I am having difficulty getting our new VoIP phones to download their configuration via TFTP by going through our IOS Firewall.
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T2
If I set up NAT with no access-list / policy map of any kind, the phones get a NAT address, connect and successfully download their configuration via TFTP.
Once I implement security, the return TFTP data does not come back in. I have tried with simple access-list + inspection rules, and now I am currently using the zone-based firewall with policy maps, with the same results.
Either way I end up with the following from "show ip cache flow". The phones have an IP address of 10.42.10.xx, and they connect to a public TFTP server, which I will list as IP 18.104.22.168, and the outside NAT pool will be 22.214.171.124.
Router#sh ip cach fl | inc 10.42.10
Fa0/0.1 10.42.10.35 Null 126.96.36.199 11 CEE4 0045 4
Here is part of the session information from the policy-map:
Router#sh policy-map type inspect zone-pair ccp-zp-in-out sessions | beg sdm-cls-ccp-inspect-1
Class-map: sdm-cls-ccp-inspect-1 (match-all)
Match: class-map match-any prot-tftp
Match: protocol tftp
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name voip-tftp
Number of Established Sessions = 1
Session 65E0A440 (10.42.10.35:52964)=>(188.8.131.52:69) tftp:udp SIS_OPEN
Created 00:00:30, Last heard 00:00:21
Bytes sent (initiator:responder) [124:0]
Number of Pre-generated Sessions = 1
Pre-gen session 66B9F940 184.108.40.206[1024:65535]=>220.127.116.11[52964:52964] tftp-data:udp
Created 00:00:30, Last heard 00:00:30
Bytes sent (initiator:responder) [0:0]
Thanks for any help,