Re: weird question about tftp and access-list

From: folivore (folivore@hotmail.com)
Date: Mon Oct 14 2002 - 11:38:58 GMT-3


I guess that's why Cisco has "match tftp/ftp" commands under their Modular
QoS CLI.
For FTP in active mode and TFTP, you may find this command useful.

----- Original Message -----
From: "Brian Dennis" <brian@5g.net>
To: "'James'" <kang_z@hotmail.com>; <ccielab@groupstudy.com>
Sent: Sunday, October 13, 2002 3:54 PM
Subject: RE: weird question about tftp and access-list

> When a TFTP client sends the first packet (read or write request) to the
> TFTP server the destination UDP port is 69. The TFTP server will then
> select a UDP high port to reply back on. The TFTP server does not reply
> back using the UDP source port of 69. You have to open up UDP ports
> greater than 1024 for the TFTP server to reply back on.
>
> As a side note you would see this if you added in a "deny ip any any
> log" to your access-list.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> James
> Sent: Sunday, October 13, 2002 11:10 AM
> To: ccielab@groupstudy.com
> Subject: weird question about tftp and access-list
>
> Hi, all,
> I am trying to permit TFTP packets out of Ether 0.
> tftp srv---------(e0)r4(s0)--------(s0)r3(e0)-----client
> I can copy files to the TFTP server from the client without any access-list,
> but after applying the access-list as follows, I get some error message:
> !..... %Error writing tftp://192.168.0.188/r22 (Write error)......
> That means the first packet is permitted, but the subsequent ones are
> blocked. I am wondering what the real reason is.
> Thanks in advance.
> The access-list is as follows:
> permit ospf any any (234 matches)
> permit tcp 172.16.21.0 0.0.0.255 any eq telnet
> permit icmp any any echo log (20 matches)
> permit icmp any any echo-reply log (5 matches)
> permit udp any any eq tftp log (3 matches)
> The log message is:
> 04:31:12: %SEC-6-IPACCESSLOGP: list allow_ftp_ping permitted udp
> 172.16.37.2(54949) -> 192.168.0.188(69), 1 packet
> james
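
The port behaviour the thread is arguing about, walked through as an added example (this is not code from any of the posters or from Cisco IOS). It generates the datagrams of a TFTP write request in RFC 1350 order and runs them through a deliberately simplified model of a Cisco extended ACL (top-down, first match wins, implicit deny at the end). The client address and source port 54949 come from the log line in the thread; the server-side transfer ID 61004 is a constructed assumption, because the server picks it at run time. The point it shows: only the very first datagram is addressed to UDP/69, so "permit udp any any eq tftp" lets the WRQ through and drops every DATA block that follows, which is exactly the "Write error" James saw.

```python
"""Walk a TFTP write (WRQ) through a stateless ACL, in both directions.

Added illustration for this thread, not code from the original posters or
from Cisco IOS. The ACL model is a simplified Cisco-style extended ACL
(top-down, first match wins, implicit "deny ip any any"). The client
address and port are taken from the thread's log line; the server-side
transfer ID (61004) is a constructed assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TFTP_PORT = 69
CLIENT = "172.16.37.2"
SERVER = "192.168.0.188"
CLIENT_TID = 54949   # source port seen in the thread's %SEC-6-IPACCESSLOGP line
SERVER_TID = 61004   # assumed: the ephemeral port the server answers from (RFC 1350 TID)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    note: str


@dataclass(frozen=True)
class Ace:
    """One access-list entry; only the fields this example needs."""
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", or "ip" (matches everything)
    dst: str                         # "any" or a host address
    dport_op: Optional[str] = None   # None, "eq" or "gt"
    dport_val: int = 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport_op == "eq" and pkt.dport != ace.dport_val:
        return False
    if ace.dport_op == "gt" and pkt.dport <= ace.dport_val:
        return False
    return True


def acl_verdict(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def tftp_write_session(blocks: int) -> List[Packet]:
    """The datagrams of a WRQ transfer in RFC 1350 order.

    Only the first datagram goes to UDP/69; everything after it, in either
    direction, is addressed to the transfer IDs the two endpoints chose.
    """
    pkts = [Packet("udp", CLIENT, CLIENT_TID, SERVER, TFTP_PORT, "WRQ r22")]
    pkts.append(Packet("udp", SERVER, SERVER_TID, CLIENT, CLIENT_TID, "ACK 0"))
    for n in range(1, blocks + 1):
        pkts.append(Packet("udp", CLIENT, CLIENT_TID, SERVER, SERVER_TID, f"DATA {n}"))
        pkts.append(Packet("udp", SERVER, SERVER_TID, CLIENT, CLIENT_TID, f"ACK {n}"))
    return pkts


def towards(pkts: List[Packet], dst: str) -> List[Packet]:
    """Packets that cross an interface in the direction of `dst`
    (out e0 on r4 in the thread's topology when dst is the server)."""
    return [p for p in pkts if p.dst == dst]


def evaluate(acl: List[Ace], pkts: List[Packet]) -> List[Tuple[str, str]]:
    return [(p.note, acl_verdict(acl, p)) for p in pkts]


def log_line(list_name: str, acl: List[Ace], pkt: Packet) -> str:
    """Shape of the %SEC-6-IPACCESSLOGP message a logging ACE emits."""
    verb = "permitted" if acl_verdict(acl, pkt) == "permit" else "denied"
    return (f"%SEC-6-IPACCESSLOGP: list {list_name} {verb} {pkt.proto} "
            f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")


# The thread's list, reduced to the one entry that can match UDP.
ORIGINAL_ACL = [Ace("permit", "udp", "any", "eq", TFTP_PORT)]

# Same list plus the thread's advice: also allow UDP to the server's high
# ports, which is where the DATA blocks go once the server has chosen a TID.
FIXED_ACL = ORIGINAL_ACL + [Ace("permit", "udp", SERVER, "gt", 1023)]

if __name__ == "__main__":
    session = tftp_write_session(blocks=2)
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "ACL, out e0 towards server:", evaluate(acl, towards(session, SERVER)))
    print(log_line("allow_ftp_ping", ORIGINAL_ACL, session[0]))
```

Running it prints the WRQ as permitted and both DATA blocks as denied under the original list, and everything permitted once the "gt 1023" entry is added; the first log line reproduces the one James posted. Opening all high UDP ports to the server is the quick fix the thread gives; on IOS a reflexive ACL (`permit udp ... reflect` / `evaluate`) or CBAC (`ip inspect`) would instead open only the ports of a session that was actually started, which is the tighter option where the platform supports it.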



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:46 GMT-3