Re: TFTP Not Working W CBAC for some reason

From: Bob Sinclair (bob@bobsinclair.net)
Date: Sat Nov 08 2008 - 22:58:48 ARST


Jason,

It looks to me like you are generating traffic from the device that is
doing the inspecting. I do not believe that CBAC can inspect
connections that terminate on the router; they must go through the
router. Try tftp from a device "inside" R0.

HTH,

-Bob Sinclair CCIE 10427 CCSI 30427
www.netmasterclass.net

Jason Madsen wrote:
> Hello All,
>
> ...quick question. There are quite a lot of CBAC options available to use,
> but overall it's a pretty straightforward technology...at least that's what
> I've always thought and experienced until now. For whatever reason(s) CBAC
> doesn't seem to be allowing me to tftp. Here's the basic config' I was
> using:
>
> *R1:*
>
> tftp-server flash:test.txt
>
> int f0/0
> desc link to R0
> ip add 1.1.1.2 255.255.255.252
>
> *R0:*
>
> int f0/0
> desc link to R1
> ip add 1.1.1.1 255.255.255.252
> ip access-group 100 in
> ip inspect TEST out
>
> access-list 100 deny ip any any
>
> ip inspect name TEST tcp router-traffic
> ip inspect name TEST telnet
> ip inspect name TEST tftp
> ip inspect name TEST udp router-traffic
> ip inspect name TEST icmp router-traffic
>
>
>
> I am successfully able to telnet and ping to R1, but I can't get a file via
> tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
> but I can't seem to get CBAC to make an opening for it. I do know that tftp
> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
> dynamips is too slow for CBAC to work with its default timers and such?
> Doesn't seem like it has anything to do with it to me...without ACL 100
> applied, the file seems to transfer across very quickly.
>
>
> debug ip inspect detail output when trying to tftp:
>
> R0(config)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>
> Here's an attempt with ACL 100 removed to validate tftp functionality:
>
> R0(config-if)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
> Erase of flash: complete
> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
> [OK - 1670 bytes]
>
> Verifying checksum... OK (0x535)
> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
> R0(config-if)#
>
>
> Any ideas?
>
> Thanks,
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

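To show why TFTP needs protocol-aware inspection rather than a plain UDP session entry, here is an added Python model (written for this thread, not code from either poster and not Cisco's CBAC implementation). It reuses the addresses and ports from the debug output; the server-side port 51234 is a constructed value, and the model assumes a TFTP-aware engine opens a hole for any server port once it sees a request to port 69.

```python
# Added example: a minimal model of stateful UDP inspection (not Cisco code).
# Addresses/ports come from the debug output in the thread; the behaviour
# modelled is standard TFTP (RFC 1350), where the server answers a request
# to port 69 from a freshly chosen ephemeral port (its transfer ID).
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Inspector:
    """Stateful UDP pinholes keyed on the outbound address/port tuple."""

    def __init__(self, tftp_aware: bool):
        self.tftp_aware = tftp_aware
        self.sessions = set()    # (client, cport, server, sport): exact entries
        self.tftp_holes = set()  # (client, cport, server): any server port

    def outbound(self, p: Pkt) -> None:
        # Every outbound UDP packet opens an exact reverse entry...
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
        # ...and a TFTP-aware engine, seeing a request to port 69, also
        # lets the server reply from whatever port it picks for the transfer.
        if self.tftp_aware and p.dport == 69:
            self.tftp_holes.add((p.src, p.sport, p.dst))

    def inbound_allowed(self, p: Pkt) -> bool:
        # The inbound ACL is "deny ip any any", so only inspection state
        # can admit a return packet.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return (p.dst, p.dport, p.src) in self.tftp_holes


def tftp_transfer(tftp_aware: bool) -> bool:
    """Return True if the first TFTP data block gets back to the client."""
    insp = Inspector(tftp_aware)
    # Read request from 1.1.1.1:55559 to the TFTP port on 1.1.1.2.
    insp.outbound(Pkt("1.1.1.1", 55559, "1.1.1.2", 69))
    # Per RFC 1350 the server replies from a new port, not from 69.
    data_block = Pkt("1.1.1.2", 51234, "1.1.1.1", 55559)  # constructed port
    return insp.inbound_allowed(data_block)
```

With only the plain UDP entry the data block from the server's new port is dropped; with the TFTP-aware hole it is admitted.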



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST