Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 23:45:40 ARST


Why wouldn't CBAC allow me to TFTP from the CBAC router in my first
topology, though? I know my current configurations wouldn't work that way
because I have my ACL and my inspect application on two different
interfaces, but in my first example I had them both on the one outside
interface? I even had a session when I did "sho ip inspec ses"... just no
TFTP transfer.

Thanks,
Jason

On Sat, Nov 8, 2008 at 6:41 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

> That must be one of those "rabbit holes" that people refer to during the
> lab exam. I can't believe how much time I spent even though it was a
> technology that I'm actually familiar with. At least one good thing about
> this really sucking is that I won't readily forget "the little things"
> involved in this scenario.
>
> Thanks,
> Jason
>
>
> On Sat, Nov 8, 2008 at 6:38 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
>> Bob, you were right. In my initial setup I was trying to TFTP from the
>> CBAC router itself. With the new topology that I'm using I'm actually going
>> through the CBAC router this time, but I forgot to enable my TFTP server
>> this time :-) I had it enabled the first time, hence being able to TFTP
>> without my ACL etc.
>>
>> Thanks,
>> Jason
>>
>>
>> On Sat, Nov 8, 2008 at 6:33 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>
>>> Very weird. My current topology is one in which I too am trying to pass
>>> TFTP THROUGH my CBAC router and not from it. Are you using "real" routers
>>> or dynamips too? Maybe dynamips is too slow for this with the default
>>> timers. I'll try modifying them next. Anyway, here are my 3 current
>>> router configs if anyone is interested.
>>>
>>> (Topology is R0 (with test.txt) --> R1 (with CBAC) -- R2 (trying to TFTP
>>> to R0).)
>>>
>>> R0#sho run
>>> Building configuration...
>>>
>>> Current configuration : 827 bytes
>>> !
>>> version 12.4
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> no service password-encryption
>>> !
>>> hostname R0
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> !
>>> no aaa new-model
>>> !
>>> resource policy
>>> !
>>> memory-size iomem 5
>>> !
>>> !
>>> ip cef
>>> no ip domain lookup
>>> !
>>> interface Loopback0
>>> ip address 100.100.100.100 255.255.255.255
>>> !
>>> interface FastEthernet0/0
>>> ip address 1.1.1.10 255.255.255.0
>>> duplex auto
>>> speed auto
>>> !
>>> router eigrp 1
>>> network 1.1.1.10 0.0.0.0
>>> network 100.100.100.100 0.0.0.0
>>> no auto-summary
>>> !
>>> ip http server
>>> no ip http secure-server
>>> ip http path flash:
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> control-plane
>>> !
>>> alias exec s sho ip int brie
>>> alias exec sir sho ip route
>>> !
>>> line con 0
>>> exec-timeout 0 0
>>> logging synchronous
>>> line aux 0
>>> line vty 0 4
>>> password cisco
>>> login
>>> !
>>> !
>>> end
>>>
>>>
>>> R1#sho run
>>> Building configuration...
>>>
>>> Current configuration : 1313 bytes
>>> !
>>> version 12.4
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> no service password-encryption
>>> !
>>> hostname R1
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> !
>>> no aaa new-model
>>> !
>>> resource policy
>>> !
>>> memory-size iomem 5
>>> !
>>> !
>>> ip cef
>>> no ip domain lookup
>>> !
>>> ip inspect name TEST tcp alert on audit-trail on
>>> ip inspect name TEST udp alert on audit-trail on
>>> ip inspect name TEST telnet alert on audit-trail on
>>> ip inspect name TEST icmp alert on audit-trail on
>>> ip inspect name TEST tftp alert on audit-trail on
>>> ip inspect name TEST http alert on audit-trail on
>>> !
>>> !
>>> !
>>> interface Loopback0
>>> ip address 200.200.200.200 255.255.255.255
>>> !
>>> interface FastEthernet0/0
>>> ip address 1.1.1.11 255.255.255.0
>>> ip access-group 100 in
>>> duplex auto
>>> speed auto
>>> !
>>> interface FastEthernet1/0
>>> ip address 2.2.2.11 255.255.255.0
>>> ip inspect TEST in
>>> duplex auto
>>> speed auto
>>> !
>>> router eigrp 1
>>> network 1.1.1.11 0.0.0.0
>>> network 2.2.2.11 0.0.0.0
>>> network 200.200.200.200 0.0.0.0
>>> no auto-summary
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> !
>>> !
>>> access-list 100 permit eigrp any any
>>> access-list 100 deny ip any any
>>> !
>>> !
>>> !
>>> control-plane
>>> !
>>> !
>>> !
>>> alias exec s sho ip int brie
>>> alias exec sir sho ip route
>>> !
>>> line con 0
>>> exec-timeout 0 0
>>> logging synchronous
>>> line aux 0
>>> line vty 0 4
>>> !
>>> !
>>> end
>>>
>>> R2#sho run
>>> Building configuration...
>>>
>>> Current configuration : 812 bytes
>>> !
>>> version 12.4
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> no service password-encryption
>>> !
>>> hostname R2
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> !
>>> no aaa new-model
>>> !
>>> resource policy
>>> !
>>> memory-size iomem 5
>>> !
>>> !
>>> ip cef
>>> no ip domain lookup
>>> !
>>> interface Loopback0
>>> ip address 150.150.150.150 255.255.255.255
>>> !
>>> interface FastEthernet0/0
>>> ip address 2.2.2.12 255.255.255.0
>>> ip helper-address 1.1.1.10
>>> duplex auto
>>> speed auto
>>> !
>>> router eigrp 1
>>> network 2.2.2.12 0.0.0.0
>>> network 150.150.150.150 0.0.0.0
>>> no auto-summary
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> control-plane
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> alias exec s sho ip int brie
>>> alias exec sir sho ip route
>>> !
>>> line con 0
>>> exec-timeout 0 0
>>> logging synchronous
>>> line aux 0
>>> line vty 0 4
>>> !
>>> !
>>> end
>>>
>>> R2#
>>>
>>>
>>>
>>> On Sat, Nov 8, 2008 at 6:25 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>>>
>>>> Jason,
>>>>
>>>> I copied your ACL and inspect into my routers. I can tftp THROUGH the
>>>> inspecting box, but not from it. Maybe a typo? I am running
>>>> 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(21)
>>>>
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Bob Sinclair CCIE 10427 CCSI 30427
>>>> www.netmasterclass.net
>>>>
>>>> Jason Madsen wrote:
>>>>
>>>> I'm starting to think that TFTP needs to be permitted in the outside inbound
>>>> ACL as well. I can't really see much use in CBAC's TFTP inspection if this is
>>>> the case, though.
>>>>
>>>> Jason
>>>>
>>>> On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> BTW, I can transfer files using HTTP too (see below). The only thing that
>>>> won't work for me is TFTP.
>>>>
>>>> Someone in this group must have tried (successfully or unsuccessfully) to
>>>> transfer a file via TFTP across a CBAC link at one time or another... there
>>>> are just too many of us :-)
>>>>
>>>> any ideas?
>>>>
>>>> R2#copy http: flash
>>>> Address or name of remote host [1.1.1.10]?
>>>> Source filename [test.txt]?
>>>> Destination filename [test.txt]?
>>>> Erase flash: before copying? [confirm]
>>>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>>>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>>>> Erase of flash: complete
>>>> Loading http://1.1.1.10/test.txt !
>>>> Verifying checksum... OK (0x3CA)
>>>> 868 bytes copied in 1.512 secs (574 bytes/sec)
>>>>
>>>>
>>>> Jason
>>>>
>>>>
>>>> On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
>>>> extending the topology a bit more and sourced the request from another
>>>> connected device, but had the same exact results. Telnet and ICMP worked
>>>> just fine, but TFTP wouldn't work at all.
>>>>
>>>> Along with my debugs I enabled alerts and auditing and really didn't get
>>>> any more info that way either.
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>>
>>>> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>>>>
>>>>
>>>>
>>>> Jason,
>>>>
>>>> It looks to me like you are generating traffic from the device that is
>>>> doing the inspecting. I do not believe that CBAC can inspect connections
>>>> that terminate on the router; they must go through the router. Try tftp
>>>> from a device "inside" R0.
>>>>
>>>> HTH,
>>>>
>>>> -Bob Sinclair CCIE 10427 CCSI 30427
>>>> www.netmasterclass.net
>>>>
>>>>
>>>> Jason Madsen wrote:
>>>>
>>>>
>>>>
>>>> Hello All,
>>>>
>>>> ...quick question. There are quite a lot of CBAC options available to use,
>>>> but overall it's a pretty straightforward technology... at least that's what
>>>> I've always thought and experienced until now. For whatever reason(s) CBAC
>>>> doesn't seem to be allowing me to TFTP. Here's the basic config I was
>>>> using:
>>>>
>>>> *R1:*
>>>>
>>>> tftp-server flash:test.txt
>>>>
>>>> int f0/0
>>>> desc link to R0
>>>> ip add 1.1.1.2 255.255.255.252
>>>>
>>>> *R0:*
>>>>
>>>> int f0/0
>>>> desc link to R1
>>>> ip add 1.1.1.1 255.255.255.252
>>>> ip access-group 100 in
>>>> ip inspect TEST out
>>>>
>>>> access-list 100 deny ip any any
>>>>
>>>> ip inspect name TEST tcp router-traffic
>>>> ip inspect name TEST telnet
>>>> ip inspect name TEST tftp
>>>> ip inspect name TEST udp router-traffic
>>>> ip inspect name TEST icmp router-traffic
>>>>
>>>>
>>>>
>>>> I am successfully able to telnet and ping to R1, but I can't get a file via
>>>> TFTP. I'm able to get a file via TFTP just fine when ACL 100 is removed,
>>>> but I can't seem to get CBAC to make an opening for it. I do know that TFTP
>>>> uses UDP (port 69) and I am using dynamips. Do you think it's possible that
>>>> dynamips is too slow for CBAC to work with its default timers and such?
>>>> Doesn't seem like it has anything to do with it to me... without ACL 100
>>>> applied, the file seems to transfer across very quickly.
>>>>
>>>>
>>>> debug ip inspect detail output when trying to tftp:
>>>>
>>>> R0(config)#do copy tftp flash
>>>> Address or name of remote host [1.1.1.2]?
>>>> Source filename [test.txt]?
>>>> Destination filename [test.txt]?
>>>> Accessing tftp://1.1.1.2/test.txt...
>>>> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0,
>>>> src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
>>>> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>>>>
>>>> Here's an attempt with ACL 100 removed to validate tftp functionality:
>>>>
>>>> R0(config-if)#do copy tftp flash
>>>> Address or name of remote host [1.1.1.2]?
>>>> Source filename [test.txt]?
>>>> Destination filename [test.txt]?
>>>> Accessing tftp://1.1.1.2/test.txt...
>>>> Erase flash: before copying? [confirm]
>>>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>>>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>>>> Erase of flash: complete
>>>> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
>>>> [OK - 1670 bytes]
>>>>
>>>> Verifying checksum... OK (0x535)
>>>> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
>>>> R0(config-if)#
>>>>
>>>>
>>>> any ideas?
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:http://www.groupstudy.com/list/CCIELab.html
>>>>

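A worked model of the port behaviour that makes TFTP awkward for stateful inspection, added here as an example; it is not code from the thread and not IOS. Jason notes that TFTP uses UDP port 69, and Bob's test shows the transfer passing through an inspecting router. What the port number alone hides is RFC 1350's transfer identifiers: port 69 receives only the read or write request, and the server answers from a newly chosen source port, so the DATA packets never match the reverse of the outbound 5-tuple. The model below contrasts a generic UDP pinhole, which opens only that exact reverse tuple, with a TFTP-aware engine that parses the RRQ/WRQ, opens a wildcard on the server port, and then narrows it to the server's TID on the first reply. The Inspector class is a hypothetical simplification of stateful inspection; the addresses 1.1.1.1 and 1.1.1.2, the ports 55559 and 3456, and the 1670-byte sample (the size of test.txt in the thread) are constructed for the example.

```python
"""TFTP port behaviour (RFC 1350) against a stateful pinhole firewall.

Added example, not code from the thread or from IOS.  Inspector is a
hypothetical, simplified model of stateful inspection; addresses and ports
are constructed to mirror the thread's first topology (1.1.1.1 -> 1.1.1.2).
"""
import struct
from collections import namedtuple

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
TFTP_PORT, BLOCK_SIZE = 69, 512
Packet = namedtuple("Packet", "src sport dst dport payload")


def parse_tftp(payload):
    """(opcode, (filename, mode)) for RRQ/WRQ; (opcode, block) for DATA/ACK."""
    if len(payload) < 2:
        raise ValueError("truncated TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (RRQ, WRQ):
        fields = payload[2:].split(b"\x00")          # filename NUL mode NUL
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError("malformed TFTP request")
        return opcode, (fields[0].decode("ascii"), fields[1].decode("ascii").lower())
    if opcode in (DATA, ACK):
        if len(payload) < 4:
            raise ValueError("truncated DATA/ACK")
        return opcode, struct.unpack("!H", payload[2:4])[0]
    raise ValueError("unsupported opcode %d" % opcode)


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block, chunk):
    return struct.pack("!HH", DATA, block) + chunk


def build_ack(block):
    return struct.pack("!HH", ACK, block)


class Inspector:
    """Stateful inspection on the server-facing interface (hypothetical model).
    Outbound packets open pinholes; an inbound packet with no matching pinhole
    falls through to the interface ACL ('deny ip any any' in the thread)."""

    def __init__(self, tftp_aware):
        self.tftp_aware = tftp_aware
        self.pinholes = set()   # (inside_ip, inside_port, outside_ip, outside_port|None)

    def outbound(self, pkt):
        # Generic UDP inspection opens only the exact reverse of the 5-tuple.
        self.pinholes.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if self.tftp_aware and pkt.dport == TFTP_PORT:
            opcode, _ = parse_tftp(pkt.payload)
            if opcode in (RRQ, WRQ):
                # RFC 1350: the server answers from a freshly chosen TID (source
                # port), so the TFTP engine must accept any server port for now.
                self.pinholes.add((pkt.src, pkt.sport, pkt.dst, None))

    def inbound(self, pkt):
        """True if the packet is forwarded, False if the ACL drops it."""
        exact = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if exact in self.pinholes:
            return True
        wildcard = (pkt.dst, pkt.dport, pkt.src, None)
        if wildcard in self.pinholes:
            # The first reply reveals the server TID: narrow the wildcard to it
            # so no other source port can inject packets into this transfer.
            self.pinholes.discard(wildcard)
            self.pinholes.add(exact)
            return True
        return False


def run_transfer(tftp_aware, file_bytes):
    """Read a file through the inspector as the client; return bytes received.
    A dropped DATA block is the thread's 'Timed out': block 1 never arrives."""
    client, server = "1.1.1.1", "1.1.1.2"           # constructed, as in the thread
    client_tid, server_tid = 55559, 3456             # server TID is arbitrary
    fw = Inspector(tftp_aware)
    fw.outbound(Packet(client, client_tid, server, TFTP_PORT, build_rrq("test.txt")))
    received, block = b"", 1
    while True:
        chunk = file_bytes[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
        data = Packet(server, server_tid, client, client_tid, build_data(block, chunk))
        if not fw.inbound(data):
            return len(received)                     # dropped by the ACL: timeout
        opcode, num = parse_tftp(data.payload)
        assert opcode == DATA and num == block
        received += chunk
        fw.outbound(Packet(client, client_tid, server, server_tid, build_ack(block)))
        if len(chunk) < BLOCK_SIZE:                  # short block ends the transfer
            return len(received)
        block += 1


if __name__ == "__main__":
    sample = b"A" * 1670                             # same size as the thread's test.txt
    print("generic udp inspection:", run_transfer(False, sample), "bytes")
    print("tftp-aware inspection :", run_transfer(True, sample), "bytes")
```

Run as-is, the generic UDP case returns 0 bytes (block 1 is dropped, which is what the client reports as "Timed out"), while the TFTP-aware case returns the whole file. The narrowing step in inbound() is the part worth keeping in mind when reviewing any TFTP pinhole: leaving the wildcard open for the life of the session would let anything that can spoof the server's address inject DATA blocks from any port. The model says nothing about why inspection of router-originated traffic behaved differently in the thread's first topology; that question is left open on this page.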



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST