Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 22:28:04 ARST


Hi Huan,

Correct...the request to the server is made on UDP 69 and the client-side port is a
random high one; however, it seems as though CBAC should work fine for it.
After all, it has its own "inspect" entry, e.g. "ip inspect name TEST
tftp". That's supposed to be one of the benefits of using CBAC (able to
follow sessions per ports, protocols, and some applications). I did try
debug ip packet detail, and only saw that my ACL was denying it for some
reason.

Anyone else have any ideas?

Thanks,
Jason

On Sat, Nov 8, 2008 at 5:17 PM, Huan Pham <pnhuan@yahoo.com> wrote:

> HI Jason,
>
> I have not tried CBAC with TFTP.
>
> However, pls be aware that TFTP is not only using UDP 69. UDP destination
> port 69 is only used in the first packets for clients to communicate with
> the TFTP server. The server uses random ports in the range > 1024 to
> communicate back to clients (also on a random port). So basically, if you use
> a normal ACL to allow TFTP traffic, you need to specify UDP port 69 and all
> UDP ports above 1024.
>
> You can try "debug ip packet detail" and verify what ports are used by
> TFTP!
>
> I am not sure if CBAC is intelligent enough to be able to detect those
> random ports as belonging to the TFTP application. I doubt that. Maybe that's the
> reason for the problem that you encountered.
>
> Cheers,
>
>
>
>
> --- On *Sun, 11/9/08, Jason Madsen <madsen.jason@gmail.com>* wrote:
>
> From: Jason Madsen <madsen.jason@gmail.com>
> Subject: TFTP Not Working W CBAC for some reason
> To: "Cisco certification" <ccielab@groupstudy.com>
> Date: Sunday, November 9, 2008, 9:29 AM
>
> Hello All,
>
> ...quick question. There are quite a lot of CBAC options available to use,
> but overall it's a pretty straightforward technology...at least that's what
> I've always thought and experienced until now. For whatever reason(s) CBAC
> doesn't seem to be allowing me to tftp. Here's the basic config I was
> using:
>
> *R1:*
>
> tftp-server flash:test.txt
>
> int f0/0
> desc link to R0
> ip add 1.1.1.2 255.255.255.252
>
> *R0:*
>
> int f0/0
> desc link to R1
> ip add 1.1.1.1 255.255.255.252
> ip access-group 100 in
> ip inspect TEST out
>
> access-list 100 deny ip any any
>
> ip inspect name TEST tcp router-traffic
> ip inspect name TEST telnet
> ip inspect name TEST tftp
> ip inspect name TEST udp router-traffic
> ip inspect name TEST icmp router-traffic
>
>
>
> I am successfully able to telnet and ping to R1, but I can't get a file via
> tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
> but I can't seem to get CBAC to make an opening for it. I do know that tftp
> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
> dynamips is too slow for CBAC to work with its default timers and such?
> Doesn't seem like it has anything to do with it to me...without ACL 100
> applied, the file seems to transfer across very quickly.
>
>
> debug ip inspect detail output when trying to tftp:
>
> R0(config)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>
> Here's an attempt with ACL 100 removed to validate tftp functionality:
>
> R0(config-if)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
> Erase of flash: complete
> Loading test.txt from 1.1.1.2
> (via FastEthernet0/0): !
> [OK - 1670 bytes]
>
> Verifying checksum... OK (0x535)
> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
> R0(config-if)#
>
>
> Any ideas?
>
> Thanks,
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
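Huan's point that the TFTP server answers from an ephemeral port, and Jason's point that a TFTP-aware inspect entry is supposed to cope with that, as an added Python model (written for this thread, not Cisco code and not the behaviour of any IOS release): a stateless port-69 ACL drops the server's DATA reply, while an inspector that pre-generates a session on the client's RRQ admits the reply, binds the server's port, and still rejects an unsolicited datagram. The client tuple 1.1.1.1:55559 -> 1.1.1.2:69 is taken from the debug line above; the server port 49152 and the payloads are constructed.

```python
from dataclasses import dataclass

TFTP_PORT = 69
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # TFTP opcodes (RFC 1350)

@dataclass(frozen=True)
class Pkt:                       # constructed UDP datagram, not a capture
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def opcode(payload: bytes):
    return int.from_bytes(payload[:2], "big") if len(payload) >= 2 else None

def stateless_acl(pkt: Pkt, allowed_dports: set) -> bool:
    """Plain ACL: matches only the destination port and keeps no memory."""
    return pkt.dport in allowed_dports

class TftpInspector:
    """Stateful tracking in the spirit of 'ip inspect name X tftp': a RRQ/WRQ to
    port 69 pre-generates a session for the client tuple; the server's first
    DATA/ACK/ERROR from its ephemeral port binds that port to the session."""
    def __init__(self):
        self.pending = set()    # (client_ip, client_port, server_ip)
        self.sessions = set()   # (client_ip, client_port, server_ip, server_port)

    def outbound(self, pkt: Pkt) -> bool:
        if pkt.dport == TFTP_PORT and opcode(pkt.payload) in (RRQ, WRQ):
            self.pending.add((pkt.src, pkt.sport, pkt.dst))
            return True
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

    def inbound(self, pkt: Pkt) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src)
        if key in self.pending and opcode(pkt.payload) in (DATA, ACK, ERROR):
            self.pending.discard(key)          # reply seen: bind server port
            self.sessions.add(key + (pkt.sport,))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo() -> dict:
    insp = TftpInspector()
    req = Pkt("1.1.1.1", 55559, "1.1.1.2", 69, b"\x00\x01test.txt\x00octet\x00")
    reply = Pkt("1.1.1.2", 49152, "1.1.1.1", 55559, b"\x00\x03\x00\x01hello")
    stray = Pkt("1.1.1.2", 49153, "1.1.1.1", 60000, b"\x00\x03\x00\x01x")
    ack = Pkt("1.1.1.1", 55559, "1.1.1.2", 49152, b"\x00\x04\x00\x01")
    return {"acl_req": stateless_acl(req, {69}), "acl_reply": stateless_acl(reply, {69}),
            "cbac_req": insp.outbound(req), "cbac_reply": insp.inbound(reply),
            "cbac_stray": insp.inbound(stray), "cbac_ack": insp.outbound(ack)}
```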




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST