IOS Firewall Policy-Map VoIP TFTP issues

I am having difficulty getting our new VoIP phones to download their configuration via TFTP by going through our IOS Firewall.

Router#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T2

If I set up NAT with no access-list / policy map of any kind, the phones get a NAT address, connect and successfully download their configuration via TFTP.

Once I implement security, the return TFTP data does not come back in. I have tried with simple access-list + inspection rules, and now I am currently using the zone-based firewall with policy maps, with the same results.

Either way, I end up with the following from "show ip cache flow". The phones have an IP address of 10.42.10.xx, and they connect to a public TFTP server, which I will list as IP 1.2.3.4, and the outside NAT pool will be 4.3.2.1.

Router#sh ip cach fl | inc 10.42.10
Fa0/0.1       10.42.10.35     Null          1.2.3.4   11 CEE4 0045     4
Router#

Here is part of the session information from the policy-map:

Router#sh policy-map type inspect zone-pair  ccp-zp-in-out sessions | beg sdm-cls-ccp-inspect-1

    Class-map: sdm-cls-ccp-inspect-1 (match-all)
      Match: class-map match-any prot-tftp
        Match: protocol tftp
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: access-group name voip-tftp

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 65E0A440 (10.42.10.35:52964)=>(1.2.3.4:69) tftp:udp SIS_OPEN
          Created 00:00:30, Last heard 00:00:21
          Bytes sent (initiator:responder) [124:0]


      Number of Pre-generated Sessions = 1
      Pre-generated Sessions
        Pre-gen session 66B9F940 1.2.3.4[1024:65535]=>4.3.2.1[52964:52964] tftp-data:udp
          Created 00:00:30, Last heard 00:00:30
          Bytes sent (initiator:responder) [0:0]

Thanks for any help,

Chris Paalman
