Learning ISATAP – Part 3 – ISATAP Configuration

Now that we have a test lab from parts 1 and 2, we can get to the business of actual ISATAP configuration.


  1. Configure ISATAP Server
  2. Configure Routes
  3. Configure DNS

Configure ISATAP Server

Here’s what we’ll need to do:

  1. Configure the name and interfaces
  2. Enable the ISATAP interface.
  3. Configure the Routes.

Configure ISATAP1

This is no biggie. Run this code on isatap1.

Rename-NetAdapter -Name "Ethernet" -NewName "net1"
New-NetIPAddress -IPAddress -PrefixLength 24 -InterfaceAlias net1
New-NetIPAddress -IPAddress fd1a:6cf8:7eeb:401::25 -PrefixLength 64 -InterfaceAlias net1
New-Netroute -InterfaceAlias "net1" -DestinationPrefix -NextHop
netsh interface ipv4 add dnsservers net1 index=1
Add-Computer contoso.com -newname isatap1 -restart

Enable the ISATAP Interface

A lot of people configure a DNS record to enable ISATAP, which is fine. However, you want the ISATAP router to continue to have ISATAP enabled even if DNS is down. To do this, we’ll add a host entry on isatap1 itself.

echo isatap.contoso.com >> C:\windows\system32\drivers\etc\hosts
echo isatap >> C:\windows\system32\drivers\etc\hosts

Now, if you disable and enable the network adapter, and then run ipconfig, you’ll see that the ISATAP adapter has switched from ‘Media Disconnected’ to online.

You need to reboot the ISATAP router at this point to make sure that the ISATAP interface is online and working properly, and that the routing tables have been updated.

Configure the Routes

First, we need to choose a prefix for our ISATAP addresses. For our lab, I chose fd1a:6cf8:7eeb:500::/64.

Next comes the tricksy part. Code:

#first, find the interface name of your LAN adapter and your ISATAP adapter

#after the following commands, clients will have an ISATAP address enabled, but they'll have no default gateway.
#in this configuration, ISATAP is technically enabled and hosts and communicate, but they cannot reach other native ipv6 links.
netsh interface ipv6 set interface [#-of-isatap-adapter] advertise=enabled
netsh interface ipv6 add route fd1a:6cf8:7eeb:500::/64 [#-of-isatap-adapter] publish=yes

#after the following commands, clients will have a default gateway for their isatap interface and be able to use it.
netsh interface ipv6 set interface [#-0f-LAN-adapter] forwarding=enabled
netsh interface ipv6 set interface [#-0f-isatap-adapter] forwarding=enabled
netsh interface ipv6 add route ::/0 [#-of-LAN-adapter] nexthop=fd1a:6cf8:7eeb:400:: publish=yes

There’s only one problem left. Since rras1 doesn’t have a route to fd1a:6cf8:7eeb:500::/64, clients on net1 and net2 won’t be able to ready clients on net3. To fix this, login to rras1 and run the following code:

#get the network interface numbers

netsh interface ipv6 add route fd1a:6cf8:7eeb:500::/64 [#-of-net1] nexthop=fd1a:6cf8:7eeb:401::25

Now, you’re golden. The ISATAP router should be up and running.

Configure DNS

To enable ISATAP site-wide, we need to do some work on adds1:

set-dnsserverglobalqueryblocklist -list wpad
add-dnsserverresourcerecordcname -zonename contoso.com -name isatap -hostnamealias isatap1.contoso.com

Alright. To test things out, reboot your clients to ensure that the ISATAP interface comes online. Next, try to ping the ISATAP interface of client3 from client1 and client2, and vice versa. Everything should work at this point.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s