TFTP over PIX to PIX IPSec VPN?

Unanswered Question
Aug 20th, 2007

Hi all,

I am trying to use TFTP to copy a capture off of a remote PIX to a TFTP server that is located on the HQ private LAN. An IPSec tunnel exists between the two sites, and I have added the outside interface of the remote PIX to the VPN. The server is pingable from the remote PIX, but the TFTP session will not connect.

The remote PIX is running PIX OS 6.3(1) and the HQ PIX is running 7.2(1).

I have seen some similar queries on these forums over the last couple of years, but no definitive answers. If anyone can give me a hand here, I'd greatly appreciate it.

Thanks in advance,

Ryan

ryandibble Mon, 08/20/2007 - 12:18

Yes, I've tried that. Unfortunately, that did not seem to help.

winagents Tue, 08/21/2007 - 22:13

Hi Ryan,

TFTP uses random UDP ports to transfer data. This protocol uses UDP port 69 only to initiate the transfer. To enable TFTP in your network, please try the following:

1. Configure TFTP fixup on both firewalls using the following command:

fixup protocol tftp 69

2. Enable traffic to the server's UDP port 69 from your remote firewall.

3. Specify the TFTP server address on the remote firewall using the 'tftp-server' command.

If that does not help, try permitting _all_ UDP traffic in both directions between your remote PIX and the server. If you don't want to open all UDP ports, you can use a TFTP server which supports data transfer through UDP port 69 only (for example, the TFTP server which we develop does this). It is enough to open only UDP port 69 in this case.

--

Sincerely

Oleg Malkov

WinAgents Software Group
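The point in the reply above (port 69 only starts the transfer; the server then answers from a port of its own choosing, its transfer identifier or TID) is easy to model. The following is an added example, not code from the thread and not Cisco's implementation: a small Python model of the WRQ upload a PIX performs when it copies a capture to a TFTP server, pushed through two firewall policies. `StaticPinhole` stands in for an ACL or a UDP connection entry that only knows about port 69; `TftpInspector` stands in for what a TFTP-aware inspection (`fixup protocol tftp` on 6.3, the `inspect tftp` policy-map action on 7.x) has to track. The addresses, ports and file name are made up for the example.

```python
"""Why a permit for UDP/69 alone does not carry a TFTP transfer through a
firewall, and what TFTP-aware inspection tracks instead.
Added example; addresses, ports and the file name are made up."""
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4


def tftp_request(opcode, filename, mode="octet"):
    """RRQ (1) or WRQ (2): opcode, filename, NUL, mode, NUL (RFC 1350)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_data(block, payload):
    """DATA: opcode 3, block number, up to 512 bytes; a short block is the last."""
    return struct.pack("!HH", OP_DATA, block) + payload


def tftp_ack(block):
    """ACK: opcode 4, block number (ACK 0 answers a WRQ)."""
    return struct.pack("!HH", OP_ACK, block)


def opcode_of(payload):
    return struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None


def udp(src_ip, sport, dst_ip, dport, payload):
    """A datagram as the firewall sees it."""
    return (src_ip, sport, dst_ip, dport, payload)


class StaticPinhole:
    """A plain UDP/69 permit (or a UDP connection entry without TFTP inspection):
    only client -> server:69 and server:69 -> client pass."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip

    def allow(self, pkt):
        src_ip, sport, dst_ip, dport, _ = pkt
        if (src_ip, dst_ip) == (self.client_ip, self.server_ip):
            return dport == TFTP_PORT
        if (src_ip, dst_ip) == (self.server_ip, self.client_ip):
            return sport == TFTP_PORT
        return False


class TftpInspector:
    """TFTP-aware inspection: a RRQ/WRQ to port 69 opens a pending entry for the
    client's port; the server's first reply, from whatever source port it picks
    (its TID), binds that port; traffic between the two bound ports then passes
    until the final short DATA block has been acknowledged."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pending = set()   # client ports with a request outstanding
        self.bound = {}        # client port -> server TID
        self.finishing = {}    # client port -> block number of the last DATA

    def allow(self, pkt):
        src_ip, sport, dst_ip, dport, payload = pkt
        op = opcode_of(payload)
        if (src_ip, dst_ip) == (self.client_ip, self.server_ip):
            if dport == TFTP_PORT and op in (OP_RRQ, OP_WRQ):
                self.pending.add(sport)
                return True
            cport, server_tid = sport, dport
        elif (src_ip, dst_ip) == (self.server_ip, self.client_ip):
            cport, server_tid = dport, sport
            if cport in self.pending:          # first reply binds the server's TID
                self.pending.discard(cport)
                self.bound[cport] = server_tid
        else:
            return False
        if self.bound.get(cport) != server_tid:
            return False
        self._track_end(cport, op, payload)
        return True

    def _track_end(self, cport, op, payload):
        block = struct.unpack("!H", payload[2:4])[0]
        if op == OP_DATA and len(payload) - 4 < 512:
            self.finishing[cport] = block            # short block: transfer ending
        elif op == OP_ACK and self.finishing.get(cport) == block:
            del self.bound[cport]                    # final ACK seen: close the pinhole
            del self.finishing[cport]


def wrq_exchange(client_ip, client_port, server_ip, server_tid):
    """The six datagrams of a two-block upload (WRQ), constructed sample input."""
    def c2s(dport, p):
        return udp(client_ip, client_port, server_ip, dport, p)

    def s2c(sport, p):
        return udp(server_ip, sport, client_ip, client_port, p)
    return [
        c2s(TFTP_PORT, tftp_request(OP_WRQ, "capture.cap")),
        s2c(server_tid, tftp_ack(0)),
        c2s(server_tid, tftp_data(1, b"\x00" * 512)),
        s2c(server_tid, tftp_ack(1)),
        c2s(server_tid, tftp_data(2, b"\x00" * 100)),   # short block: last one
        s2c(server_tid, tftp_ack(2)),
    ]


def verdicts(policy, packets):
    return [policy.allow(p) for p in packets]


if __name__ == "__main__":
    PIX, SERVER = "10.2.0.1", "10.1.0.5"                # remote PIX, HQ TFTP server (made up)
    normal = wrq_exchange(PIX, 49152, SERVER, 3501)      # server picks TID 3501
    port69 = wrq_exchange(PIX, 49152, SERVER, TFTP_PORT)  # server that answers from 69
    print("pinhole, random TID:", verdicts(StaticPinhole(PIX, SERVER), normal))
    print("fixup,   random TID:", verdicts(TftpInspector(PIX, SERVER), normal))
    print("pinhole, TID 69    :", verdicts(StaticPinhole(PIX, SERVER), port69))
```

With the static pinhole only the WRQ itself gets through; the server's ACK 0 arrives from port 3501, matches no permitted pair, and the transfer stalls, which is the symptom in the opening post. With inspection, or with a server that answers from port 69 as the reply suggests, every datagram passes. The same port mismatch applies to the crypto ACL that selects traffic for the tunnel: if it matches only UDP/69 between the two hosts, the datagrams on the server's TID are not interesting traffic and will not be encrypted, so that ACL should match the host pair rather than the port.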

ryandibble Wed, 08/22/2007 - 09:26

Thanks for the suggestions, Oleg, but I don't think this will help me out. I need the TFTP transmission to be within the confines of the already-established VPN tunnel, as I don't want to send the capture unencrypted across the Internet.

-Ryan
