From: Jason Madsen (madsen.jason@gmail.com)
Date: Sun Nov 09 2008 - 00:19:36 ARST
Sorry, I spoke too soon. I can now transfer via HTTP...initiating the
request from the inspecting router. Maybe it is just a UDP or TFTP thing.
I think I need a break :-)
Jason
On Sat, Nov 8, 2008 at 7:18 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
> Bob,
>
> Yep, you're right. I can telnet from the inspecting router, but not tftp.
> I thought it might only be a UDP thing or more specifically a TFTP thing,
> but I can't transfer from the inspecting router via HTTP either. I can
> transfer THROUGH it though. I guess CBAC has its quirks when trying to
> initiate traffic / requests from the inspecting router. I will definitely
> have to keep that in mind with any designs...especially in a lab.
>
> Thanks for all of your help,
> Jason
>
>
> On Sat, Nov 8, 2008 at 7:10 PM, Bob Sinclair <bob@bobsinclair.net> wrote:
>
>> Jason,
>>
>> When I try to TFTP from the inspecting router it fails, and I get this
>> output from "debug ip inspect udp"
>>
>> Nov 8 21:06:11.858: FIREWALL UDP: sis 45C264CC pak 4539FC90 SIS_OPENING
>> UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
>> Nov 8 21:06:15.858: FIREWALL UDP: sis 45C264CC pak 4539F588 SIS_OPENING
>> UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
>>
>> It looks to me like the "udp router-traffic" option does not take the tftp
>> dynamic ports into account.
>>
>> In my case 172.110.123.2 is the source and 123.1 is the tftp destination.
>>
>> When I tftp THROUGH the inspecting router I get this output from debug ip
>> inspect tftp:
>>
>> Nov 8 21:14:42.076: TFTP DATA Channel 45C26C4C state SIS_OPENING
>> Nov 8 21:14:42.076: TFTP Code : DATA, packet length : 516
>> Nov 8 21:14:42.080: TFTP DATA Channel 45C26C4C state SIS_OPEN
>> Nov 8 21:14:42.080: TFTP Code : ACK
>>
>> But when I tftp FROM the inspecting router I get no response from debug ip
>> inspect tftp.
>>
>> It looks to me like the router treats self-generated tftp as if it were
>> regular UDP, and does not take dynamic ports into account.
>>
>> -Bob Sinclair CCIE 10427 CCSI 30427
>> www.netmasterclass.net
>>
>>
>> Jason Madsen wrote:
>>
>>> Why wouldn't CBAC allow me to tftp from the CBAC router in my first
>>> topology though? I know my current configurations wouldn't work that way
>>> because I have my ACL and my inspect application on two different
>>> interfaces, but in my first example I had them both on the one outside
>>> interface. I even had a session when I did "sho ip inspec ses"...just no
>>> tftp transfer.
>>>
>>> Thanks,
>>> Jason
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST
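Bob's two debug excerpts, read as a small triage aid: this is an added Python example, not code from the thread, that parses the "debug ip inspect udp" and "debug ip inspect tftp" lines quoted above (assuming each mail-wrapped "FIREWALL UDP" entry is re-joined onto one line) and reports which CBAC sessions never progress past SIS_OPENING, which is what a self-originated TFTP looks like versus the through-traffic TFTP channel that reaches SIS_OPEN.

```python
import re
from collections import defaultdict

# Constructed sample input: the thread's debug output, one entry per line
# (the mail client had wrapped each "FIREWALL UDP" entry over two lines).
DEBUG_UDP = """\
Nov 8 21:06:11.858: FIREWALL UDP: sis 45C264CC pak 4539FC90 SIS_OPENING UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
Nov 8 21:06:15.858: FIREWALL UDP: sis 45C264CC pak 4539F588 SIS_OPENING UDP packet (172.110.123.2:54326) => (172.110.123.1:69) datalen 16
"""
DEBUG_TFTP = """\
Nov 8 21:14:42.076: TFTP DATA Channel 45C26C4C state SIS_OPENING
Nov 8 21:14:42.076: TFTP Code : DATA, packet length : 516
Nov 8 21:14:42.080: TFTP DATA Channel 45C26C4C state SIS_OPEN
Nov 8 21:14:42.080: TFTP Code : ACK
"""

# Generic UDP inspect entry: session id, state and the 5-tuple of the packet.
UDP_RE = re.compile(
    r"FIREWALL UDP: sis (?P<sis>[0-9A-F]+) pak \S+ (?P<state>SIS_\w+) "
    r"UDP packet \((?P<src>[\d.]+):(?P<sport>\d+)\) => "
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)")
# TFTP application-inspection entry: the dynamic data channel and its state.
TFTP_RE = re.compile(r"TFTP DATA Channel (?P<sis>[0-9A-F]+) state (?P<state>SIS_\w+)")


def track_sessions(debug_text):
    """Group debug lines by CBAC session id.

    Returns {sis: {"states": [...], "flow": (src, sport, dst, dport) or None,
    "packets": number of entries seen}}. TFTP channel lines carry no 5-tuple.
    """
    sessions = defaultdict(lambda: {"states": [], "flow": None, "packets": 0})
    for line in debug_text.splitlines():
        m = UDP_RE.search(line) or TFTP_RE.search(line)
        if not m:
            continue  # e.g. "TFTP Code : ACK" lines carry no session id
        s = sessions[m["sis"]]
        s["states"].append(m["state"])
        s["packets"] += 1
        if "src" in m.groupdict():
            s["flow"] = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return dict(sessions)


def stuck_openings(debug_text):
    """Session ids only ever seen in SIS_OPENING: the router kept sending
    (note the 4-second retransmit) but no reply was ever matched to the session."""
    return sorted(sis for sis, s in track_sessions(debug_text).items()
                  if "SIS_OPEN" not in s["states"])
```

A session that stays in SIS_OPENING with a destination port of 69 and repeated packets is the signature of the self-originated TFTP case Bob describes; the same session reaching SIS_OPEN means the return traffic was matched.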