Is there something in my ACL blocking tftp?

Unanswered Question
Nov 6th, 2009

Here is the access-list running on a VPN 1811 router. The user can't TFTP to our local server 192.168.117.29.

access-list 1 permit 192.168.157.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 192.168.157.0 0.0.0.255
access-list 2 deny any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 25 permit 192.168.0.0 0.0.255.255
access-list 101 permit udp ...213.176.0 0.0.0.255 any eq 10000
access-list 101 permit udp xxx176.0 0.0.0.255 any eq non500-isakmp
access-list 101 permit udp xxxx76.0 0.0.0.255 any eq isakmp
access-list 101 permit esp xxxx.0 0.0.0.255 any
access-list 101 permit ahp xxxx 0.0.0.255 any
access-list 101 permit udp xxx72.0 0.0.0.255 any eq 10000
access-list 101 permit udp xxxx72.0 0.0.0.255 any eq non500-isakmp
access-list 101 permit udp xxx72.0 0.0.0.255 any eq isakmp
access-list 101 permit esp xxxx.0 0.0.0.255 any
access-list 101 permit ahp xxx0 0.0.0.255 any
access-list 101 permit udp host 195.6.1.1 eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 is applied to the outside interface "in"

access-list 100 is applied to vlan interfaces "in"

Richard Burts Fri, 11/06/2009 - 09:37

Richard

There is no statement in access list 101 that permits TFTP, and access list 101 has deny ip any any at its bottom. As you may remember, in access lists that end with deny ip any any, anything that is not permitted is denied.

So yes, your access list is denying the TFTP traffic.

HTH

Rick
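As an added illustration of Rick's point (example code, not from the thread or from Cisco): a small Python evaluator that applies the first-match, implicit-deny semantics of a numbered extended ACL to a TFTP request and reports which line catches it. The remote PC address 192.168.157.10 and the source port are assumed, and the ACL text is a constructed sample built from the non-redacted lines of the poster's list 101.

```python
# Toy first-match evaluator for Cisco numbered extended ACLs, ending in the
# implicit deny. Added example; the port names are the ones used on this page.
import ipaddress

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69,
         "isakmp": 500, "non500-isakmp": 4500}

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> (net, wildcard, next index)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2
def _port(tok, i):  # optional 'eq PORT'; None means any port
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORTS[p] if p in PORTS else int(p)), i + 2
    return None, i
def parse_acl(text, number):  # rules of access list NUMBER, in entry order
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", number]:
            continue
        s_net, s_wild, i = _addr(tok, 4)
        s_port, i = _port(tok, i)
        d_net, d_wild, i = _addr(tok, i)
        d_port, _ = _port(tok, i)
        rules.append((line, tok[2], tok[3], (s_net, s_wild, s_port), (d_net, d_wild, d_port)))
    return rules
def _match(spec, ip, port):
    net, wild, want = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (net | wild) and (want is None or want == port)
def evaluate(rules, proto, src, dst, sport=None, dport=None):  # (action, line) of first match
    for line, action, p, s_spec, d_spec in rules:
        if p in ("ip", proto) and _match(s_spec, src, sport) and _match(d_spec, dst, dport):
            return action, line
    return "deny", "(implicit deny)"

# Constructed sample mirroring the non-redacted tail of the poster's ACL 101.
ACL_101 = """\
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""
def tftp_verdict(acl_text, src="192.168.157.10", dst="192.168.117.29"):  # assumed addresses
    return evaluate(parse_acl(acl_text, "101"), "udp", src, dst, sport=50000, dport=69)
```

Because a TFTP server answers from a fresh ephemeral port and the client then sends to that port, a single permit for UDP port 69 only covers the first datagram of a transfer; stateful inspection or a wider UDP permit is needed for the rest.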

nygenxny123 Fri, 11/06/2009 - 10:03

Hi Rick,

My question would be: since the TFTP request to download a file is coming from the PC, wouldn't the access list that is blocking it be applied to the interface closest to the PC?

In this case the inside interface.

I can find access list 100 on this router, but here is access list 100 on a VPN/router that is having the same issue.

Extended IP access list 100
10 deny ip host 255.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 permit ip any any (68002 matches)

interface Vlan1
description Inside VPN Enable
ip address 192.168.161.1 255.
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
no autostate

and access list 100 is applied to the "internet" connection:

interface FastEthernet0
description Outside
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects

Richard Burts Fri, 11/06/2009 - 10:31

Richard

In your original post you say: "The user cant tftp to our local server 192.168.117.29", and this led me to assume that the user was remote. Now you seem to be saying that the user is local. Perhaps I need to ask you for clarification about the topology. Where is the user (and what address), and what address receives the request from the user? Where is the server?

Also it would be helpful to know if the user request is received as part of a VPN session or what?

HTH

Rick

nygenxny123 Fri, 11/06/2009 - 10:49

Indeed the user is remote.

They use a Cisco 1811 at home, which connects to their ISP, which connects to our ASA via public IP "peer".

Attached is the running config of the 1811 router (edited on public IPs and passwords).

The TFTP server is on our local corporate network, 192.168.117.26.
Richard Burts Sun, 11/08/2009 - 20:26

Richard

In your original post you identify the TFTP server as 192.168.117.29, and in this post you identify it as 192.168.117.26. This inconsistency is confusing.

In the config that you post the only mention of 192.168.117 is a permit statement in the access list. The network does not appear to be a connected interface and there is no route statement to that network. Either this is the issue or you are providing such incomplete information that I will not be able to provide any further assistance with this.

HTH

Rick
