Lemme see if I can find it. I had an ISA dev show the really-hard-to-locate reference one day when I was building Winsocktool, but I've since lost it. It sounds like a neat feature for a packet sniffer though, doesn't it?

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, December 29, 2005 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

VERY COOL. Any refs? I checked
http://search.microsoft.com/results.aspx?q=%22memory+mapped+networking%22&l=1&mkt=en-US&FORM=QBME1
but no dice.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, December 29, 2005 12:57 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
>
> http://www.ISAserver.org
>
> I knew I'd get Tom in on this one (he loves a good brain twister).
>
> #1 - closer. Unless instructed otherwise, Windows always sends originating traffic using the default IP (123.123.123.123) as the source address in the IP header. Since the bridge doesn't understand how to respond to what it sees as non-local traffic, it simply drops it. The part of the routing command that makes it work is specifying the new IP (10.0.0.1) as the gateway for this route. This causes Windows to "route internally" and results in the bridge seeing the 10.0.0.1 IP as the source IP.
> #2 - almost... RRAS maintains a separate routing table that affects (but is not affected by) the TCP/IP routing table. Thus, when RRAS is installed, it is usually more correct to enter manual routes in the RRAS routing table. This depends on how you want Windows & RRAS to behave with regard to "special" traffic.
> #3 - dingdingding!
> #4 - close enough...
>
> To illustrate the scenario...
> For simplicity's sake, we'll use ISA-local traffic for this demo.
> The original packet headers are built as (simplified):
> |------------------------------------|-----------------------------------|
> |          Ethernet Header           |            IP Header              |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination IP  |
> |------------------|-----------------|-----------------|-----------------|
> |    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
>
> Because Windows has no clear instructions on how to handle this destination IP, internal logic sends it as:
> |------------------------------------|-----------------------------------|
> |          Ethernet Header           |            IP Header              |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination IP  |
> |------------------|-----------------|-----------------|-----------------|
> |      North       | default gateway | 123.123.123.123 |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
>
> Adding the new IP address only instructs Windows that this is now a local subnet, creating the following headers:
> |------------------------------------|-----------------------------------|
> |          Ethernet Header           |            IP Header              |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination IP  |
> |------------------|-----------------|-----------------|-----------------|
> |      North       |     bridge      | 123.123.123.123 |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
>
> When we add the new route definition, Windows now understands that some internal routing is required and forwards the packet this way:
> |------------------------------------|-----------------------------------|
> |          Ethernet Header           |            IP Header              |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination IP  |
> |------------------|-----------------|-----------------|-----------------|
> |     (local)      |     (local)     |    127.0.0.1    |    10.0.0.1     |
> |------------------|-----------------|-----------------|-----------------|
>
> |------------------------------------|-----------------------------------|
> |          Ethernet Header           |            IP Header              |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination IP  |
> |------------------|-----------------|-----------------|-----------------|
> |      North       |     bridge      |    10.0.0.1     |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
>
> Note that you can't see these internal routing changes happening via NetMon or any other packet sniffer because it's occurring in what's known as "memory mapped networking".
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, December 29, 2005 10:01 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
>
> http://www.ISAserver.org
>
> OK
>
> 1. Because it will send it to the default gateway if we don't do this, and that won't work.
> 2. Still dunno -- undocumented RRAS horkage?
> 3. route -p add 10.0.0.1 mask 255.255.255.255 10.0.0.1
> 4. Move off
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, December 29, 2005 11:48 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> >
> > http://www.ISAserver.org
> >
> > Very close!
> > 1. sorry; incorrect
> > 2. acceptable, but not very informative :0>
> > 3. that'll break it again (if the utilities even allow it); what else must be changed?
> > 4. can be "sweetened"
> >
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, December 29, 2005 9:36 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> >
> > http://www.ISAserver.org
> >
> > 1. Because 10.0.0.0/8 is already taken
> > 2. Dunno
> > 3. Use 255.255.255.255
> > 4. Can't say here, there are ladies reading.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, December 29, 2005 11:13 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > >
> > > http://www.ISAserver.org
> > >
> > > I smell an xNIX geek among us.
> > > :-p
> > >
> > > Correct. The actual command lines would be:
> > > - netsh int ip add addr north 10.0.0.1 255.255.255.0
> > >
> > > (without RRAS)
> > > - route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1
> > >
> > > (with RRAS)
> > > - netsh routing ip add persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > > - netsh routing ip set persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > >
> > > ..now, for the extra points questions:
> > > Ep1 - why doesn't it work without adding the route commands *as specified*?
> > > Ep2 - why are the routing table commands different with & without RRAS?
> > > Ep3 - how would you modify the commands to restrict the acceptable IP range?
> > > Ep4 - what does my daughter's phone number spell?
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > >
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Thursday, December 29, 2005 7:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > >
> > > http://www.ISAserver.org
> > >
> > > #1: bind static ip 10.0.0.X/24 at CLI
> > > also add a static route 10.0.0.0/24 gateway 10.0.0.X/24 at CLI
> > >
> > > > Remember; this is the "out of the GUI" challenge.
> > > > How would you accomplish item 1 from the command line?
> > > >
> > > > Also, it still won't work (incomplete).
> > > > What other non-ISA, non-GUI steps must be taken?
> > > >
> > > > #2 answered correctly.
> > > >
> > > > --------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > --------------------------------------------
> > > >
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Wednesday, December 28, 2005 11:07 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > 1) Bind an additional static IP 10.0.0.X/24 to ISA External Interface
> > > > 2) In case of dynamic IP, static IP can't be assigned as per 1)
> > > >
> > > > > Merry Xmas & Happy New Year!
> > > > >
> > > > > In the spirit of giving, here's a "think outside the GUI" challenge for you.
> > > > >
> > > > > Scenario:
> > > > > - ISA is connected directly to the Internet via a "manageable" DSL bridge
> > > > > - ISA uses 123.123.123.123/24 static external IP; DG = 123.123.123.1
> > > > > - Internal LAN uses 10.9.8.x/24
> > > > > - DSL bridge has unchangeable 10.0.0.2/24 internal IP
> > > > > - DSL bridge offers web-based management on that internal IP
> > > > >
> > > > > Internet
> > > > >   |
> > > > > DSL Bridge
> > > > >   |- 10.0.0.2/24
> > > > >   |- 123.123.123.123/24
> > > > > ISA
> > > > >   |- 10.9.8.x/24
> > > > > LAN
> > > > >
> > > > > Note:
> > > > > - The DSL bridge internal IP is irrelevant to normal Internet access. Because it's operating in "bridge" (as opposed to NAT) mode, it's effectively transparent to the ISA for Internet traffic.
> > > > >
> > > > > Challenges:
> > > > > 1. Allow either ISA-local or ISA-internal to access the DSL bridge web interface
> > > > > 2. Explain why the correct solution is impossible to implement if the ISP provides a dynamic IP.
> > > > >
> > > > > Hint:
> > > > > - The core of the solution has nothing whatsoever to do with ISA itself.
> > > > >
> > > > > --------------------------------------------
> > > > > Jim Harrison
> > > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > > http://isaserver.org/Jim_Harrison/
> > > > > http://isatools.org
> > > > > Read the help / books / articles!
> > > > > --------------------------------------------
> > > > >
> > > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
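To make Jim's three packet-header states concrete, here is an added Python model (not code from the thread, from Microsoft, or from ISA): it does longest-prefix route lookup and applies the rule Jim describes, that the interface's primary address is the source unless the matching route's gateway is one of the host's own addresses. The interface name North, the metric values, the class names and the tie-break on metric are assumptions of this model, not documented Windows behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected (on-link)
    iface: str
    metric: int = 1


@dataclass
class WindowsHost:
    """Toy model of the thread's routing behaviour (an assumption, not Windows's real code)."""
    addrs: dict = field(default_factory=dict)   # iface name -> [IPv4Interface, ...]
    routes: list = field(default_factory=list)

    def add_addr(self, iface, cidr):
        # netsh int ip add addr <iface> <ip> <mask>: new address plus an on-link route.
        # The on-link metric 10 is a constructed value; only its rank matters here.
        ifc = ipaddress.ip_interface(cidr)
        self.addrs.setdefault(iface, []).append(ifc)
        self.routes.append(Route(ifc.network, None, iface, metric=10))

    def add_route(self, dest, gateway, iface, metric=1):
        # route -p add <dest> mask <mask> <gateway>
        self.routes.append(Route(ipaddress.ip_network(dest),
                                 ipaddress.ip_address(gateway), iface, metric))

    def send(self, dst):
        """Return (source IP, next hop) chosen for a packet to dst."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.dest]
        if not matches:
            raise LookupError(f"no route to {dst}")
        r = max(matches, key=lambda x: (x.dest.prefixlen, -x.metric))  # longest prefix, then metric
        primary = self.addrs[r.iface][0].ip          # the interface's "default IP"
        if r.gateway in {a.ip for a in self.addrs[r.iface]}:
            # gateway is one of our own addresses: Windows "routes internally"
            # and the packet leaves with that address as its source
            return str(r.gateway), str(dst)
        if r.gateway is None:
            return str(primary), str(dst)             # on-link, but source stays the default IP
        return str(primary), str(r.gateway)           # off-link via the real gateway


def scenario():
    """Walk the thread's three states; returns (source, next hop) for each."""
    isa = WindowsHost()
    isa.add_addr("North", "123.123.123.123/24")
    isa.add_route("0.0.0.0/0", "123.123.123.1", "North")   # DG from the scenario
    no_addr = isa.send("10.0.0.2")        # handed to the DG with 123.123.123.123 as source
    isa.add_addr("North", "10.0.0.1/24")  # netsh int ip add addr north 10.0.0.1 255.255.255.0
    addr_only = isa.send("10.0.0.2")      # on-link now, yet the source is still 123.123.123.123
    isa.add_route("10.0.0.0/24", "10.0.0.1", "North")  # route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1
    with_route = isa.send("10.0.0.2")     # source 10.0.0.1, which the bridge can answer
    return no_addr, addr_only, with_route
```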