From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 23:18:33 ARST
I'm starting to think that TFTP needs to be permitted in the outside inbound
ACL as well. I can't really see much use in CBAC's TFTP inspection if this is
the case, though.
Jason
On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
> BTW, I can transfer files using HTTP too (see below). The only thing that
> won't work for me is TFTP.
>
> Someone in this group must have tried (successfully or unsuccessfully) to
> transfer a file via TFTP across a CBAC link at one time or another...there
> are just too many of us :-)
>
> any ideas?
>
> R2#copy http: flash
> Address or name of remote host [1.1.1.10]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
> Erase of flash: complete
> Loading http://1.1.1.10/test.txt !
> Verifying checksum... OK (0x3CA)
> 868 bytes copied in 1.512 secs (574 bytes/sec)
>
>
> Jason
>
>
> On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
>> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
>> extending the topology a bit more and sourced the request from another
>> connected device, but had the same exact results. Telnet and ICMP worked
>> just fine, but TFTP wouldn't work at all.
>>
>> Along with my debugs I enabled alerts and auditing and really didn't get
>> any more info' that way either.
>>
>> Thanks,
>> Jason
>>
>>
>> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>>
>>> Jason,
>>>
>>> It looks to me like you are generating traffic from the device that is
>>> doing the inspecting. I do not believe that CBAC can inspect connections
>>> that terminate on the router; they must go through the router. Try tftp
>>> from a device "inside" R0.
>>>
>>> HTH,
>>>
>>> -Bob Sinclair CCIE 10427 CCSI 30427
>>> www.netmasterclass.net
>>>
>>>
>>> Jason Madsen wrote:
>>>
>>>> Hello All,
>>>>
>>>> ...quick question. There are quite a lot of CBAC options available to use,
>>>> but overall it's a pretty straightforward technology...at least that's what
>>>> I've always thought and experienced until now. For whatever reason(s) CBAC
>>>> doesn't seem to be allowing me to tftp. Here's the basic config' I was using:
>>>>
>>>> *R1:*
>>>>
>>>> tftp-server flash:test.txt
>>>>
>>>> int f0/0
>>>> desc link to R0
>>>> ip add 1.1.1.2 255.255.255.252
>>>>
>>>> *R0:*
>>>>
>>>> int f0/0
>>>> desc link to R1
>>>> ip add 1.1.1.1 255.255.255.252
>>>> ip access-group 100 in
>>>> ip inspect TEST out
>>>>
>>>> access-list 100 deny ip any any
>>>>
>>>> ip inspect name TEST tcp router-traffic
>>>> ip inspect name TEST telnet
>>>> ip inspect name TEST tftp
>>>> ip inspect name TEST udp router-traffic
>>>> ip inspect name TEST icmp router-traffic
>>>>
>>>>
>>>>
>>>> I am successfully able to telnet and ping to R1, but I can't get a file via
>>>> tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
>>>> but I can't seem to get CBAC to make an opening for it. I do know that tftp
>>>> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
>>>> dynamips is too slow for CBAC to work with its default timers and such?
>>>> Doesn't seem like it has anything to do with it to me...without ACL 100
>>>> applied, the file seems to transfer across very quickly.
>>>>
>>>>
>>>> debug ip inspect detail output when trying to tftp:
>>>>
>>>> R0(config)#do copy tftp flash
>>>> Address or name of remote host [1.1.1.2]?
>>>> Source filename [test.txt]?
>>>> Destination filename [test.txt]?
>>>> Accessing tftp://1.1.1.2/test.txt...
>>>> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
>>>> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>>>>
>>>> Here's an attempt with ACL 100 removed to validate tftp functionality:
>>>>
>>>> R0(config-if)#do copy tftp flash
>>>> Address or name of remote host [1.1.1.2]?
>>>> Source filename [test.txt]?
>>>> Destination filename [test.txt]?
>>>> Accessing tftp://1.1.1.2/test.txt...
>>>> Erase flash: before copying? [confirm]
>>>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>>>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>>>> Erase of flash: complete
>>>> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
>>>> [OK - 1670 bytes]
>>>>
>>>> Verifying checksum... OK (0x535)
>>>> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
>>>> R0(config-if)#
>>>>
>>>>
>>>> any ideas?
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST