ACL for TFTP traffic

rouven.heim
Level 1

Hi,

I need restricted access to another VLAN for TFTP traffic. So I've created an ACL like this:

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

I add this ACL to the source interface (192.168.30.0) as INCOMING.

The TFTP request to the TFTP server is established and the TFTP server answers from a random port to carry out the file transfer.

Here's the problem. Because of the random port, the ACL blocks the file transfer.

Any idea?

Greetings,

Rouven

1 Accepted Solution

Hi Ganesh,

Windows 2003, on which the TFTP server resides, uses the range 1025 to 5000 as ephemeral ports. So I've decided to use the following ACL:

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

This has the drawback you've already mentioned. But actually I see no other way to solve the problem.

Thank you for your support!

Greetings,

Rouven

Hi Rouven,

As I said earlier, we also need to permit the data-transfer ports for TFTP, which are taken dynamically by both client and server. As per the traffic flow, try the following ACL and share the results:

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

8 Replies

jorge.calvo
Level 1

Hello,

TFTP uses both UDP and TCP ports for the transfers, so I would try with a permit for the TFTP TCP port.

Hope this helps.

Hello,

Thanks for your reply. But using TCP doesn't solve the problem. The TFTP server responds from a random UDP port, and this random UDP port is not allowed by the incoming ACL of the source VLAN.

Greetings,

Rouven

Ganesh Hariharan
VIP Alumni

Rouven,

TFTP typically uses UDP as its transport protocol, but it is not a requirement. Data transfer is initiated on port 69, but the data-transfer ports are chosen independently by the sender and receiver during initialization of the connection. The ports are chosen at random and must be in the range 0–65535.

Generally, this is what happens when you apply an ACL for only TFTP on UDP:

* From the original case, the PC initiates a TFTP session from an arbitrary port at its side to server port 69 (the conventional TFTP port for initiating a TFTP session). The server then acknowledges from an arbitrary port at its side. The following exchanges occur between these PC and Server ports. (The PC and Server ports are commonly named transfer identifiers, as referred to in RFC 1350, the TFTP specification.)

* Hence the ACL entry defined as "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp" only allows the first exchange from PC to Server and back. Because of the varying values of the PC and Server ports -- distinct from 69 (the TFTP initial port) -- and of no matching criteria in the ACL, the TFTP data transfer is not permitted.

As part of the solution, I would think about one of the following ACL implementations.

* Adding the ACL entry "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 gt 1024" (in addition to the ACL "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp"): with the assumption that the PC and Server ports are chosen greater than 1024; otherwise this value could be adapted. The main drawback of this solution is that it allows any UDP datagram to a port over 1024, which may be more than one wishes to permit.

* Adding the ACL entry "permit udp 192.168.30.0 0.0.0.255 eq X host 192.168.40.10" (in addition to the ACL "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp"): where X is a pre-defined integer (greater than 1024).

Hope to Help !!

Ganesh.H
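To make the point above concrete, here is a small IOS-style ACL matcher, added as an illustration and not taken from the thread, that replays the client's side of the read-request exchange against Rouven's original entry and the accepted two-line ACL. The client address and both transfer identifiers (TIDs) are constructed; only client-to-server packets are evaluated because the ACL is applied inbound on the client VLAN.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(toks):
    t = toks.pop(0)
    if t == "host":
        h = _ip(toks.pop(0))
        return lambda ip: _ip(ip) == h
    base, wild = _ip(t), _ip(toks.pop(0))  # wildcard: 1 bits are "don't care"
    return lambda ip: (_ip(ip) & ~wild) == (base & ~wild)

def _take_port(toks):
    if not toks or toks[0] not in ("eq", "gt", "range"):  # no operator: any port
        return lambda p: True
    op, a = toks.pop(0), toks.pop(0)
    a = 69 if a == "tftp" else int(a)  # IOS accepts the keyword 'tftp' for port 69
    if op == "eq":
        return lambda p: p == a
    if op == "gt":
        return lambda p: p > a
    b = int(toks.pop(0))
    return lambda p: a <= p <= b

def acl_decision(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    proto, s, sp, d, dp = pkt
    for line in acl_lines:
        toks = line.split()
        action, p = toks.pop(0), toks.pop(0)
        src, sport = _take_addr(toks), _take_port(toks)
        dst, dport = _take_addr(toks), _take_port(toks)
        if p == proto and src(s) and sport(sp) and dst(d) and dport(dp):
            return action
    return "deny"

# Constructed read-request exchange (RFC 1350 TIDs), client-to-server direction only.
CLIENT, SERVER, CLIENT_TID, SERVER_TID = "192.168.30.5", "192.168.40.10", 50231, 3456
CLIENT_TO_SERVER = [
    ("udp", CLIENT, CLIENT_TID, SERVER, 69),          # RRQ to the well-known TFTP port
    ("udp", CLIENT, CLIENT_TID, SERVER, SERVER_TID),  # ACK of DATA block 1, to the server's TID
]

def blocked_packets(acl_lines):
    return [p for p in CLIENT_TO_SERVER if acl_decision(acl_lines, p) != "permit"]

ORIGINAL_ACL = ["permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp"]
ACCEPTED_ACL = ORIGINAL_ACL + ["permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000"]
```

With the original ACL only the ACK to the server's TID is dropped; with the accepted ACL the exchange passes, while a server TID outside 1025-5000 would still be denied, which is the caveat behind the Windows ephemeral-port assumption.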

Hi,

the ACL works fine!

Thank you!

Greetings,

Rouven

Hi Rouven,

That's great if the logic has helped you. It would be helpful if you could mark this thread as answered so that others would also benefit.

Ganesh.H

Can we configure multiple protocol services in an access-list? If so, how can we configure HTTP, FTP and TFTP in the same one? Does one affect the functioning of the other? Plus, is there an order for writing the protocol statements?
