Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 23:38:20 ARST


Bob, you were right. In my initial setup I was trying to tftp from the CBAC
router itself. With the new topology that I'm using I'm actually going
through the CBAC router this time, but I forgot to enable my tftp server
this time :-) I had it enabled the first time, hence being able to tftp
without my ACL etc.

Thanks,
Jason

On Sat, Nov 8, 2008 at 6:33 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

> Very weird. My current topology is one in which I too am trying to pass
> tftp THROUGH my CBAC router and not from it. Are you using "real" routers
> or dynamips too? Maybe dynamips is too slow for this with the default
> timers. I'll try modifying them next. Anyway, here are my 3 current
> router configs if anyone is interested.
>
> (topology is R0 (with test.txt) --> R1 (with CBAC) -- R2 (trying to tftp to
> R0)
>
> R0#sho run
> Building configuration...
>
> Current configuration : 827 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R0
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> interface Loopback0
> ip address 100.100.100.100 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 1.1.1.10 255.255.255.0
> duplex auto
> speed auto
> !
> router eigrp 1
> network 1.1.1.10 0.0.0.0
> network 100.100.100.100 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> ip http path flash:
> !
> !
> !
> !
> !
> !
> control-plane
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> password cisco
> login
> !
> !
> end
>
>
> R1#sho run
> Building configuration...
>
> Current configuration : 1313 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> ip inspect name TEST tcp alert on audit-trail on
> ip inspect name TEST udp alert on audit-trail on
> ip inspect name TEST telnet alert on audit-trail on
> ip inspect name TEST icmp alert on audit-trail on
> ip inspect name TEST tftp alert on audit-trail on
> ip inspect name TEST http alert on audit-trail on
> !
> !
> !
> interface Loopback0
> ip address 200.200.200.200 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 1.1.1.11 255.255.255.0
> ip access-group 100 in
> duplex auto
> speed auto
> !
> interface FastEthernet1/0
> ip address 2.2.2.11 255.255.255.0
> ip inspect TEST in
> duplex auto
> speed auto
> !
> router eigrp 1
> network 1.1.1.11 0.0.0.0
> network 2.2.2.11 0.0.0.0
> network 200.200.200.200 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> access-list 100 permit eigrp any any
> access-list 100 deny ip any any
> !
> !
> !
> control-plane
> !
> !
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> !
> !
> end
>
> R2#sho run
> Building configuration...
>
> Current configuration : 812 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> interface Loopback0
> ip address 150.150.150.150 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 2.2.2.12 255.255.255.0
> ip helper-address 1.1.1.10
> duplex auto
> speed auto
> !
> router eigrp 1
> network 2.2.2.12 0.0.0.0
> network 150.150.150.150 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> !
> !
> end
>
> R2#
>
>
>
> On Sat, Nov 8, 2008 at 6:25 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>
>> Jason,
>>
>> I copied your ACL and inspect into my routers. I can tftp THROUGH the
>> inspecting box, but not from it. Maybe a typo? I am running
>> 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(21)
>>
>>
>>
>> HTH,
>>
>> Bob Sinclair CCIE 10427 CCSI 30427
>> www.netmasterclass.net
>>
>> Jason Madsen wrote:
>>
>> I'm starting to think that TFTP needs to be permitted in the outside inbound
>> ACL as well. I can't really see much use in CBAC TFTP usefulness if this is
>> the case though.
>>
>> Jason
>>
>> On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>
>>
>>
>> BTW, I can transfer files using HTTP too (see below). The only thing that
>> won't work for me is TFTP.
>>
>> Someone in this group must have tried (successfully or unsuccessfully) to
>> transfer a file via TFTP across a CBAC link at one time or another...there
>> are just too many of us :-)
>>
>> any ideas?
>>
>> R2#copy http: flash
>> Address or name of remote host [1.1.1.10]?
>> Source filename [test.txt]?
>> Destination filename [test.txt]?
>> Erase flash: before copying? [confirm]
>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>> Erase of flash: complete
>> Loading http://1.1.1.10/test.txt !
>> Verifying checksum... OK (0x3CA)
>> 868 bytes copied in 1.512 secs (574 bytes/sec)
>>
>>
>> Jason
>>
>>
>> On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>
>>
>>
>> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
>> extending the topology a bit more and sourced the request from another
>> connected device, but had the same exact results. Telnet and ICMP worked
>> just fine, but TFTP wouldn't work at all.
>>
>> Along with my debugs I enabled alerts and auditing and really didn't get
>> any more info' that way either.
>>
>> Thanks,
>> Jason
>>
>>
>> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>>
>>
>>
>> Jason,
>>
>> It looks to me like you are generating traffic from the device that is
>> doing the inspecting. I do not believe that CBAC can inspect connections
>> that terminate on the router; they must go through the router. Try tftp
>> from a device "inside" R0.
>>
>> HTH,
>>
>> -Bob Sinclair CCIE 10427 CCSI 30427
>> www.netmasterclass.net
>>
>>
>> Jason Madsen wrote:
>>
>>
>>
>> Hello All,
>>
>> ...quick question. There are quite a lot of CBAC options available to use,
>> but overall it's a pretty straightforward technology...at least that's what
>> I've always thought and experienced until now. For whatever reason(s) CBAC
>> doesn't seem to be allowing me to tftp. Here's the basic config' I was using:
>>
>> *R1:*
>>
>> tftp-server flash:test.txt
>>
>> int f0/0
>> desc link to R0
>> ip add 1.1.1.2 255.255.255.252
>>
>> *R0:*
>>
>> int f0/0
>> desc link to R1
>> ip add 1.1.1.1 255.255.255.252
>> ip access-group 100 in
>> ip inspect TEST out
>>
>> access-list 100 deny ip any any
>>
>> ip inspect name TEST tcp router-traffic
>> ip inspect name TEST telnet
>> ip inspect name TEST tftp
>> ip inspect name TEST udp router-traffic
>> ip inspect name TEST icmp router-traffic
>>
>>
>>
>> I am successfully able to telnet and ping to R1, but I can't get a file via
>> tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
>> but I can't seem to get CBAC to make an opening for it. I do know that tftp
>> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
>> dynamips is too slow for CBAC to work with its default timers and such?
>> Doesn't seem like it has anything to do with it to me...without ACL 100
>> applied, the file seems to transfer across very quickly.
>>
>>
>> debug ip inspect detail output when trying to tftp:
>>
>> R0(config)#do copy tftp flash
>> Address or name of remote host [1.1.1.2]?
>> Source filename [test.txt]?
>> Destination filename [test.txt]?
>> Accessing tftp://1.1.1.2/test.txt...
>> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
>> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>>
>> Here's an attempt with ACL 100 removed to validate tftp functionality:
>>
>> R0(config-if)#do copy tftp flash
>> Address or name of remote host [1.1.1.2]?
>> Source filename [test.txt]?
>> Destination filename [test.txt]?
>> Accessing tftp://1.1.1.2/test.txt...
>> Erase flash: before copying? [confirm]
>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>> Erase of flash: complete
>> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
>> [OK - 1670 bytes]
>>
>> Verifying checksum... OK (0x535)
>> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
>> R0(config-if)#
>>
>>
>> any ideas?
>>
>> Thanks,
>> Jason
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:http://www.groupstudy.com/list/CCIELab.html
>>
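The transit-versus-router-originated distinction Bob raises, together with the `tftp` and `udp` inspectors in R1's quoted config, as an added toy model (not IOS code and not from anyone in the thread). R1's addresses and the client port 55559 come from the quoted configs and debug output; the server TID 49152 and the rule that `tftp` inspection covers transit traffic only are the model's own assumptions.

```python
"""Toy model of the CBAC behaviour discussed in the thread (added example).

R1: 'access-list 100 deny ip any any' (eigrp permitted) inbound on the outside
interface, 'ip inspect TEST in' on the inside interface opening return entries.
"""
from dataclasses import dataclass

ROUTER_ADDRS = {"1.1.1.11", "2.2.2.11"}  # R1's interface addresses (quoted config)

@dataclass(frozen=True)
class Pkt:
    proto: str   # "udp", "tcp" or "eigrp"
    src: str
    sport: int
    dst: str
    dport: int

class Cbac:
    """inspect maps an inspected protocol name to whether 'router-traffic' is set."""

    def __init__(self, inspect):
        self.inspect = dict(inspect)
        self.sessions = []  # (peer, peer_port or None for any, local, local_port)

    def inside_out(self, p):
        """Inside->outside packet hits 'ip inspect TEST in': learn a session."""
        from_router = p.src in ROUTER_ADDRS
        if "tftp" in self.inspect and p.proto == "udp" and p.dport == 69 and not from_router:
            # A TFTP server answers from a fresh TID (RFC 1350), so the application
            # inspector must accept any server-side source port.
            # Model assumption: the tftp inspector only sees transit traffic.
            self.sessions.append((p.dst, None, p.src, p.sport))
        elif p.proto in self.inspect and (not from_router or self.inspect[p.proto]):
            # Generic tcp/udp entry: the exact reversed 5-tuple only.
            self.sessions.append((p.dst, p.dport, p.src, p.sport))

    def outside_in(self, p):
        """Outside->inside packet: dynamic entries first, then ACL 100."""
        for peer, pport, local, lport in self.sessions:
            if (peer, local, lport) == (p.src, p.dst, p.dport) and pport in (None, p.sport):
                return True
        # access-list 100 permit eigrp any any / access-list 100 deny ip any any
        return p.proto == "eigrp"

def tftp_reply_passes(inspect, client):
    """Does the server's first DATA block, sent from a new TID, get back in?"""
    fw = Cbac(inspect)
    fw.inside_out(Pkt("udp", client, 55559, "1.1.1.10", 69))            # RRQ to R0
    return fw.outside_in(Pkt("udp", "1.1.1.10", 49152, client, 55559))  # DATA from TID (constructed)
```

With `{"udp": False, "tftp": False}` a transfer from R2 (2.2.2.12) through R1 gets its reply back, with `udp` alone it does not, and a transfer sourced from R1's own address is not opened by the tftp inspector even when `udp router-traffic` is set.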




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST