IOS Firewall Policy-Map VoIP TFTP issues

Unanswered Question
Jan 27th, 2010

I am having difficulty getting our new VoIP phones to download their configuration via TFTP by going through our IOS Firewall.


Router#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T2


If I set up NAT with no access-list / policy map of any kind, the phones get a NAT address, connect and successfully download their configuration via TFTP.


Once I implement security, the return TFTP data does not come back in. I have tried with simple access-list + inspection rules, and now I am currently using the zone-based firewall with policy maps, with the same results.


Either way, I end up with the following from "show ip cache flow". The phones have an IP address of 10.42.10.xx, and they connect to a public TFTP server, which I will list as IP 1.2.3.4, and the outside NAT pool will be 4.3.2.1.


Router#sh ip cach fl | inc 10.42.10
Fa0/0.1       10.42.10.35     Null          1.2.3.4   11 CEE4 0045     4
Router#


Here is part of the session information from the policy-map:


Router#sh policy-map type inspect zone-pair  ccp-zp-in-out sessions | beg sdm-cls-ccp-inspect-1

    Class-map: sdm-cls-ccp-inspect-1 (match-all)
      Match: class-map match-any prot-tftp
        Match: protocol tftp
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: access-group name voip-tftp

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 65E0A440 (10.42.10.35:52964)=>(1.2.3.4:69) tftp:udp SIS_OPEN
          Created 00:00:30, Last heard 00:00:21
          Bytes sent (initiator:responder) [124:0]


      Number of Pre-generated Sessions = 1
      Pre-generated Sessions
        Pre-gen session 66B9F940 1.2.3.4[1024:65535]=>4.3.2.1[52964:52964] tftp-data:udp
          Created 00:00:30, Last heard 00:00:30
          Bytes sent (initiator:responder) [0:0]


Thanks for any help,

Chris Paalman
