From: Jason Madsen (madsen.jason@gmail.com)
Date: Sun Nov 09 2008 - 00:18:13 ARST
Bob,
Yep, you're right. I can telnet from the inspecting router, but not tftp.
I thought it might only be a UDP thing or more specifically a TFTP thing,
but I can't transfer from the inspecting router via HTTP either. I can
THROUGH it though. I guess CBAC has its quirks when trying to initiate
traffic / requests from the inspecting router. I will definitely have to
keep that in mind with any designs...especially in a lab.
Thanks for all of your help,
Jason
On Sat, Nov 8, 2008 at 7:10 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
> Jason,
>
> When I try to TFTP from the inspecting router it fails, and I get this
> output from "debug ip inspect udp"
>
> Nov 8 21:06:11.858: FIREWALL UDP: sis 45C264CC pak 4539FC90 SIS_OPENING
> UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
> Nov 8 21:06:15.858: FIREWALL UDP: sis 45C264CC pak 4539F588 SIS_OPENING
> UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
>
> It looks to me like the "udp router-traffic" option does not take the tftp
> dynamic ports into account.
>
> In my case 172.110.123.2 is the source and 123.1 is the tftp destination.
> When I tftp THROUGH the inspecting router I get this output from debug ip
> inspect tftp:
>
> Nov 8 21:14:42.076: TFTP DATA Channel 45C26C4C state SIS_OPENING
> Nov 8 21:14:42.076: TFTP Code : DATA, packet length : 516
> Nov 8 21:14:42.080: TFTP DATA Channel 45C26C4C state SIS_OPEN
> Nov 8 21:14:42.080: TFTP Code : ACK
>
> But when I tftp FROM the inspecting router I get no response from debug ip
> inspect tftp.
>
> It looks to me like the router treats self-generated tftp as if it was
> regular UDP, and does not take dynamic ports into account.
>
> -Bob Sinclair CCIE 10427 CCSI 30427
> www.netmasterclass.net
>
>
> Jason Madsen wrote:
>
>> Why wouldn't CBAC allow for me to tftp from the CBAC router in my first
>> topology though? I know my current configurations wouldn't work that way
>> because I have my ACL and my inspect application on two different
>> interfaces, but in my first example I had them both on the one outside
>> interface? I even had a session when I did "sho ip inspec ses"...just no
>> tftp transfer.
>>
>> Thanks,
>> Jason
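As an added example (not from the thread or from Cisco), a small Python triage script that parses the kind of "debug ip inspect udp" / "debug ip inspect tftp" output Bob quotes and flags sessions to UDP port 69 that the generic UDP inspector never moved out of SIS_OPENING, i.e. router-originated TFTP that is not being followed onto the server's dynamic data port. The sample lines are constructed from the ones quoted above, and the regexes assume exactly those debug line formats.

```python
import re

# Constructed sample, modelled on the debug lines quoted in the thread:
# the first two are generic UDP inspection of router-originated TFTP
# (retried, still SIS_OPENING); the last two are TFTP inspection of a
# flow transiting the router, which reaches SIS_OPEN.
SAMPLE_DEBUG = """\
Nov 8 21:06:11.858: FIREWALL UDP: sis 45C264CC pak 4539FC90 SIS_OPENING UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
Nov 8 21:06:15.858: FIREWALL UDP: sis 45C264CC pak 4539F588 SIS_OPENING UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
Nov 8 21:14:42.076: TFTP DATA Channel 45C26C4C state SIS_OPENING
Nov 8 21:14:42.080: TFTP DATA Channel 45C26C4C state SIS_OPEN
"""

# Line shapes assumed from the quoted output (generic UDP and TFTP inspectors).
UDP_RE = re.compile(r"FIREWALL UDP: sis (?P<sis>\w+) pak \w+ (?P<state>SIS_\w+)\s+"
                    r"UDP packet \((?P<src>[\d.]+):(?P<sport>\d+)\) => "
                    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)")
TFTP_RE = re.compile(r"TFTP DATA Channel (?P<sis>\w+) state (?P<state>SIS_\w+)")


def parse_sessions(debug_text):
    """Group debug lines by CBAC session id (sis); record which inspector
    logged it, the sequence of states seen, and the destination port."""
    sessions = {}
    for line in debug_text.splitlines():
        inspector, m = "udp", UDP_RE.search(line)
        if not m:
            inspector, m = "tftp", TFTP_RE.search(line)
        if not m:
            continue  # e.g. "TFTP Code : DATA" lines carry no session state
        s = sessions.setdefault(m["sis"], {"inspector": inspector,
                                           "states": [], "dport": None})
        s["states"].append(m["state"])
        if inspector == "udp":
            s["dport"] = int(m["dport"])
    return sessions


def find_untracked_tftp(sessions):
    """Session ids whose traffic to port 69 was handled by the generic UDP
    inspector and never reached SIS_OPEN: the symptom of router-originated
    TFTP that 'udp router-traffic' inspection does not track on the
    server's dynamic reply port."""
    return sorted(sid for sid, s in sessions.items()
                  if s["inspector"] == "udp" and s["dport"] == 69
                  and "SIS_OPEN" not in s["states"])


if __name__ == "__main__":
    print(find_untracked_tftp(parse_sessions(SAMPLE_DEBUG)))
```

Feed it the captured debug text instead of SAMPLE_DEBUG; a transit TFTP flow shows up under the TFTP inspector and is not reported.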
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST