Re: TFTP Not Working W CBAC for some reason

From: Bob Sinclair (bob@bobsinclair.net)
Date: Sun Nov 09 2008 - 00:10:35 ARST


Jason,

When I try to TFTP from the inspecting router it fails, and I get this
output from "debug ip inspect udp":

Nov 8 21:06:11.858: FIREWALL UDP: sis 45C264CC pak 4539FC90 SIS_OPENING
UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
Nov 8 21:06:15.858: FIREWALL UDP: sis 45C264CC pak 4539F588 SIS_OPENING
UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16

It looks to me like the "udp router-traffic" option does not take the
tftp dynamic ports into account.

In my case 172.110.123.2 is the source and 123.1 is the tftp destination.

When I tftp THROUGH the inspecting router I get this output from "debug
ip inspect tftp":

Nov 8 21:14:42.076: TFTP DATA Channel 45C26C4C state SIS_OPENING
Nov 8 21:14:42.076: TFTP Code : DATA, packet length : 516
Nov 8 21:14:42.080: TFTP DATA Channel 45C26C4C state SIS_OPEN
Nov 8 21:14:42.080: TFTP Code : ACK

But when I tftp FROM the inspecting router I get no response from "debug
ip inspect tftp".

It looks to me like the router treats self-generated tftp as if it was
regular UDP, and does not take dynamic ports into account.

-Bob Sinclair CCIE 10427 CCSI 30427
www.netmasterclass.net

Jason Madsen wrote:
> Why wouldn't CBAC allow for me to tftp from the CBAC router in my first
> topology though? I know my current configurations wouldn't work that way
> because I have my ACL and my inspect application on two different
> interfaces, but in my first example I had them both on the one outside
> interface? I even had a session when I did "sho ip inspec ses"...just no
> tftp transfer.
>
> Thanks,
> Jason

Blogs and organic groups at http://www.ccie.net
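The difference the thread is circling around is what a stateful inspector must know about TFTP: the client sends its RRQ/WRQ from an ephemeral port to UDP/69, but the server answers from a fresh ephemeral port (its transfer ID), so a session keyed on the exact reverse of the request tuple never matches the DATA packet and the client just retransmits the request. The Python below is an added model of the two behaviours described in the post, not code from the post or from Cisco IOS: a generic "udp" inspector that remembers only the 5-tuple, and a "tftp" inspector that parses the request, pre-opens a data channel, and pins the server's TID on the first reply. The addresses and client port are taken from Bob's debug output; the server TID, the filename and the 512-byte payload are constructed sample values.

```python
"""Model of generic UDP inspection vs TFTP-aware inspection (illustrative, not IOS code)."""
import struct
from dataclasses import dataclass

# Endpoints taken from the debug output in the post; the server's transfer ID
# (the ephemeral port it answers from) is a constructed value.
CLIENT, CLIENT_PORT = "172.110.123.2", 54326
SERVER, TFTP_PORT = "172.110.123.1", 69
SERVER_TID = 49153

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def tftp_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_data(block: int, data: bytes) -> bytes:
    """DATA packet: a full 512-byte block gives the 516-byte length seen in the debug."""
    return struct.pack("!HH", OP_DATA, block) + data


def tftp_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def tftp_opcode(payload: bytes) -> int:
    return struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else 0


class UdpInspector:
    """Generic 'udp' inspection: remember the exact 5-tuple of each outbound
    packet and admit only its exact reverse. Nothing in the payload is read."""

    def __init__(self) -> None:
        self.sessions: dict[tuple, str] = {}

    def outbound(self, p: Pkt) -> bool:
        self.sessions.setdefault((p.src, p.sport, p.dst, p.dport), "SIS_OPENING")
        return True

    def inbound(self, p: Pkt) -> bool:
        key = (p.dst, p.dport, p.src, p.sport)  # reverse of the outbound tuple
        if key not in self.sessions:
            return False
        self.sessions[key] = "SIS_OPEN"
        return True


class TftpInspector(UdpInspector):
    """'tftp' inspection: parse RRQ/WRQ sent to port 69 and pre-open a data channel
    whose server-side port is unknown until the server's first reply, then pin it."""

    def __init__(self) -> None:
        super().__init__()
        self.channels: dict[tuple, dict] = {}

    def outbound(self, p: Pkt) -> bool:
        super().outbound(p)
        if p.dport == TFTP_PORT and tftp_opcode(p.payload) in (OP_RRQ, OP_WRQ):
            self.channels[(p.src, p.sport, p.dst)] = {"tid": None, "state": "SIS_OPENING"}
        return True

    def inbound(self, p: Pkt) -> bool:
        if super().inbound(p):
            return True
        ch = self.channels.get((p.dst, p.dport, p.src))
        if ch is None or tftp_opcode(p.payload) not in (OP_DATA, OP_ACK, OP_ERROR):
            return False
        if ch["tid"] is None:           # first reply fixes the server's TID
            ch["tid"], ch["state"] = p.sport, "SIS_OPEN"
            return True
        return p.sport == ch["tid"]     # later packets must come from that TID


def simulate_read(inspector: UdpInspector) -> dict:
    """Client reads one block; records which inbound packets the inspector admitted."""
    out = {}
    inspector.outbound(Pkt(CLIENT, CLIENT_PORT, SERVER, TFTP_PORT, tftp_rrq("startup.cfg")))
    data1 = Pkt(SERVER, SERVER_TID, CLIENT, CLIENT_PORT, tftp_data(1, b"A" * 512))
    out["data1"] = inspector.inbound(data1)
    if out["data1"]:
        inspector.outbound(Pkt(CLIENT, CLIENT_PORT, SERVER, SERVER_TID, tftp_ack(1)))
    # A DATA packet from some other port once the TID is pinned must be dropped.
    stray = Pkt(SERVER, SERVER_TID + 1, CLIENT, CLIENT_PORT, tftp_data(2, b"B" * 512))
    out["stray"] = inspector.inbound(stray)
    return out


if __name__ == "__main__":
    print("udp  inspection:", simulate_read(UdpInspector()))
    print("tftp inspection:", simulate_read(TftpInspector()))
```

With the generic inspector the first DATA packet is dropped and the request session never leaves SIS_OPENING, which is the pattern in the "debug ip inspect udp" output above (the same request repeated a few seconds apart). With the TFTP-aware inspector the channel goes SIS_OPENING to SIS_OPEN on the first DATA packet, matching the "debug ip inspect tftp" output. The model also shows the caveat worth keeping in mind with any TFTP-aware firewall: until the first reply arrives, the channel accepts that reply from any source port on the server address, so the pinning only protects the transfer after it has started.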



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST