Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sun Nov 09 2008 - 00:04:58 ARST


Hi Bob,

Actually, only my first topology had "router-traffic" specified. I too
thought that I'd be able to do local requests / initiate traffic locally,
but it didn't work. I just added it to this new topology to test it again
since you mentioned it, and it still doesn't seem to work. Since in my new
topology "inspect" is applied on my downstream interface, I tried applying
it on my upstream interface, re-applying the "router-traffic" command, and
tried to tftp, but with no success.

Thanks,
Jason

On Sat, Nov 8, 2008 at 6:48 PM, Bob Sinclair <bob@bobsinclair.net> wrote:

> Jason,
>
> A kind friend pointed out to me offline that your "ip inspect name TEST udp
> router-traffic" command should allow tftp as an endpoint on the inspecting
> router. It is not working for me though. Can you TFTP from or to the
> inspecting router now?
>
> Thanks,
>
> -bob
>
> Jason Madsen wrote:
>
> Bob, you were right. In my initial setup I was trying to tftp from the CBAC
> router itself. With the new topology that I'm using I'm actually going
> through the CBAC router this time, but I forgot to enable my tftp server
> this time :-) I had it enabled the first time, hence being able to tftp
> without my ACL etc.
>
> Thanks,
> Jason
>
> On Sat, Nov 8, 2008 at 6:33 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
> very weird. my current topology is one in which i too am trying to pass
> tftp THROUGH my CBAC router and not from it. are you using "real" routers
> or dynamips too? maybe dynamips is too slow for this with the default
> timers. I'll try modifying them next. anyway, here are my 3 current
> router configs if anyone is interested.
>
> (topology is R0 (with test.txt) --> R1 (with CBAC) -- R2 (trying to tftp to
> R0))
>
> R0#sho run
> Building configuration...
>
> Current configuration : 827 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R0
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> interface Loopback0
> ip address 100.100.100.100 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 1.1.1.10 255.255.255.0
> duplex auto
> speed auto
> !
> router eigrp 1
> network 1.1.1.10 0.0.0.0
> network 100.100.100.100 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> ip http path flash:
> !
> !
> !
> !
> !
> !
> control-plane
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> password cisco
> login
> !
> !
> end
>
>
> R1#sho run
> Building configuration...
>
> Current configuration : 1313 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> ip inspect name TEST tcp alert on audit-trail on
> ip inspect name TEST udp alert on audit-trail on
> ip inspect name TEST telnet alert on audit-trail on
> ip inspect name TEST icmp alert on audit-trail on
> ip inspect name TEST tftp alert on audit-trail on
> ip inspect name TEST http alert on audit-trail on
> !
> !
> !
> interface Loopback0
> ip address 200.200.200.200 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 1.1.1.11 255.255.255.0
> ip access-group 100 in
> duplex auto
> speed auto
> !
> interface FastEthernet1/0
> ip address 2.2.2.11 255.255.255.0
> ip inspect TEST in
> duplex auto
> speed auto
> !
> router eigrp 1
> network 1.1.1.11 0.0.0.0
> network 2.2.2.11 0.0.0.0
> network 200.200.200.200 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> access-list 100 permit eigrp any any
> access-list 100 deny ip any any
> !
> !
> !
> control-plane
> !
> !
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> !
> !
> end
>
> R2#sho run
> Building configuration...
>
> Current configuration : 812 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> !
> interface Loopback0
> ip address 150.150.150.150 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 2.2.2.12 255.255.255.0
> ip helper-address 1.1.1.10
> duplex auto
> speed auto
> !
> router eigrp 1
> network 2.2.2.12 0.0.0.0
> network 150.150.150.150 0.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> alias exec s sho ip int brie
> alias exec sir sho ip route
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line aux 0
> line vty 0 4
> !
> !
> end
>
> R2#
>
>
>
> On Sat, Nov 8, 2008 at 6:25 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>
> Jason,
>
> I copied your ACL and inspect into my routers. I can tftp THROUGH the
> inspecting box, but not from it. Maybe a typo? I am running
> 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(21)
>
>
>
> HTH,
>
> Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net
>
>
> Jason Madsen wrote:
>
> I'm starting to think that TFTP needs to be permitted in the outside inbound
> ACL as well. I can't really see much use in CBAC TFTP usefulness if this is
> the case though.
>
> Jason
>
> On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
> BTW, I can transfer files using HTTP too (see below). The only thing that
> won't work for me is TFTP.
>
> Someone in this group must have tried (successfully or unsuccessfully) to
> transfer a file via TFTP across a CBAC link at one time or another...there
> are just too many of us :-)
>
> any ideas?
>
> R2#copy http: flash
> Address or name of remote host [1.1.1.10]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
> Erase of flash: complete
> Loading http://1.1.1.10/test.txt !
> Verifying checksum... OK (0x3CA)
> 868 bytes copied in 1.512 secs (574 bytes/sec)
>
>
> Jason
>
>
> On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
> extending the topology a bit more and sourced the request from another
> connected device, but had the same exact results. Telnet and ICMP worked
> just fine, but TFTP wouldn't work at all.
>
> Along with my debugs I enabled alerts and auditing and really didn't get
> any more info' that way either.
>
> Thanks,
> Jason
>
>
> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>
> Jason,
>
> It looks to me like you are generating traffic from the device that is
> doing the inspecting. I do not believe that CBAC can inspect connections
> that terminate on the router; they must go through the router. Try tftp
> from a device "inside" R0.
>
> HTH,
>
> -Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net
>
>
>
> Jason Madsen wrote:
>
>
>
> Hello All,
>
> ...quick question. There are quite a lot of CBAC options available to use,
> but overall it's a pretty straightforward technology...at least that's what
> I've always thought and experienced until now. For whatever reason(s) CBAC
> doesn't seem to be allowing me to tftp. Here's the basic config' I was using:
>
> *R1:*
>
> tftp-server flash:test.txt
>
> int f0/0
> desc link to R0
> ip add 1.1.1.2 255.255.255.252
>
> *R0:*
>
> int f0/0
> desc link to R1
> ip add 1.1.1.1 255.255.255.252
> ip access-group 100 in
> ip inspect TEST out
>
> access-list 100 deny ip any any
>
> ip inspect name TEST tcp router-traffic
> ip inspect name TEST telnet
> ip inspect name TEST tftp
> ip inspect name TEST udp router-traffic
> ip inspect name TEST icmp router-traffic
>
>
>
> I am successfully able to telnet and ping to R1, but I can't get a file via
> tftp. i'm able to get a file via tftp just fine when ACL 100 is removed,
> but I can't seem to get CBAC to make an opening for it. I do know that tftp
> uses UDP (port 69) and i am using dynamips. do you think it's possible that
> dynamips is too slow for CBAC to work with its default timers and such?
> doesn't seem like it has anything to do with it to me...without ACL 100
> applied, the file seems to transfer across very quickly.
>
>
> debug ip inspect detail output when trying to tftp:
>
> R0(config)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>
> Here's an attempt with ACL 100 removed to validate tftp functionality:
>
> R0(config-if)#do copy tftp flash
> Address or name of remote host [1.1.1.2]?
> Source filename [test.txt]?
> Destination filename [test.txt]?
> Accessing tftp://1.1.1.2/test.txt...
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
> Erase of flash: complete
> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
> [OK - 1670 bytes]
>
> Verifying checksum... OK (0x535)
> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
> R0(config-if)#
>
>
> any ideas?
>
> Thanks,
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:http://www.groupstudy.com/list/CCIELab.html
>

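As an added illustration (not code from this thread or from Cisco IOS), the toy inspector below models the property that makes TFTP awkward for stateful filtering: the client's read request goes to UDP/69, but the server answers from a fresh ephemeral port, so a session entry that only accepts the exact reverse of the request (the plain `udp` inspection model) never matches the DATA packets, while a TFTP-aware entry that learns the server's data port does. Addresses and the client port follow the debug line in the thread; the server's data port 49152 and the packet contents are constructed.

```python
import struct
from collections import namedtuple

# Constructed scenario: client 1.1.1.1:55559 -> server 1.1.1.2:69 as in the thread's
# debug output; the server data port (49152) and payloads are invented for the demo.
Pkt = namedtuple("Pkt", "src sport dst dport payload")
TFTP_PORT, OP_RRQ, OP_WRQ, OP_DATA = 69, 1, 2, 3

def parse_request(payload):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ (RFC 1350), else None."""
    if len(payload) < 4:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:  # filename NUL mode NUL -> at least 3 pieces
        return None
    return op, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

class Inspector:
    """Tracks outbound flows; an inbound packet passes only if it matches state or a pinhole."""
    def __init__(self, tftp_aware):
        self.tftp_aware = tftp_aware
        self.sessions = set()   # expected reply 5-tuples: exact reverse match, like plain UDP inspect
        self.pinholes = set()   # (server, client, client_port): server may answer from any port

    def outbound(self, p):
        self.sessions.add((p.dst, p.dport, p.src, p.sport))
        if self.tftp_aware and p.dport == TFTP_PORT and parse_request(p.payload):
            self.pinholes.add((p.dst, p.src, p.sport))
        return True

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.sessions:
            return True
        if (p.src, p.dst, p.dport) in self.pinholes:
            # First reply reveals the server's data port; track it as a normal session from now on.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False  # falls through to the interface ACL's "deny ip any any"

def run_transfer(tftp_aware):
    """Replay one RRQ and the server's first DATA block; return (request_passed, data_passed)."""
    insp = Inspector(tftp_aware)
    rrq = struct.pack("!H", OP_RRQ) + b"test.txt\x00octet\x00"
    data1 = struct.pack("!HH", OP_DATA, 1) + b"constructed payload"
    sent = insp.outbound(Pkt("1.1.1.1", 55559, "1.1.1.2", TFTP_PORT, rrq))
    # Per RFC 1350 the server replies from a new ephemeral port (49152 here), not from 69.
    got = insp.inbound(Pkt("1.1.1.2", 49152, "1.1.1.1", 55559, data1))
    return sent, got
```

With `tftp_aware=False` the request leaves but the DATA block is dropped, which is the "Timed out" symptom; with `tftp_aware=True` both pass.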



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST