Re: Think outside the GUI challenge #1

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Dec 2005 11:25:42 -0800

Lemme see if I can find it.
I had an ISA dev show the really-hard-to-locate reference one day when I was 
building Winsocktool, but I've since lost it.

It sounds like a neat feature for a packet sniffer though, doesn't it?

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

VERY COOL.

Any refs? I checked
http://search.microsoft.com/results.aspx?q=%22memory+mapped+networking%22&l=1&mkt=en-US&FORM=QBME1
but no dice.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 12:57 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> I knew I'd get Tom in on this one (he loves a good brain twister).
> 
> #1 - closer.  Unless instructed otherwise, Windows always 
> sends originating traffic using the default IP 
> (123.123.123.123) as the source address in the IP header.  
> Since the bridge doesn't understand how to respond to what it 
> sees as non-local traffic, it simply drops it.  The part of 
> the routing command that makes it work is specifying the new 
> IP (10.0.0.1) as the gateway for this route.  This causes 
> Windows to "route internally" and results in the bridge 
> seeing the 10.0.0.1 IP as the source IP.
> #2 - almost...  RRAS maintains a separate routing table that 
> affects (but is not affected by) the TCP/IP routing table.  
> Thus, when RRAS is installed, it is usually more correct to 
> enter manual routes in the RRAS routing table.  This depends 
> on how you want Windows & RRAS to behave with regard to 
> "special" traffic
> #3 - dingdingding!
> #4 - close enough...
> 
> To illustrate the scenario...
> For simplicity's sake, we'll use ISA-local traffic for this demo.
> The original packet headers are built as (simplified):
> |------------------------------------|-----------------------------------|
> |           Ethernet Header          |              IP Header            |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination  IP |
> |------------------|-----------------|-----------------|-----------------|
> |    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
> 
> Because Windows has no clear instructions on how to handle 
> this destination IP, internal logic sends it as:
> |------------------------------------|-----------------------------------|
> |           Ethernet Header          |              IP Header            |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination  IP |
> |------------------|-----------------|-----------------|-----------------|
> |      North       | default gateway | 123.123.123.123 |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
> 
> Adding the new IP address only instructs Windows that this is 
> now a local subnet, creating the following headers:
> |------------------------------------|-----------------------------------|
> |           Ethernet Header          |              IP Header            |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination  IP |
> |------------------|-----------------|-----------------|-----------------|
> |      North       |      bridge     | 123.123.123.123 |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
> 
> When we add the new route definition, Windows now understands 
> that some internal routing is required and forwards the 
> packet this way:
> |------------------------------------|-----------------------------------|
> |           Ethernet Header          |              IP Header            |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination  IP |
> |------------------|-----------------|-----------------|-----------------|
> |     (local)      |     (local)     |    127.0.0.1    |    10.0.0.1     |
> |------------------|-----------------|-----------------|-----------------|
> 
> |------------------------------------|-----------------------------------|
> |           Ethernet Header          |              IP Header            |
> |------------------------------------|-----------------------------------|
> |    source MAC    | destination MAC |    source IP    | destination  IP |
> |------------------|-----------------|-----------------|-----------------|
> |      North       |      bridge     |    10.0.0.1     |    10.0.0.2     |
> |------------------|-----------------|-----------------|-----------------|
> 
> Note that you can't see these internal routing changes 
> happening via NetMon or any other packet sniffer because it's 
> occurring in what's known as "memory mapped networking".
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 10:01 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> OK
> 
> 1. Because it will send it to the default gateway if we don't 
> do this, and that won't work.
> 2. Still dunno -- undocumented RRAS horkage?
> 3. route -p add 10.0.0.1 mask 255.255.255.255 10.0.0.1
> 4. Move off
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 11:48 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > Very close!
> > 1. sorry; incorrect
> > 2. acceptable, but not very informative :0>
> > 3. that'll break it again (if the utilities even allow it); 
> > what else must be changed?
> > 4. can be "sweetened"
> > 
> > 
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 9:36 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > 1. Because 10.0.0.0/8 is already taken
> > 2. Dunno
> > 3. Use 255.255.255.255
> > 4. Can say here, there are ladies reading.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Thursday, December 29, 2005 11:13 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > 
> > > I smell an xNIX geek among us.
> > > :-p
> > > 
> > > Correct.  The actual command lines would be:
> > > - netsh int ip add addr north 10.0.0.1 255.255.255.0
> > > 
> > > (without RRAS)
> > > - route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1
> > > 
> > > (with RRAS)
> > > - netsh routing ip add persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > > - netsh routing ip set persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > > 
> > > ..now, for the extra points questions:
> > > Ep1 - why doesn't it work without adding the route commands *as specified*?
> > > Ep2 - why are the routing table commands different with & without RRAS?
> > > Ep3 - how would you modify the commands to restrict the acceptable IP range?
> > > Ep4 - what does my daughter's phone number spell?
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > 
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > > Sent: Thursday, December 29, 2005 7:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > 
> > > #1 - bind static ip 10.0.0.X/24 at CLI
> > >     also add a static route 10.0.0.0/24 gateway 10.0.0.X/24 at CLI
> > > 
> > > > Remember; this is the "out of the GUI" challenge.
> > > > How would you accomplish item 1 from the command line?
> > > > 
> > > > Also, it still won't work (incomplete).
> > > > What other non-ISA, non-GUI steps must be taken?
> > > > 
> > > > #2 answered correctly.
> > > > 
> > > > --------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > --------------------------------------------
> > > > 
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > > > Sent: Wednesday, December 28, 2005 11:07 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > > 
> > > > 
> > > > 1) Bind an additional static IP 10.0.0.X/24 to ISA External Interface
> > > > 2) In case of dynamic IP, static IP can't assign as per 1)
> > > > 
> > > > 
> > > > > Merry Xmas & Happy New Year!
> > > > > 
> > > > > In the spirit of giving, here's a "think outside the GUI" challenge for you.
> > > > >  
> > > > > Scenario:
> > > > > - ISA is connected directly to the Internet via a "manageable" DSL bridge
> > > > > - ISA uses 123.123.123.123/24 static external IP; DG = 123.123.123.1
> > > > > - Internal LAN uses 10.9.8.x/24
> > > > > - DSL bridge has unchangeable 10.0.0.2/24 internal IP
> > > > > - DSL bridge offers web-based management on that internal IP
> > > > > 
> > > > >       Internet
> > > > >          |
> > > > >       DSL Bridge
> > > > >          |- 10.0.0.2/24
> > > > >          |- 123.123.123.123/24
> > > > >         ISA
> > > > >          |- 10.9.8.x/24
> > > > >         LAN
> > > > > 
> > > > > Note:
> > > > > - The DSL bridge internal IP is irrelevant to normal Internet access. Because it's operating in "bridge" (as opposed to NAT) mode, it's effectively transparent to the ISA for Internet traffic.
> > > > > 
> > > > > Challenges:
> > > > > 1. Allow either ISA-local or ISA-internal to access the DSL bridge web interface
> > > > > 2. Explain why the correct solution is impossible to implement if the ISP provides a dynamic IP.
> > > > > 
> > > > > Hint:
> > > > > - The core of the solution has nothing whatsoever to do with ISA itself.
> > > > > 
> > > > > --------------------------------------------
> > > > > Jim Harrison
> > > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > > http://isaserver.org/Jim_Harrison/
> > > > > http://isatools.org
> > > > > Read the help / books / articles!
> > > > > --------------------------------------------
> > > > > 
> > > > > 
> > > > > All mail to and from this domain is GFI-scanned.
> > > > 
> > > > ------------------------------------------------------
> > > > List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: 
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: 
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org 
> > > Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe visit 
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > 
> > > > All mail to and from this domain is GFI-scanned.

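The three stages Jim walks through in the quoted tables (default-gateway source, address only, address plus explicit route), as an added example that is not part of the original thread: a small Python model of the route lookup and source-address selection his explanation describes, so the effect of `route add 10.0.0.0 mask 255.255.255.0 10.0.0.1` can be traced offline. Everything beyond the thread's own addresses is an assumption of the example: the interface names "North" and "South", 10.9.8.1 as the ISA's LAN address, the modelling rule that an on-link route's gateway field supplies the source IP (which is how the "route internally" effect is reproduced), and the reading of Ep3 as a /32 route to the bridge alone. Nothing here touches a real stack; it is the decision logic only.

```python
"""Model of the Windows route lookup and source-address selection that the
quoted tables describe.  Added example, not code from the thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple


class Forward(NamedTuple):
    iface: str             # egress interface
    next_hop: IPv4Address  # address ARP'd for; its MAC becomes the destination MAC
    src: IPv4Address       # source IP written into the IP header


@dataclass
class Route:
    dest: IPv4Network
    gateway: IPv4Address   # a local address here means "on-link, sourced from it"
    iface: str
    metric: int = 1


@dataclass
class Host:
    ifaces: Dict[str, List[IPv4Address]]   # first address is the primary ("default") IP
    routes: List[Route] = field(default_factory=list)

    def add_route(self, dest, gateway, iface, metric=1):
        """'route add' / 'netsh routing ip add persistentroute' equivalent;
        a route already present for the same prefix is replaced ('set')."""
        dest = IPv4Network(str(dest))
        self.routes = [r for r in self.routes if r.dest != dest]
        self.routes.append(Route(dest, IPv4Address(gateway), iface, metric))

    def add_addr(self, iface, cidr):
        """'netsh int ip add addr' equivalent.  Model assumption: the on-link
        route Windows creates for the new subnet carries the interface's
        primary address as gateway, which reproduces the "address only"
        stage above, where the source IP is still 123.123.123.123."""
        primary = self.ifaces[iface][0]
        self.ifaces[iface].append(IPv4Address(cidr.split("/")[0]))
        self.add_route(IPv4Network(cidr, strict=False), primary, iface)

    def resolve(self, dst):
        """Longest-prefix match; lowest metric breaks a tie."""
        dst = IPv4Address(dst)
        matches = [r for r in self.routes if dst in r.dest]
        if not matches:
            raise LookupError(f"no route to {dst}")
        best = max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))
        local = {a for addrs in self.ifaces.values() for a in addrs}
        if best.gateway in local:
            # on-link: ARP for the destination itself, source = the gateway address
            return Forward(best.iface, dst, best.gateway)
        # via a router: ARP for the gateway, source = the interface's primary IP
        return Forward(best.iface, best.gateway, self.ifaces[best.iface][0])


BRIDGE = "10.0.0.2"


def build_isa():
    """ISA from the challenge: North faces the bridge, South faces the LAN
    (10.9.8.1 is this example's choice for the internal address)."""
    h = Host({"North": [IPv4Address("123.123.123.123")],
              "South": [IPv4Address("10.9.8.1")]})
    h.add_route("123.123.123.0/24", "123.123.123.123", "North")
    h.add_route("10.9.8.0/24", "10.9.8.1", "South")
    h.add_route("0.0.0.0/0", "123.123.123.1", "North", metric=20)
    return h


def stages():
    """Walk the thread's stages for a packet to the bridge, plus an Ep3 variant."""
    out = {}
    h = build_isa()
    out["no config"] = h.resolve(BRIDGE)          # via DG, src 123.123.123.123
    h.add_addr("North", "10.0.0.1/24")
    out["address only"] = h.resolve(BRIDGE)       # on-link, src still 123.123.123.123
    h.add_route("10.0.0.0/24", "10.0.0.1", "North")
    out["address + route"] = h.resolve(BRIDGE)    # on-link, src 10.0.0.1
    # Ep3 as this example reads it: fresh host, the address plus a /32 to the
    # bridge only, so other 10.0.0.x destinations keep the default-IP source
    h = build_isa()
    h.add_addr("North", "10.0.0.1/24")
    h.add_route("10.0.0.2/32", "10.0.0.1", "North")
    out["host route, bridge"] = h.resolve(BRIDGE)
    out["host route, other"] = h.resolve("10.0.0.50")
    return out


if __name__ == "__main__":
    for label, fwd in stages().items():
        print(f"{label:20s} via {fwd.iface} -> {fwd.next_hop}  src {fwd.src}")
```

The point the model makes visible is the one the tables make: adding 10.0.0.1 alone only changes which MAC the frame is sent to (the bridge instead of the default gateway), while the source IP stays at the primary address the bridge will not answer; only the route whose next hop is the new local address flips the source to 10.0.0.1. The Ep3 variant shows the cost of the /32: 10.0.0.2 is reached from 10.0.0.1, but any other 10.0.0.x destination falls back to the primary-sourced form.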