Re: TFTP Not Working W CBAC for some reason

From: Bob Sinclair (bob@bobsinclair.net)
Date: Sat Nov 08 2008 - 23:25:07 ARST


 Jason,

I copied your ACL and inspect into my routers. I can tftp THROUGH the
inspecting box, but not from it. Maybe a typo? I am running
2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(21)

HTH,

Bob Sinclair CCIE 10427 CCSI 30427
www.netmasterclass.net

Jason Madsen wrote:

  I'm starting to think that TFTP needs to be permitted in the outside inbound
  ACL as well. I can't really see much use in CBAC TFTP usefulness if this is
  the case though.
  
  Jason
  
  On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

    BTW, I can transfer files using HTTP too (see below). The only thing that
    won't work for me is TFTP.
    
    Someone in this group must have tried (successfully or unsuccessfully) to
    transfer a file via TFTP across a CBAC link at one time or another...there
    are just too many of us :-)
    
    any ideas?
    
    R2#copy http: flash
    Address or name of remote host [1.1.1.10]?
    Source filename [test.txt]?
    Destination filename [test.txt]?
    Erase flash: before copying? [confirm]
    Erasing the flash filesystem will remove all files! Continue? [confirm]
    Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
    Erase of flash: complete
    Loading http://1.1.1.10/test.txt !
    Verifying checksum... OK (0x3CA)
    868 bytes copied in 1.512 secs (574 bytes/sec)

    Jason

    On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

      Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
      extending the topology a bit more and sourced the request from another
      connected device, but had the same exact results. Telnet and ICMP worked
      just fine, but TFTP wouldn't work at all.
      
      Along with my debugs I enabled alerts and auditing and really didn't get
      any more info' that way either.
      
      Thanks,
      Jason

      On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:

        Jason,
        
        It looks to me like you are generating traffic from the device that is
        doing the inspecting. I do not believe that CBAC can inspect connections
        that terminate on the router; they must go through the router. Try tftp
        from a device "inside" R0.
        
        HTH,
        
        -Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net
        
        Jason Madsen wrote:

          Hello All,
          
          ...quick question. There are quite a lot of CBAC options available to
          use, but overall it's a pretty straightforward technology...at least
          that's what I've always thought and experienced until now. For whatever
          reason(s) CBAC doesn't seem to be allowing me to tftp. Here's the basic
          config' I was using:
          
          *R1:*
          
          tftp-server flash:test.txt
          
          int f0/0
          desc link to R0
          ip add 1.1.1.2 255.255.255.252
          
          *R0:*
          
          int f0/0
          desc link to R1
          ip add 1.1.1.1 255.255.255.252
          ip access-group 100 in
          ip inspect TEST out
          
          access-list 100 deny ip any any
          
          ip inspect name TEST tcp router-traffic
          ip inspect name TEST telnet
          ip inspect name TEST tftp
          ip inspect name TEST udp router-traffic
          ip inspect name TEST icmp router-traffic

          I am successfully able to telnet and ping to R1, but I can't get a file
          via tftp. I'm able to get a file via tftp just fine when ACL 100 is
          removed, but I can't seem to get CBAC to make an opening for it. I do
          know that tftp uses UDP (port 69) and I am using dynamips. Do you think
          it's possible that dynamips is too slow for CBAC to work with its
          default timers and such? It doesn't seem like it has anything to do with
          it to me...without ACL 100 applied, the file seems to transfer across
          very quickly.

          debug ip inspect detail output when trying to tftp:
          
          R0(config)#do copy tftp flash
          Address or name of remote host [1.1.1.2]?
          Source filename [test.txt]?
          Destination filename [test.txt]?
          Accessing tftp://1.1.1.2/test.txt...
          *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1,
          src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
          %Error opening tftp://1.1.1.2/test.txt (Timed out)
          
          Here's an attempt with ACL 100 removed to validate tftp functionality:
          
          R0(config-if)#do copy tftp flash
          Address or name of remote host [1.1.1.2]?
          Source filename [test.txt]?
          Destination filename [test.txt]?
          Accessing tftp://1.1.1.2/test.txt...
          Erase flash: before copying? [confirm]
          Erasing the flash filesystem will remove all files! Continue? [confirm]
          Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
          Erase of flash: complete
          Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
          [OK - 1670 bytes]
          
          Verifying checksum... OK (0x535)
          1670 bytes copied in 1.356 secs (1232 bytes/sec)
          R0(config-if)#

          any ideas?
          
          Thanks,
          Jason

          Blogs and organic groups at http://www.ccie.net
          _______________________________________________________________________
          Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html


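An added illustration, not part of the thread above and not Cisco code: a toy model of the return-traffic pinhole that a CBAC-style inspector opens in front of a "deny ip any any" inbound ACL, used to show one reason TFTP needs its own application-aware inspect rule rather than a generic UDP one. The protocol fact it rests on is RFC 1350: the client's read request goes to UDP/69, but the server answers from a newly chosen port (its transfer identifier), so a pinhole keyed on the exact outbound 5-tuple never matches the first DATA block. The addresses and client port 55559 are taken from Jason's debug output; the server's transfer port (49152) and the same-port UDP example are constructed values. The model does not address the thread's separate, unresolved question of router-originated versus transit traffic.

```python
"""Toy model of a stateful UDP pinhole table, added here as an example
(not from the thread, not Cisco's implementation) to show why a generic
UDP session entry does not admit a TFTP reply.  Addresses come from the
thread; the server TID 49152 is a constructed value."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# (client, client_port, server, server_port) ; server_port None = any port
Entry = Tuple[str, int, str, Optional[int]]


class PinholeTable:
    """Return-traffic exceptions added in front of a 'deny ip any any' ACL."""

    def __init__(self) -> None:
        self.entries: Set[Entry] = set()

    def open_for(self, outbound: Packet, tftp_aware: bool = False) -> None:
        """Create an entry from the outbound packet.  A TFTP-aware inspector
        knows the reply will come from a new server port, so it leaves the
        server port unconstrained for requests sent to UDP/69."""
        if tftp_aware and outbound.dport == 69:
            server_port: Optional[int] = None
        else:
            server_port = outbound.dport
        self.entries.add((outbound.src, outbound.sport, outbound.dst, server_port))

    def permits_return(self, inbound: Packet) -> bool:
        """Inbound packet is server -> client; admit it only if an entry matches."""
        for client, cport, server, sport in self.entries:
            if inbound.dst == client and inbound.dport == cport and inbound.src == server:
                if sport is None or inbound.sport == sport:
                    return True
        return False


def tftp_exchange(client: str, cport: int, server: str, server_tid: int):
    """RFC 1350: RRQ to port 69; the server's first DATA block comes from its
    freshly chosen transfer identifier (TID), not from port 69."""
    rrq = Packet(client, cport, server, 69)
    data1 = Packet(server, server_tid, client, cport)
    return rrq, data1


def simulate_tftp(tftp_aware: bool) -> bool:
    """Does the server's first DATA block get through the pinhole table?"""
    table = PinholeTable()
    rrq, data1 = tftp_exchange("1.1.1.1", 55559, "1.1.1.2", 49152)  # 49152: constructed TID
    table.open_for(rrq, tftp_aware=tftp_aware)
    return table.permits_return(data1)


def simulate_same_port_udp() -> bool:
    """Contrast case (constructed): a UDP service that replies from the same
    port it was queried on is fully covered by the generic entry."""
    table = PinholeTable()
    query = Packet("1.1.1.1", 40000, "1.1.1.2", 53)
    reply = Packet("1.1.1.2", 53, "1.1.1.1", 40000)
    table.open_for(query)
    return table.permits_return(reply)


if __name__ == "__main__":
    print("generic UDP entry admits TFTP DATA block:", simulate_tftp(False))
    print("TFTP-aware entry admits TFTP DATA block: ", simulate_tftp(True))
    print("generic entry admits same-port UDP reply: ", simulate_same_port_udp())
```

Running it prints False, True, True: the generic entry admits a reply that comes back from the queried port, but TFTP's port switch defeats it, which is exactly the gap an application-specific "ip inspect name ... tftp" rule is meant to cover for traffic the inspector actually sees.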



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST