Re: Think outside the GUI challenge #1

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Dec 2005 11:51:17 -0800

I also noted a typo in Tom's answer to #3.
- route -p add 10.0.0.1 mask 255.255.255.255 10.0.0.1
..should have been:
- route -p add 10.0.0.2 mask 255.255.255.255 10.0.0.1

..otherwise, the ISA would never communicate with the bridge.

Who's offering the next brain twister; Tom? Tim?
Stefaan is already posting some good ones about IPSec...
--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 11:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

Wow...
You're easily amused, aren't you?
:-p

I'm glad it helped.
Actually, this challenge was born of a customer's conundrum for their DSL 
bridge/modem management.  It was "unintuitive" enough that I thought it might 
make a good posting.

I guess I guessed right...

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

This has nothing to do with anything, but I am madly in love with your ASCII
graphics skills. And thanks for the explanation, it seems similar to the
"bridge and ARP tables" problem I ran into when implementing a wireless
catch-all portal :)

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: December 29, 2005 14:06
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

Just realized a C&P error in the final illustration.
This is the corrected version:

When we add the new route definition, Windows now understands that some
internal routing is required and forwards the packet this way:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     |    10.0.0.1     |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|


--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

I knew I'd get Tom in on this one (he loves a good brain twister).

#1 - closer.  Unless instructed otherwise, Windows always sends originating
traffic using the default IP (123.123.123.123) as the source address in the
IP header.  Since the bridge doesn't understand how to respond to what it
sees as non-local traffic, it simply drops it.  The part of the routing
command that makes it work is specifying the new IP (10.0.0.1) as the
gateway for this route.  This causes Windows to "route internally" and
results in the bridge seeing the 10.0.0.1 IP as the source IP.
#2 - almost...  RRAS maintains a separate routing table that affects (but is
not affected by) the TCP/IP routing table.  Thus, when RRAS is installed, it
is usually more correct to enter manual routes in the RRAS routing table.
This depends on how you want Windows & RRAS to behave with regard to
"special" traffic.
#3 - dingdingding!
#4 - close enough...

To illustrate the scenario...
For simplicity's sake, we'll use ISA-local traffic for this demo.
The original packet headers are built as (simplified):
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|    (internal)    |   (internal)    |    127.0.0.1    |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Because Windows has no clear instructions on how to handle this destination
IP, internal logic sends it as:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       | default gateway | 123.123.123.123 |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Adding the new IP address only instructs Windows that this is now a local
subnet, creating the following headers:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     | 123.123.123.123 |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

When we add the new route definition, Windows now understands that some
internal routing is required and forwards the packet this way:
|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|     (local)      |     (local)     |    127.0.0.1    |    10.0.0.1     |
|------------------|-----------------|-----------------|-----------------|

|------------------------------------|-----------------------------------|
|           Ethernet Header          |              IP Header            |
|------------------------------------|-----------------------------------|
|    source MAC    | destination MAC |    source IP    | destination  IP |
|------------------|-----------------|-----------------|-----------------|
|      North       |      bridge     |    10.0.0.1     |    10.0.0.2     |
|------------------|-----------------|-----------------|-----------------|

Note that you can't see these internal routing changes happening via NetMon
or any other packet sniffer because it's occurring in what's known as "memory
mapped networking".

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
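
As an added example that is not part of the thread, the following Python model walks the four configurations discussed above (unchanged ISA, the secondary 10.0.0.1 only, the secondary IP plus the corrected host route to 10.0.0.2, and the typo'd route to 10.0.0.1) and shows which one lets the bridge see a 10.0.0.x source. Its source-selection rule (keep the default IP unless the matched route's gateway is one of the host's own addresses) is an assumption that mirrors Jim's explanation, not the real Windows stack.

```python
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "123.123.123.123"   # ISA external ("North") primary IP, from the thread
DEFAULT_GW = "123.123.123.1"
NEW_IP = "10.0.0.1"               # secondary IP added with netsh
BRIDGE_IP = "10.0.0.2"            # DSL bridge management IP

class Host:
    """Minimal model of the ISA box's external interface and routing table."""

    def __init__(self):
        # Interface IPs in binding order; the first one is the "default" IP.
        self.addresses = [ip_address(EXTERNAL_IP)]
        # Route entries: (network, gateway); gateway None means on-link.
        self.routes = [(ip_network("123.123.123.0/24"), None),
                       (ip_network("0.0.0.0/0"), ip_address(DEFAULT_GW))]

    def add_address(self, ip, prefixlen):
        """Like 'netsh int ip add addr north <ip> <mask>'; adds an on-link route."""
        self.addresses.append(ip_address(ip))
        self.routes.append((ip_network(f"{ip}/{prefixlen}", strict=False), None))

    def add_route(self, dest, mask, gateway):
        """Like 'route -p add <dest> mask <mask> <gateway>'."""
        self.routes.append((ip_network(f"{dest}/{mask}"), ip_address(gateway)))

    def send(self, dst):
        """Return (source_ip, next_hop) chosen for a packet to dst."""
        dst = ip_address(dst)
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        net, gw = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
        if gw in self.addresses:
            # Assumed rule mirroring Jim's explanation: a gateway that is one of
            # our own IPs means "internal routing"; that IP becomes the source.
            return str(gw), str(dst)
        # Otherwise the default IP stays the source (the thread's point #1).
        return str(self.addresses[0]), str(gw if gw is not None else dst)


def bridge_accepts(source_ip):
    """The bridge only answers traffic it sees as local to 10.0.0.0/24."""
    return ip_address(source_ip) in ip_network("10.0.0.0/24")


def scenario(add_ip=False, route=None):
    host = Host()
    if add_ip:
        host.add_address(NEW_IP, 24)
    if route is not None:
        host.add_route(*route)
    source, next_hop = host.send(BRIDGE_IP)
    return source, next_hop, bridge_accepts(source)


def demo():
    """The four configurations discussed in the thread -> (src, next hop, answered)."""
    return {
        "no change": scenario(),
        "add 10.0.0.1 only": scenario(add_ip=True),
        "add IP + route 10.0.0.2/32 via 10.0.0.1":
            scenario(add_ip=True, route=(BRIDGE_IP, "255.255.255.255", NEW_IP)),
        "add IP + typo route 10.0.0.1/32 via 10.0.0.1":
            scenario(add_ip=True, route=(NEW_IP, "255.255.255.255", NEW_IP)),
    }
```

Only the third configuration yields a 10.0.0.1 source; the typo'd host route never matches 10.0.0.2, so the default IP stays as source and the bridge drops the packet exactly as the correction above says.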

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, December 29, 2005 10:01 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Think outside the GUI challenge #1

http://www.ISAserver.org

OK

1. Because it will send it to the default gateway if we don't do this, and
that won't work.
2. Still dunno -- undocumented RRAS horkage?
3. route -p add 10.0.0.1 mask 255.255.255.255 10.0.0.1
4. Move off

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 11:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> http://www.ISAserver.org
> 
> Very close!
> 1. sorry; incorrect
> 2. acceptable, but not very informative :0>
> 3. that'll break it again (if the utilities even allow it); 
> what else must be changed?
> 4. can be "sweetened"
> 
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, December 29, 2005 9:36 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Think outside the GUI challenge #1
> 
> http://www.ISAserver.org
> 
> 1. Because 10.0.0.0/8 is already taken
> 2. Dunno
> 3. Use 255.255.255.255
> 4. Can say here, there are ladies reading.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 11:13 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > http://www.ISAserver.org
> > 
> > I smell an xNIX geek among us.
> > :-p
> > 
> > Correct.  The actual command lines would be:
> > - netsh int ip add addr north 10.0.0.1 255.255.255.0
> > 
> > (without RRAS)
> > - route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1
> > 
> > (with RRAS)
> > - netsh routing ip add persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > - netsh routing ip set persistentroute dest=10.0.0.0 mask=255.255.255.0 name="North" nhop=10.0.0.1 proto=NONDOD preference=0 metric=1 view=both
> > 
> > ..now, for the extra points questions:
> > Ep1 - why doesn't it work without adding the route commands 
> > *as specified*?
> > Ep2 - why are the routing table commands different with & without RRAS?
> > Ep3 - how would you modify the commands to restrict the 
> > acceptable IP range?
> > Ep4 - what does my daughter's phone number spell?
> > 
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: Thursday, December 29, 2005 7:34 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: Think outside the GUI challenge #1
> > 
> > http://www.ISAserver.org
> > 
> > #1: bind static ip 10.0.0.X/24 at CLI
> >     also add a static route 10.0.0.0/24 gateway 10.0.0.X/24 at CLI
> > 
> > > Remember; this is the "out of the GUI" challenge.
> > > How would you accomplish item 1 from the command line?
> > > 
> > > Also, it still won't work (incomplete).
> > > What other non-ISA, non-GUI steps must be taken?
> > > 
> > > #2 answered correctly.
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > 
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > > Sent: Wednesday, December 28, 2005 11:07 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: Think outside the GUI challenge #1
> > > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > 1) Bind an additional static IP 10.0.0.X/24 to ISA External Interface
> > > 2) In case of dynamic IP, static IP can't assign as per 1)
> > > 
> > > 
> > > > Merry Xmas & Happy New Year!
> > > > 
> > > > In the spirit of giving, here's a "think outside the GUI" challenge for you.
> > > >  
> > > > Scenario:
> > > > - ISA is connected directly to the Internet via a "manageable" DSL bridge
> > > > - ISA uses 123.123.123.123/24 static external IP; DG = 123.123.123.1
> > > > - Internal LAN uses 10.9.8.x/24
> > > > - DSL bridge has unchangeable 10.0.0.2/24 internal IP
> > > > - DSL bridge offers web-based management on that internal IP
> > > > 
> > > >         Internet
> > > >            |
> > > >       DSL Bridge
> > > >          |- 10.0.0.2/24
> > > >            |- 123.123.123.123/24
> > > >         ISA
> > > >          |- 10.9.8.x/24
> > > >           LAN
> > > > 
> > > > Note:
> > > > - The DSL bridge internal IP is irrelevant to normal Internet access.
> > > > Because it's operating in "bridge" (as opposed to NAT) mode, it's
> > > > effectively transparent to the ISA for Internet traffic.
> > > > 
> > > > Challenges:
> > > > 1. Allow either ISA-local or ISA-internal to access the DSL bridge web
> > > > interface
> > > > 2. Explain why the correct solution is impossible to implement if the
> > > > ISP provides a dynamic IP.
> > > > 
> > > > Hint:
> > > > - The core of the solution has nothing whatsoever to do with ISA
> > > > itself.
> > > > 
> > > > --------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > --------------------------------------------
> > > > 
> > > > 
> > > > All mail to and from this domain is GFI-scanned.
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx