; incorrect
> 2. acceptable, but not very informative :0>
> 3. that'll break it again (if the utilities even allow it); 
> what else must be changed?
> 4. can be "sweetened"
> 
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 9:36 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> http://www.ISAserver.org
> 
> 1. Because 10.0.0.0/8 is already taken
> 2. Dunno
> 3. Use 255.255.255.255
> 4. Can say here, there are ladies reading.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 11:13 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > http://www.ISAserver.org
> > 
> > I smell an xNIX geek among us.
> > :-p
> > 
> > Correct.  The actual command lines would be:
> > - netsh int ip add addr north 10.0.0.1 255.255.255.0
> > 
> > (without RRAS)
> > - route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1
> > 
> > (with RRAS)
> > - netsh routing ip add persistentroute dest=10.0.0.0 
> > mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD    
> >  preference=0 metric=1 view=both
> > - netsh routing ip set persistentroute dest=10.0.0.0 
> > mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD    
> >  preference=0 metric=1 view=both
> > 
> > ..now, for the extra points questions:
> > Ep1 - why doesn't it work without adding the route commands 
> > *as specified*?
> > Ep2 - why are the routing table commands different with & without RRAS?
> > Ep3 - how would you modify the commands to restrict the 
> > acceptable IP range?
> > Ep4 - what does my daughter's phone number spell?
> > 
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 7:34 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > http://www.ISAserver.org
> > 
> > #1: bind static ip 10.0.0.X/24 at CLI
> >     also add a static route 10.0.0.0/24 gateway 10.0.0.X/24 at CLI
> > 
> > > Remember; this is the "out of the GUI" challenge.
> > > How would you accomplish item 1 from the command line?
> > > 
> > > Also, it still won't work (incomplete).
> > > What other non-ISA, non-GUI steps must be taken?
> > > 
> > > #2 answered correctly.
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > 
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > > Sent: Wednesday, December 28, 2005 11:07 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > 1) Bind an additional static IP 10.0.0.X/24 to ISA External Interface
> > > 2) In case of dynamic IP, static IP can't assign as per 1)
> > > 
> > > 
> > > > Merry Xmas & Happy New Year!
> > > > 
> > > > In the spirit of giving, here's a "think outside the GUI" challenge for you.
> > > >  
> > > > Scenario:
> > > > - ISA is connected directly to the Internet via a "manageable" DSL bridge
> > > > - ISA uses 123.123.123.123/24 static external IP; DG = 123.123.123.1
> > > > - Internal LAN uses 10.9.8.x/24
> > > > - DSL bridge has unchangeable 10.0.0.2/24 internal IP
> > > > - DSL bridge offers web-based management on that internal IP
> > > > 
> > > >         Internet
> > > >            |
> > > >       DSL Bridge
> > > >          |- 10.0.0.2/24
> > > >            |- 123.123.123.123/24
> > > >         ISA
> > > >          |- 10.9.8.x/24
> > > >           LAN
> > > > 
> > > > Note:
> > > > - The DSL bridge internal IP is irrelevant to normal Internet access.
> > > > Because it's operating in "bridge" (as opposed to NAT) mode, it's effectively transparent to the ISA for Internet traffic.
> > > > 
> > > > Challenges:
> > > > 1. Allow either ISA-local or ISA-internal to access the DSL bridge web interface
> > > > 2. Explain why the correct solution is impossible to implement if the ISP provides a dynamic IP.
> > > > 
> > > > Hint:
> > > > - The core of the solution has nothing whatsoever to do with ISA itself.
> > > > 
> > > > --------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > --------------------------------------------
> > > > 
> > > > 
> > > > All mail to and from this domain is GFI-scanned.
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org 
> > Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > 
> > 
> 
