08-10-2007 11:41 AM - edited 03-05-2019 05:50 PM
Can anyone help me write an acl to allow tftp access between these subnets:
10.1.21.0
10.1.33.0
10.1.31.0
10.1.45.0
10.1.34.0
10.1.41.0
10.1.42.0
10.1.44.0
and this box - 10.1.255.250
Thanks so much!!
Becky
08-10-2007 11:49 AM
Hi Becky
A little more information would help, but assuming that all the above networks have a Class C subnet mask:
access-list 101 permit udp 10.1.21.0 255.255.255.0 host 10.1.255.250 eq tftp
access-list 101 permit udp 10.1.31.0 255.255.255.0 host 10.1.255.250 eq tftp
etc...
Then you need to apply it to the interface that is connected to the 10.1.255.250 subnet eg
int fa0/1
ip access-group 101 out
You apply it in an outbound direction.
One thing to be aware of is that there is an implicit deny at the end of any access-list so if you apply this access-list the ONLY traffic allowed onto that subnet (10.1.255.0/24) is tftp traffic from those subnets to that specific host which is maybe not what you want.
This has given you an idea of how to do access-lists etc., but before you try and implement anything could you come back with the full set of requirements, i.e.
1) subnets masks
2) what other traffic you would like to allow/deny onto the 10.1.255.0/24 subnet.
Jon
08-10-2007 02:15 PM
Hi Jon,
The reason I am asking is because I have a Wireless LAN Solution Engine (10.1.255.250) and am trying to back up the config of my Access Points, and when trying to run the Archive Job it fails, stating that I should make sure TFTP traffic is allowed between the WLSE and the APs.
Becky
08-10-2007 02:24 PM
Becky,
I believe Jon accidentally put the subnet mask instead of the wildcard mask in the ACL and I don't know if that's the configuration you used which would have resulted in communication failure with the TFTP server. Reconfigure like this.
access-list 101 permit udp 10.1.21.0 0.0.0.255 host 10.1.255.250 eq tftp
access-list 101 permit udp 10.1.31.0 0.0.0.255 host 10.1.255.250 eq tftp
HTH
Sundar
08-10-2007 03:02 PM
Hi Sundar
Yep, my mistake. I just finished posting a message on the firewalling forum, wish they would standardise pix and IOS access-lists :).
Apologies Becky, rather basic error to make.
Jon
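The two points made in this thread (Jon's implicit deny at the end of every access-list, and Sundar's wildcard-mask correction) can be checked offline before the ACL is pasted into a router. The following Python is an added example written for this page, not code from any of the posters or from Cisco: it generates the permit lines for the subnets in the question with the wildcard mask derived from the prefix length, and evaluates an extended numbered ACL the way IOS does (top-down, first match wins, implicit deny when nothing matches). The host addresses used in the sample checks are constructed; only the subnets and the WLSE address 10.1.255.250 come from the thread.

```python
import ipaddress

# Port names IOS accepts after "eq"; only the ones needed for this example.
PORT_NAMES = {"tftp": 69, "snmp": 161, "domain": 53}


def wildcard_mask(prefix_len):
    """IOS wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def build_tftp_acl(number, subnets, server, prefix_len=24):
    """One permit line per source subnet: UDP to the TFTP server, destination port 69."""
    wc = wildcard_mask(prefix_len)
    return [f"access-list {number} permit udp {s} {wc} host {server} eq tftp"
            for s in subnets]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' starting at tokens[i]; return ((net, wildcard), next)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def _matches(addr, net, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the network field.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ net) & care == 0


def acl_permits(acl_lines, src, dst, proto, dport=None):
    """Evaluate a numbered extended ACL top-down for one packet; True if a permit ACE matches."""
    for line in acl_lines:
        t = line.split()
        # access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
        action, ace_proto = t[2], t[3]
        (snet, swc), i = _parse_addr(t, 4)
        (dnet, dwc), i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        if ace_proto not in ("ip", proto):
            continue
        if not (_matches(src, snet, swc) and _matches(dst, dnet, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS access-list


if __name__ == "__main__":
    subnets = ["10.1.21.0", "10.1.33.0", "10.1.31.0", "10.1.45.0",
               "10.1.34.0", "10.1.41.0", "10.1.42.0", "10.1.44.0"]
    acl = build_tftp_acl(101, subnets, "10.1.255.250")
    print("\n".join(acl))
    # 10.1.21.7 is a constructed AP address inside the first subnet.
    print(acl_permits(acl, "10.1.21.7", "10.1.255.250", "udp", 69))   # True
    print(acl_permits(acl, "10.1.21.7", "10.1.255.250", "tcp", 22))   # False: implicit deny
    # The subnet-mask version from the first reply: 255.255.255.0 as a wildcard means
    # "ignore the first three octets, require the last octet to be 0", so real hosts never match.
    wrong = ["access-list 101 permit udp 10.1.21.0 255.255.255.0 host 10.1.255.250 eq tftp"]
    print(acl_permits(wrong, "10.1.21.7", "10.1.255.250", "udp", 69))  # False
```

Running the evaluator against the mistaken line shows concretely why the archive job would fail: with 255.255.255.0 in the wildcard position the entry only matches sources whose last octet is 0, which no AP will have. One further caveat for a stateless ACL like this: TFTP (RFC 1350) only uses port 69 for the initial read/write request; the server answers from a freshly chosen port and the client sends the rest of the transfer to that port, so a line matching `eq tftp` alone permits the request but not the data packets that follow. On IOS that is normally handled by having the router inspect TFTP (so the return flow is opened dynamically) or by permitting UDP between the AP subnets and the host without a port restriction.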