ISATAP Demonstration


In this video from ITFreeTraining, we’ll take a dive into configuring ISATAP for Windows. ISATAP is a transition technology which enables internal IPv4 networks to connect to an internal IPv6 network.

Network
0:20 In this video, there is an IPv4 network with a computer running Windows 10 and an IPv6 network with a computer running Windows 8.1. ISATAP will be used to allow both these computers to communicate with each other even though they are on networks running different versions of the internet protocol. The process of configuring each computer is the same, however using different operating systems makes it easier to know which computer is being configured.
0:50 To connect one network to the other network, a router will be installed between both networks. This router will be running Windows Server 2012 R2. The router effectively provides a bridge between the two networks. In order to achieve this, the server will have two network cards, one connected to each network with an IP Address on each network. The administrator could also use Linux or a hardware router if they so chose. ISATAP uses DNS to find resources on the network. In this case, the Windows 10 computer requires access to a DNS server in order to locate the ISATAP router.

Demonstration looking at Windows 10 network configuration
1:38 The Windows 10 computer has the IPv4 and IPv6 protocols enabled. The IPv4 protocol is configured with a static IP Address. The IPv6 protocol is configured to obtain an IPv6 address automatically.
1:43 To view the network configuration of the computer, right click on the start menu and select “Network Connections”.
1:50 Network Connections will show all the network connections that are currently configured on this computer. On this computer there is only one network card. To see the configuration of the network card, right click the network card and select the option “Properties”.
2:04 The network properties box shows all the clients, services and protocols that are currently configured for that network card. To view any options configured for them, select the option and select “Properties”.
2:05 To view the properties of the IPv4 protocol, select “Internet Protocol Version 4 (TCP/IPv4)” and press Properties. In this case a static IP Address and DNS server have been configured. Once you have finished looking at the options you can press Close, to close the window. ISATAP does not require a static IP Address; a dynamic IP Address can also be used. In this example a static IP Address was used to show what configuration was used and also that no additional dynamic configuration is performed. The only other configuration that ISATAP requires is a DNS look up, thus the need for a DNS server to be available on the network.
2:18 Notice that the IPv6 protocol “Internet Protocol Version 6 (TCP/IPv6)” is present, however it is not ticked. This means the IPv6 protocol is not currently enabled. ISATAP will later allocate an IPv6 address to this computer, however it does not require the IPv6 protocol to be enabled in order to do this. Essentially, ISATAP will create an IPv6 packet. The IPv6 packet will be placed into an IPv4 packet and sent to the router. The router will remove the IPv4 packet and route the IPv6 packet like any other packet on the network.
3:25 To better understand how the computer is configured, I will open a command prompt. To do this, right click the start menu and select “Command Prompt”.
3:30 To see the basic network configuration of the computer, run the command “IPConfig”. In the output from the command there will be a section called “Tunnel adapter isatap”. This is present on a Windows computer by default and does not require any additional configuration. If ISATAP is not running, the “Media State” will be shown as “Media disconnected”. If ISATAP is running, the Media State will change to “Connected”.

Demonstration viewing Windows 8.1 network configuration
4:28 To view the network configuration, right click on the start menu and select “Network Connections”.
4:38 To view the network configuration of a network adapter, right click it and select “Properties”. In this example, there is only one network adapter called “Ethernet”.
4:42 In this example “Internet Protocol Version 4 (TCP/IPv4)” is not enabled. “Internet Protocol Version 6 (TCP/IPv6)” is enabled. This computer is running on an IPv6 network and thus does not require the IPv4 protocol to be enabled.
4:50 To see the properties of the IPv6 protocol, select “Internet Protocol Version 6 (TCP/IPV6)” and press the Properties button.
4:56 In this example IPv6 protocol will be configured automatically. In this case, the ISATAP router will provide this configuration. It is also possible to manually configure the IPv6 protocol.
5:14 To view additional configuration, exit out of any open windows, right click the start menu and select “Command Prompt”.
5:20 From the command prompt, run “IPConfig”. In this example, only the one IPv6 address is shown. On an IPv6 network, ISATAP does not require IPv4. On the IPv4 network, the IPv4 protocol is required, however the IPv6 protocol is not. Essentially in this case, the computer runs like any IPv6 client. In order to operate, it only requires an IPv6 address. This IPv6 address can be assigned statically or dynamically. No additional configuration is required on the Windows 8.1 computer in order for it to run ISATAP.

Viewing network configuration on Windows Server 2012 R2 that will run ISATAP
6:00 The Windows Server 2012 R2 computer has had a basic install performed. It has not had any additional roles installed or been added to the domain. The only configuration that has been performed so far is that the network adapters have been configured with an IP Address and a DNS server.
6:15 To view the network configuration, right click the start menu and select “Network Connections”.
6:23 The server has two network adapters configured. One network adapter is connected to the IPv4 network and the second network adapter is connected to the IPv6 network. It is possible to connect both networks to the same network adapter.
6:40 To view the configuration of a network adapter, right click the network adapter and select “Properties”.
6:45 In the case of the network adapter connected to the IPv4 network, the protocol “Internet Protocol Version 6 (TCP/IPv6)” is not enabled and “Internet Protocol Version 4 (TCP/IPv4)” is enabled.
7:00 To open the properties of “Internet Protocol Version 4 (TCP/IPv4)” select it and press the Properties button.
7:05 In this example, the network adapter is configured with an IP Address of 192.168.5.2, subnet mask 255.255.255.0, gateway 192.168.5.1 and DNS server 192.168.2.2. Once complete, exit out of the IPv4 properties and network adapter properties.
7:10 To open the network properties of the IPv6 network card, right click the network card and select “Properties”.
7:14 The network adapter is connected to the IPv6 network with the “Internet Protocol Version 6 (TCP/IPv6)” enabled and “Internet Protocol Version 4 (TCP/IPv4)” disabled.
7:25 To view the properties of “Internet Protocol Version 6 (TCP/IPv6)”, select it and press Properties.
7:27 The IPv6 network has been assigned the IP Address 2001:db8:2::1/64. There is no DNS server configured. Since a DNS server was configured on the IPv4 network, the server can use this DNS server to resolve DNS names.
7:45 Once finished, close all windows to return to a blank desktop.

Configuring routing on Windows Server 2012 R2 for ISATAP
7:48 To enable routing on the server, a registry key needs to be configured. To do this, right click on the start menu, select “Run” and then enter “RegEdit”.
8:00 The registry key that needs to be changed can be found under
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter”.
IPEnableRouter needs to be configured to one. By default for security reasons, Windows Server will not route packets between different network cards. ISATAP essentially uses a routing function to route traffic between networks and thus the Windows Server needs routing enabled.
8:47 Once the registry change has been made, close all open windows, right click on the start menu and select “Shut down or sign out” followed by “Restart”. This will restart the Windows Server. This is required to enable routing. Also, rebooting the server changes a number of settings on the server, for example the index number of network cards. It is much simpler to configure routing if the Windows Server is rebooted after routing has been enabled in the registry and before any routing commands are run.
9:15 To configure routing on the server, a number of commands need to run from the command line. To open a command line, right click on the start menu and select “Command Prompt”.
9:22 To configure routing on the Windows Server, the command NetSH will be used. NetSH is a command line script tool that can be used to configure network related settings.
9:50 From the command prompt, run the command “NetSH Interface IPv6 Show Interfaces”. This will show all the network adapters on the Windows Server. Each network adapter will have an index number. This index number will be used in later commands. It is also possible to use the name of the network adapter, however it is much easier when running commands to use the index number rather than the name.
10:04 The output of the command shows that the IPv6 network adapter to be configured is the physical network adapter that is connected to the IPv6 network. In this example, the network adapter has an index number of 15.
10:33 Routing has been enabled on the router, however the network cards have to be configured first to allow routing between them. This is called forwarding. Once a network card has forwarding enabled, it will route traffic to other network cards on the system.
11:45 To enable forwarding and advertising on the IPv6 network adapter, run “NetSH Interface IPv6 Set Interface 15 Forwarding=Enabled Advertise=Enabled”. Forwarding will allow the network adapter to forward traffic to other network adapters. In this case, the other network adapter will be the ISATAP adapter. The advertise option means that the network interface IPv6 address will be advertised on the network. This allows nodes on the network to be able to configure a valid IPv6 address. This will be shown in more detail later in the video.
12:00 Routing between local adapters will happen automatically. Windows will automatically connect internal network adapters together. In IPv6, a network prefix is advertised on the network. Nodes on the network will use this network prefix to configure an IP Address. In this example, when forwarding was enabled on the router, advertising was also enabled. If advertising was not enabled, then the next command is required to be run. Otherwise another device on the network would need to perform this, for example a DHCP server.
12:20 In this example, the route command will be run to advertise the network prefix. This is not required as the IPv6 network adapter is already advertising the network prefix, however if you do require this to be done, the command to run is “NetSH Interface IPv6 Add Route 2001:db8:2::/64 15 Publish=Yes”. In this case, when the command is run a message will appear saying “The object already exists” because advertising was enabled when the network adapter was configured to allow forwarding.

View network configuration on Windows 8.1 plus other Windows Server configuration
13:25 To see the network configuration, run the command “IPConfig” from a command prompt. In this case, since the Windows Server IPv6 network adapter has been configured to advertise a network prefix, the Windows 8.1 computer has received an advertisement message from the Windows Server containing the IPv6 network prefix. It has then used this network prefix to configure a valid IPv6 address. In this case the IP Address configured is 2001:db8:2:0:bd55:c16f:55a9:eaaf.
13:40 The network prefix is the left part of the IP Address. In this example it is 2001:db8:2:0. This is the same network prefix as used on the IPv6 network adapter on the Windows Server.
13:55 The IP Address in this example has been configured automatically, however the administrator could also configure an IP Address statically if they wished.

Configuring the ISATAP router on the Windows Server
14:22 The Windows Server has already had IPv6 configured and routing enabled. The next step is to configure IPv4.
14:28 From a command prompt, run the command “NetSH Interface IPv6 ISATAP Set Router 192.168.5.2”. The ISATAP adapter is essentially an IPv6 adapter. It will nevertheless use the IPv4 protocol to communicate over the network, however it is still considered to be an IPv6 adapter as it will be sending IPv6 packets encapsulated in IPv4 packets. Thus, the “Interface IPv6” will select an IPv6 adapter and “ISATAP” will select the ISATAP adapter. The “Set” option means that an option is being configured. The option to be configured is “Router”. Following “Router” is the IP Address. In this case the IP Address is “192.168.5.2”. This is the IPv4 address that the server will use to send ISATAP packets on the network. This will be the IP Address of the IPv4 adapter on the computer.
15:08 To view the changes, run the command “IPConfig”. Under the ISATAP adapter, the IPv6 address will be listed. The last part of the IPv6 address will be the IPv4 address. When the IPv6 address is displayed, it will be displayed as an IPv4 address to make it easier to read.
15:30 To see the index numbers of the network adapters, run “NetSH Interface IPv6 Show interfaces”. The index number will be used in later commands. It is easier to use the index number in the command than the name of the adapter. Note that “Interface IPv6” is used. This is because ISATAP is considered to be an IPv6 adapter and because it encapsulates IPv6 protocols in IPv4 packets.
16:24 To enable forwarding and advertising on the ISATAP adapter, run the command “NetSH Interface IPv6 Set Interface 13 Forwarding=Enabled Advertise=Enabled”. In this case the network adapter number was 13; you may need to change this for your network. This command is the same command that was run on the IPv6 adapter previously. The command essentially enables the adapter to forward packets between adapters and will advertise the IPv6 prefix on the network. In the case of the IPv6 network, a DHCP server could be used to advertise the IPv6 prefix. In this case, an IPv6 DHCP server could not be used as there is no native IPv6 protocol used on the network. If there was a native IPv6 protocol on the network, there would be no need to deploy ISATAP.
16:52 The IPv6 adapter connected to the IPv6 network will require a route to be added. In this example the following command was run: “NetSH Interface IPv6 Add Route 2001:db8:1::/64 13 Publish=Yes”. This will add a route to the network adapter.
17:29 No further changes are required to the server, however some of the changes that have been made require a reboot. To reboot the server, right click the start menu, select “Shut down and sign out” followed by “Restart”.

Configuring the DNS server
18:16 A DNS record will need to be created in order for the devices on the network to find the ISATAP router. In this example, NYDC1 was used, which is a domain controller. ISATAP only requires a DNS server; this can be Windows Server in a domain, a stand-alone Windows Server, or a DNS server on an alternative operating system like Linux.
18:30 To open the DNS tool, select “Server Manager” from the quick launch bar.
18:37 From Server Manager, select DNS from the right-hand side of Server Manager. This will show the local DNS server running on that server.
18:50 To make changes to the DNS server, from the middle of Server Manager, right click the DNS server and select “DNS Manager”.
19:00 To create a new record, expand down in DNS Manager until you reach the DNS zone that you want to create the DNS record for. In this example, the DNS record will be created in the zone “ITFreeTraining.local”.
19:10 To create the DNS record, right click on the zone and select “New Host (A or AAAA)”.
19:15 For the DNS record, enter the name “ISATAP”. Below this, enter in the IP Address of the ISATAP server. In this example, the IP Address of the Windows Server running ISATAP will be entered in, which will be “192.168.5.2”.
19:20 To add the DNS record press the button “Add Host”. Windows Server will display a confirmation dialog box to inform the administrator that the DNS host record was added.
19:30 The DNS record has been added, however it will not work until some other settings have been changed. To change these settings, first close any open windows.
19:35 Open a command prompt by right clicking on the start menu and selecting “Command Prompt”.
19:40 Run the command “Ping ISATAP”. Even though the DNS record has been created, the ping request will not be able to resolve the ISATAP name.
19:55 By default, the DNS server will not resolve a request for a DNS record called ISATAP. Microsoft most likely does this in case an administrator or a hacker were to deploy a device on the network and name it “ISATAP”. If that happened, as we will see later on, the devices on the network would attempt to connect to that device and access ISATAP services through it.
20:44 To allow the ISATAP requests to be resolved by the DNS server, a registry entry on the server needs to be changed. To open RegEdit, run “RegEdit” from the command prompt.
20:51 In RegEdit, open the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList”
21:20 By default, there are two entries and these are “wpad” and “ISATAP”. Wpad is used by the Web Proxy Auto-Discovery protocol. Wpad is blocked by default as an attacker could create a DNS record called wpad using dynamic DNS and use it to capture all web traffic on the network.
21:57 Delete “ISATAP” from the list and press OK. After pressing OK, you may get a message saying that an empty string is not allowed and will be removed. This is essentially saying that if an empty line is left by itself, it will be removed.
22:15 Close DNS Manager and go back to the command prompt.
22:22 The DNS server needs to be restarted in order for the changes to take effect. To do this from the command prompt, run the command “Net Stop DNS”. Once the DNS server has stopped, run the command “Net Start DNS” to start the DNS server.
22:51 Once the command “Ping ISATAP” is run again, this time the request will be resolved to an IP Address. If it does not resolve, it is possible that the DNS cache on the DNS server will need to be cleared first.
23:08 To clear the DNS cache, run the command “IPConfig /FlushDNS”.
23:28 Once the DNS cache has been cleared, if the command “Ping ISATAP” is run, it should now resolve to an IP Address.
23:40 All ISATAP configuration is now complete. If you attempt to ping computers on each network this will be possible if the firewalls on the computers are not blocking the request. Computers on the IPv4 network will now have an IPv6 address in the ISATAP adapter which they can use to access computers on the IPv6 network.

Testing ISATAP on Windows 10
23:52 Previously when IPConfig was run, the ISATAP adapter was listed as media disconnected. Windows will check if ISATAP has been configured on the network. If ISATAP is connected, Windows will automatically connect to the ISATAP router.
24:15 To confirm Windows 10 has connected to the ISATAP router, run the command “IPConfig” from a command prompt. Under the ISATAP adapter, an IPv6 address will be listed.
24:30 Windows 10, given enough time, will automatically connect to the ISATAP server. If you want to speed up the process, you can disable and enable the network adapter or restart the computer.

ISATAP Address
24:46 1 to 64 bits: This is any network prefix. This is set to the same network prefix as the network.
65 to 96 bits: This part of the IP Address is fixed. It is always 0:5efe. By looking at this part of the address, you can tell that it is an ISATAP address.
97 to 128 bits: This part of the IPv6 address is the IPv4 address. In this case, the IP Address is that of the Windows 10 computer. If the Windows 10 computer was attempting to contact the ISATAP router, the ISATAP router’s IPv4 address would be used. If the Windows 10 computer was contacting an IPv6 device on the IPv6 network, the IPv6 address of that device would be used. Essentially the device is using an IPv6 address, however when an IPv4 address is embedded Windows will display the IPv4 address to make it easier for the administrator.
25:20 In this example, the first 64 bits of the address are 2001:db8:1:0. When the ISATAP router was configured, this was the route that was added to the IPv4 adapter. The ISATAP router advertises this network prefix on the network. The Windows 10 computer receives this message and uses it to configure an IPv6 address. In this example, the next part of the address is 0:5efe which is the same for any ISATAP router. The last part of the IP Address will be 192.168.2.100, which is the IPv4 address of the Windows 10 computer.
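
The address layout described above, as an added Python example that is not part of the original handout: it builds the ISATAP address from a /64 prefix and an IPv4 address, and recovers the IPv4 host from ISATAP addresses seen in logs. The function names are hypothetical. It goes slightly beyond the text by also recognising the 200:5efe form, which RFC 5214 uses when the embedded IPv4 address is globally unique.

```python
import ipaddress

# Bits 65-96 of an ISATAP address: 0000:5efe, or 0200:5efe when the
# embedded IPv4 address is globally unique (RFC 5214).
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def build_isatap_address(prefix, ipv4):
    """Combine a 64-bit prefix and an IPv4 address into an ISATAP address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit network prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    marker = 0x02005EFE if v4.is_global else 0x00005EFE
    interface_id = (marker << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def embedded_ipv4(address):
    """Return the IPv4 address inside an ISATAP address, or None."""
    value = int(ipaddress.IPv6Address(address))
    if (value >> 32) & 0xFFFFFFFF not in ISATAP_MARKERS:
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def map_log_addresses(addresses):
    """Map each IPv6 address to the IPv4 host behind it (None if native)."""
    result = {}
    for text in addresses:
        v4 = embedded_ipv4(text)
        result[text] = str(v4) if v4 is not None else None
    return result


if __name__ == "__main__":
    # Prefix and IPv4 address taken from the demonstration network.
    print(build_isatap_address("2001:db8:1::/64", "192.168.2.100"))

    # Addresses as they might appear in a log; the last one is constructed.
    seen = [
        "2001:db8:1::5efe:192.168.2.100",    # Windows 10, via ISATAP
        "2001:db8:2:0:bd55:c16f:55a9:eaaf",  # Windows 8.1, native IPv6
        "fe80::5efe:192.168.5.2",            # link-local ISATAP (constructed)
    ]
    for address, host in map_log_addresses(seen).items():
        print(f"{address:40} -> {host or 'native IPv6'}")
```
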

Testing Windows 10 ISATAP
26:10 To test the connection, run the command “Ping 2001:db8:2:0:bd55:c16f:55a9:eaaf”. The Windows 10 computer is on the IPv4 network and Windows 8.1 is on the IPv6 network. In this example, the ping command was used with the IPv6 address of the device on the other network. However, the Windows 8.1 computer is not configured to respond to ping requests and thus the ping will fail. In order to change this, firewall changes need to be made to the Windows 10 computer.

Changing the firewall to allow ping to Windows 10
26:42 To make changes to the firewall, perform a search for firewall and select “Windows Firewall with Advanced Security”.
26:50 To allow pings through, right click on “Inbound Rules” and select “New Rule”.
26:55 To create a rule, from the New Rule wizard select the option “Custom” and press next.
27:00 On the Protocol and Ports screen, select the protocol type as “ICMPv6” and press Next. The Windows 10 computer is connected by a network adapter that is running the IPv4 protocol. The point to remember is that it uses the IPv4 network to tunnel IPv6 packets, thus when the packet arrives at the computer it is an IPv6 packet and is therefore subject to IPv6 firewall rules.
27:30 For the next three screens, the options can be left on the defaults. Press Next three times to get to the last screen of the wizard.
27:38 On the last screen of the wizard enter in a name for the rule and a description and once done, press Finish to complete the wizard.
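
The tunnelling described in this section (an IPv6 packet carried inside an IPv4 packet, so the ICMPv6 rule is the one that applies on arrival) can be seen by decoding such a packet. This is an added Python example, not part of the original handout; the function names are hypothetical and the packets are constructed inline using the addresses from the demonstration, plus one constructed mismatching host, 192.168.2.50. It also checks that the outer IPv4 source matches the IPv4 address embedded in the inner ISATAP source, which is useful when reviewing captures of protocol 41 traffic.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number used for encapsulated IPv6
NEXT_HEADERS = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
ISATAP_MARKERS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def inspect_tunnel(packet, routers=()):
    """Decode one IPv4 packet; return None unless it carries IPv6."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_IPV6 or len(packet) < ihl + 40:
        return None
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return None
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = inner[8:24]
    # A host should tunnel from the IPv4 address embedded in its ISATAP
    # source; only a known ISATAP router relays other IPv6 sources.
    embeds_outer = (inner_src[8:12] in ISATAP_MARKERS
                    and inner_src[12:16] == packet[12:16])
    return {
        "outer_src": str(outer_src),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner_src)),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_protocol": NEXT_HEADERS.get(inner[6], str(inner[6])),
        "source_ok": embeds_outer or str(outer_src) in routers,
    }


def build_sample(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed packet: IPv4 / IPv6 / ICMPv6 echo request (checksums 0)."""
    icmp6 = bytes([128, 0, 0, 0, 0, 1, 0, 1])
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6), 58, 64,
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed) + icmp6
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       IPPROTO_IPV6, 0,
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    win10_v6 = "2001:db8:1::5efe:192.168.2.100"
    win81_v6 = "2001:db8:2:0:bd55:c16f:55a9:eaaf"
    router = "192.168.5.2"
    samples = [
        build_sample("192.168.2.100", router, win10_v6, win81_v6),  # ping out
        build_sample(router, "192.168.2.100", win81_v6, win10_v6),  # reply in
        build_sample("192.168.2.50", router, win10_v6, win81_v6),   # mismatch
    ]
    for pkt in samples:
        print(inspect_tunnel(pkt, routers={router}))
```
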

Ping the Windows 10 computer
28:00 To ping the Windows 10 computer from the Windows 8.1 computer, run the command “Ping 2001:db8:1::5efe:192.168.2.100”. The IP Address will start with the network prefix of the network the computer is connected to. Following this is 5efe which is the same for all ISATAP routers. Lastly, the IPv4 address is added.

Changing the Windows 8.1 computer’s firewall
29:15 To open “Firewall with Advanced Security”, right click on the start menu, select search and search for firewall. Select “Windows Firewall with Advanced Security” when it appears.
29:25 To create a new rule, right click on “Inbound Rules” and select “New Rule”.
29:32 From the rule type screen, select “Custom” and then press Next.
29:40 On the Program screen, leave it on the default of “All programs” and press Next.
29:44 On the protocol screen, under protocol type select “ICMPv6” and press Next.
29:56 For the next three screens of the wizard, accept the defaults and press Next.
30:00 On the “Name” screen, enter the name of the rule. In this example, the name of the rule given was “IPv6 Ping”. You are also free to enter in a description. Once entered, press Next to move onto the next screen.
30:10 On the last screen of the wizard, press Finish to complete the wizard.

Ping the Windows 8.1 Computer
30:31 To check the ISATAP connection is working between the Windows 10 computer and the Windows 8.1 computer, run the command “Ping 2001:db8:2:0:bd55:c16f:55a9:eaaf”. If a response is received back, the ISATAP connection between the computers is working.

Summary
30:50 The Windows 10 computer is configured with the IPv4 protocol only. It does a DNS query for ISATAP to find the ISATAP router. The ISATAP router will provide a network prefix to the Windows 10 computer. The Windows 10 computer will create its own IPv6 address which will have its IPv4 address embedded in it. The Windows 10 computer uses an IPv4 tunnel to transfer IPv6 packets to the ISATAP router. The ISATAP router will receive IPv6 packets from the Windows 10 computer and will use the IPv4 tunnel to transfer these packets to the Windows 8.1 computer.
31:31 The Windows 8.1 computer is on an IPv6 only network. Essentially it functions just like an IPv6 native computer would function on an IPv6 only network. If the Windows 8.1 wants to send traffic to the Windows 10 computer, it would use the IPv6 address that was configured by ISATAP on the Windows 10 computer.
31:27 In order for the system to work, a DNS server is placed on the network. This DNS server allows devices on the network to locate the ISATAP router on the network. The server that is used for ISATAP needs to be configured, in which there are a number of steps required. These are:
i) Registry key needs to be set to enable routing on the server.
ii) The server needs to be restarted as changing the registry key changes a number of things on the server including the interface ID for each network card.
iii) On the IPv4 and IPv6 adapters, forwarding needs to be enabled, advertising enabled and a route added.
iv) An ISATAP address needs to be configured.
v) The server requires a restart.

References
“Installing and Configuring Windows Server 2012 R2 Exam Ref 70-410” pg 204

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Companion Document: Phillip Guld https://philguld.com
Video Production: Kevin Luttman http://www.KevinLuttman.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk