Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 23:14:04 ARST


BTW, I can transfer files using HTTP too (see below). The only thing that
won't work for me is TFTP.

Someone in this group must have tried (successfully or unsuccessfully) to
transfer a file via TFTP across a CBAC link at one time or another...there
are just too many of us :-)

any ideas?

R2#copy http: flash
Address or name of remote host [1.1.1.10]?
Source filename [test.txt]?
Destination filename [test.txt]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
Erase of flash: complete
Loading http://1.1.1.10/test.txt !
Verifying checksum... OK (0x3CA)
868 bytes copied in 1.512 secs (574 bytes/sec)

Jason

On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
> extending the topology a bit more and sourced the request from another
> connected device, but had the same exact results. Telnet and ICMP worked
> just fine, but TFTP wouldn't work at all.
>
> Along with my debugs I enabled alerts and auditing and really didn't get
> any more info' that way either.
>
> Thanks,
> Jason
>
>
> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>
>> Jason,
>>
>> It looks to me like you are generating traffic from the device that is
>> doing the inspecting. I do not believe that CBAC can inspect connections
>> that terminate on the router; they must go through the router. Try tftp
>> from a device "inside" R0.
>>
>> HTH,
>>
>> -Bob Sinclair CCIE 10427 CCSI 30427
>> www.netmasterclass.net
>>
>>
>> Jason Madsen wrote:
>>
>>> Hello All,
>>>
>>> ...quick question. There are quite a lot of CBAC options available to use,
>>> but overall it's a pretty straightforward technology...at least that's what
>>> I've always thought and experienced until now. For whatever reason(s) CBAC
>>> doesn't seem to be allowing me to tftp. Here's the basic config' I was using:
>>>
>>> *R1:*
>>>
>>> tftp-server flash:test.txt
>>>
>>> int f0/0
>>> desc link to R0
>>> ip add 1.1.1.2 255.255.255.252
>>>
>>> *R0:*
>>>
>>> int f0/0
>>> desc link to R1
>>> ip add 1.1.1.1 255.255.255.252
>>> ip access-group 100 in
>>> ip inspect TEST out
>>>
>>> access-list 100 deny ip any any
>>>
>>> ip inspect name TEST tcp router-traffic
>>> ip inspect name TEST telnet
>>> ip inspect name TEST tftp
>>> ip inspect name TEST udp router-traffic
>>> ip inspect name TEST icmp router-traffic
>>>
>>>
>>>
>>> I am successfully able to telnet and ping to R1, but I can't get a file via
>>> tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
>>> but I can't seem to get CBAC to make an opening for it. I do know that tftp
>>> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
>>> dynamips is too slow for CBAC to work with its default timers and such?
>>> Doesn't seem like it has anything to do with it to me...without ACL 100
>>> applied, the file seems to transfer across very quickly.
>>>
>>>
>>> debug ip inspect detail output when trying to tftp:
>>>
>>> R0(config)#do copy tftp flash
>>> Address or name of remote host [1.1.1.2]?
>>> Source filename [test.txt]?
>>> Destination filename [test.txt]?
>>> Accessing tftp://1.1.1.2/test.txt...
>>> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
>>> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>>>
>>> Here's an attempt with ACL 100 removed to validate tftp functionality:
>>>
>>> R0(config-if)#do copy tftp flash
>>> Address or name of remote host [1.1.1.2]?
>>> Source filename [test.txt]?
>>> Destination filename [test.txt]?
>>> Accessing tftp://1.1.1.2/test.txt...
>>> Erase flash: before copying? [confirm]
>>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>>> Erase of flash: complete
>>> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
>>> [OK - 1670 bytes]
>>>
>>> Verifying checksum... OK (0x535)
>>> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
>>> R0(config-if)#
>>>
>>>
>>> any ideas?
>>>
>>> Thanks,
>>> Jason
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
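
A simplified model, added here and not part of the original thread, of why TFTP needs protocol-aware inspection behind a deny-all inbound ACL: under RFC 1350 the server answers a read request from a newly chosen port (its TID) rather than from port 69, so a return check that only admits the exact mirror of the outbound UDP flow drops the first DATA packet. The matching rules and the `Inspector` class are assumptions about a generic stateful firewall, not Cisco IOS internals, and server port 49152 is a constructed value.

```python
"""Return-traffic matching for a TFTP read behind an inbound 'deny ip any any'.

Assumptions (not from the thread): generic stateful-firewall matching rules,
not Cisco IOS internals; the server TID port 49152 is a constructed value.
"""
from dataclasses import dataclass, field

TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Inspector:
    tftp_aware: bool
    exact: set = field(default_factory=set)   # fully specified return flows
    pregen: set = field(default_factory=set)  # return flows, source port still open

    def outbound(self, p: Packet) -> None:
        """Record state for a packet leaving the protected side."""
        if self.tftp_aware and p.dport == TFTP_PORT:
            # RFC 1350: the reply comes from a new server port, so leave it open.
            self.pregen.add((p.dst, p.src, p.sport))
        else:
            self.exact.add((p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Packet) -> bool:
        """True if admitted; anything unmatched falls to the deny-all ACL."""
        if (p.src, p.sport, p.dst, p.dport) in self.exact:
            return True
        half = (p.src, p.dst, p.dport)
        if half in self.pregen:
            # The first reply pins the server TID and consumes the open entry.
            self.pregen.discard(half)
            self.exact.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def transfer_allowed(tftp_aware: bool) -> bool:
    fw = Inspector(tftp_aware)
    fw.outbound(Packet("1.1.1.1", 55559, "1.1.1.2", TFTP_PORT))  # RRQ, ports as in the debug line
    data1 = fw.inbound(Packet("1.1.1.2", 49152, "1.1.1.1", 55559))  # DATA block 1 from server TID
    data2 = fw.inbound(Packet("1.1.1.2", 49152, "1.1.1.1", 55559))  # DATA block 2, same TID
    return data1 and data2
```

`transfer_allowed(False)` models mirror-only UDP matching and `transfer_allowed(True)` models a TFTP-aware inspector; in the second case the wildcard entry is consumed by the first reply, so a later packet from a different server port or host is still dropped.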


This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST