Re: TFTP Not Working W CBAC for some reason

From: Bob Sinclair (bob@bobsinclair.net)
Date: Sat Nov 08 2008 - 23:48:07 ARST


 Jason,

A kind friend pointed out to me offline that your "ip inspect name TEST
udp router-traffic" command should allow tftp as an endpoint on the
inspecting router. It is not working for me though. Can you TFTP from
or to the inspecting router now?

Thanks,

-bob

Jason Madsen wrote:

  Bob, you were right. In my initial setup I was trying to tftp from the CBAC
  router itself. With the new topology that I'm using I'm actually going
  through the CBAC router this time, but I forgot to enable my tftp server
  this time :-) I had it enabled the first time, hence being able to tftp
  without my ACL etc.
  
  Thanks,
  Jason
  
  On Sat, Nov 8, 2008 at 6:33 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

    very weird. my current topology is one in which i too am trying to pass
    tftp THROUGH my CBAC router and not from it. are you using "real" routers
    or dynamips too? maybe dynamips is too slow for this with the default
    timers. I'll try modifying them next. anyway, here are my 3 current
    router configs if anyone is interested.
    
    (topology is R0 (with test.txt) --> R1 (with CBAC) -- R2 (trying to tftp to
    R0))
    
    R0#sho run
    Building configuration...
    
    Current configuration : 827 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R0
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    interface Loopback0
     ip address 100.100.100.100 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 1.1.1.10 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 1
     network 1.1.1.10 0.0.0.0
     network 100.100.100.100 0.0.0.0
     no auto-summary
    !
    ip http server
    no ip http secure-server
    ip http path flash:
    !
    !
    !
    !
    !
    !
    control-plane
    !
    alias exec s sho ip int brie
    alias exec sir sho ip route
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    !
    end

    R1#sho run
    Building configuration...
    
    Current configuration : 1313 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    ip inspect name TEST tcp alert on audit-trail on
    ip inspect name TEST udp alert on audit-trail on
    ip inspect name TEST telnet alert on audit-trail on
    ip inspect name TEST icmp alert on audit-trail on
    ip inspect name TEST tftp alert on audit-trail on
    ip inspect name TEST http alert on audit-trail on
    !
    !
    !
    interface Loopback0
     ip address 200.200.200.200 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 1.1.1.11 255.255.255.0
     ip access-group 100 in
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     ip address 2.2.2.11 255.255.255.0
     ip inspect TEST in
     duplex auto
     speed auto
    !
    router eigrp 1
     network 1.1.1.11 0.0.0.0
     network 2.2.2.11 0.0.0.0
     network 200.200.200.200 0.0.0.0
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    !
    !
    access-list 100 permit eigrp any any
    access-list 100 deny ip any any
    !
    !
    !
    control-plane
    !
    !
    !
    alias exec s sho ip int brie
    alias exec sir sho ip route
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    !
    end
    
    R2#sho run
    Building configuration...
    
    Current configuration : 812 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    interface Loopback0
     ip address 150.150.150.150 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 2.2.2.12 255.255.255.0
     ip helper-address 1.1.1.10
     duplex auto
     speed auto
    !
    router eigrp 1
     network 2.2.2.12 0.0.0.0
     network 150.150.150.150 0.0.0.0
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    alias exec s sho ip int brie
    alias exec sir sho ip route
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    !
    end
    
    R2#

    On Sat, Nov 8, 2008 at 6:25 PM, Bob Sinclair <bob@bobsinclair.net> wrote:

       Jason,
      
      I copied your ACL and inspect into my routers. I can tftp THROUGH the
      inspecting box, but not from it. Maybe a typo? I am running
      2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(21)

      HTH,
      
      Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net
      Jason Madsen wrote:
      
      I'm starting to think that TFTP needs to be permitted in the outside inbound
      ACL as well. I can't really see much use in CBAC TFTP usefulness if this is
      the case though.
      
      Jason
      
      On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

       BTW, I can transfer files using HTTP too (see below). The only thing that
      won't work for me is TFTP.
      
      Someone in this group must have tried (successfully or unsuccessfully) to
      transfer a file via TFTP across a CBAC link at one time or another...there
      are just too many of us :-)
      
      any ideas?
      
      R2#copy http: flash
      Address or name of remote host [1.1.1.10]?
      Source filename [test.txt]?
      Destination filename [test.txt]?
      Erase flash: before copying? [confirm]
      Erasing the flash filesystem will remove all files! Continue? [confirm]
      Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
      Erase of flash: complete
      Loading http://1.1.1.10/test.txt !
      Verifying checksum... OK (0x3CA)
      868 bytes copied in 1.512 secs (574 bytes/sec)

      Jason

      On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

       Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
      extending the topology a bit more and sourced the request from another
      connected device, but had the same exact results. Telnet and ICMP worked
      just fine, but TFTP wouldn't work at all.
      
      Along with my debugs I enabled alerts and auditing and really didn't get
      any more info' that way either.
      
      Thanks,
      Jason

      On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:

      Jason,
      
      It looks to me like you are generating traffic from the device that is
      doing the inspecting. I do not believe that CBAC can inspect connections
      that terminate on the router; they must go through the router. Try tftp
      from a device "inside" R0.
      
      HTH,
      
      -Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net

      Jason Madsen wrote:

      Hello All,
      
      ...quick question. There are quite a lot of CBAC options available to use,
      but overall it's a pretty straightforward technology...at least that's what
      I've always thought and experienced until now. For whatever reason(s) CBAC
      doesn't seem to be allowing me to tftp. Here's the basic config' I was
      using:
      
      *R1:*
      
      tftp-server flash:test.txt
      
      int f0/0
      desc link to R0
      ip add 1.1.1.2 255.255.255.252
      
      *R0:*
      
      int f0/0
      desc link to R1
      ip add 1.1.1.1 255.255.255.252
      ip access-group 100 in
      ip inspect TEST out
      
      access-list 100 deny ip any any
      
      ip inspect name TEST tcp router-traffic
      ip inspect name TEST telnet
      ip inspect name TEST tftp
      ip inspect name TEST udp router-traffic
      ip inspect name TEST icmp router-traffic

      I am successfully able to telnet and ping to R1, but I can't get a file via
      tftp. I'm able to get a file via tftp just fine when ACL 100 is removed,
      but I can't seem to get CBAC to make an opening for it. I do know that tftp
      uses UDP (port 69) and I am using dynamips. Do you think it's possible that
      dynamips is too slow for CBAC to work with its default timers and such?
      Doesn't seem like it has anything to do with it to me...without ACL 100
      applied, the file seems to transfer across very quickly.

      debug ip inspect detail output when trying to tftp:
      
      R0(config)#do copy tftp flash
      Address or name of remote host [1.1.1.2]?
      Source filename [test.txt]?
      Destination filename [test.txt]?
      Accessing tftp://1.1.1.2/test.txt...
      *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
      %Error opening tftp://1.1.1.2/test.txt (Timed out)
      
      Here's an attempt with ACL 100 removed to validate tftp functionality:
      
      R0(config-if)#do copy tftp flash
      Address or name of remote host [1.1.1.2]?
      Source filename [test.txt]?
      Destination filename [test.txt]?
      Accessing tftp://1.1.1.2/test.txt...
      Erase flash: before copying? [confirm]
      Erasing the flash filesystem will remove all files! Continue? [confirm]
      Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
      Erase of flash: complete
      Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
      [OK - 1670 bytes]
      
      Verifying checksum... OK (0x535)
      1670 bytes copied in 1.356 secs (1232 bytes/sec)
      R0(config-if)#

      any ideas?
      
      Thanks,
      Jason

      Blogs and organic groups at http://www.ccie.net
      _______________________________________________________________________
      Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html


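Editor's note: to make the thread's underlying point concrete, here is an added Python model (not Cisco code and not posted by anyone in this thread) of why a deny-all inbound ACL plus generic UDP inspection cannot pass a TFTP transfer that goes through the router, while a TFTP-aware rule that pre-generates a session for the data channel can. The addresses and client port 55559 are taken from Jason's debug output; the server's ephemeral port 60000, the DNS-style contrast case and the wildcard-session mechanism are assumptions of the model.

```python
from dataclasses import dataclass

TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Inspector:
    """Inbound ACL is deny-all; inspecting traffic that leaves through the
    router opens return-path holes. tftp_aware adds a 'pregen' session
    (simplified model of the behaviour, not CBAC's real data structures)."""

    def __init__(self, tftp_aware: bool):
        self.tftp_aware = tftp_aware
        # (src, sport, dst, dport); sport None = any source port (pregen)
        self.sessions = set()

    def inspect_outbound(self, p: Packet) -> None:
        # Generic UDP inspection: permit only the exact reverse 4-tuple.
        self.sessions.add((p.dst, p.dport, p.src, p.sport))
        if self.tftp_aware and p.dport == TFTP_PORT:
            # A TFTP server answers from a fresh ephemeral port, so a
            # TFTP-aware inspector pre-generates a wildcard-port session.
            self.sessions.add((p.dst, None, p.src, p.sport))

    def permit_inbound(self, p: Packet) -> bool:
        # With a deny-all inbound ACL, only session matches get through.
        return ((p.src, p.sport, p.dst, p.dport) in self.sessions
                or (p.src, None, p.dst, p.dport) in self.sessions)


def tftp_exchange(tftp_aware: bool) -> bool:
    """Constructed flow using the thread's addresses: client 1.1.1.1 sends an
    RRQ to 1.1.1.2:69; the server's first DATA block comes back from port
    60000 (assumed ephemeral port). Returns whether that DATA block passes."""
    fw = Inspector(tftp_aware)
    fw.inspect_outbound(Packet("1.1.1.1", 55559, "1.1.1.2", TFTP_PORT))
    return fw.permit_inbound(Packet("1.1.1.2", 60000, "1.1.1.1", 55559))


def same_port_udp_exchange() -> bool:
    """Contrast (constructed): a UDP service that replies from the port it was
    queried on is handled by generic UDP inspection alone."""
    fw = Inspector(tftp_aware=False)
    fw.inspect_outbound(Packet("1.1.1.1", 40000, "1.1.1.2", 53))
    return fw.permit_inbound(Packet("1.1.1.2", 53, "1.1.1.1", 40000))
```

Note that the model only covers traffic transiting the inspecting router; it says nothing about transfers sourced from the router itself, which is the separate "router-traffic" question Bob raises above.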



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST