
IOS Firewall Policy-Map VoIP tftp issues

I am having difficulty getting our new VoIP phones to download their configuration via TFTP by going through our IOS Firewall.

Router#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T2

If I set up NAT with no access-list / policy map of any kind, the phones get a NAT address, connect and successfully download their configuration via TFTP.

Once I implement security, the return tftp data does not come back in. I have tried with simple access-list + inspection rules, and now I am currently using the zone-based firewall with policy maps, with the same results.

Either way I end up with the following from "show ip cache flow". The phones have an IP address of 10.42.10.xx, and they connect to a public tftp server, which I will list as IP, and the outside NAT pool will be

Router#sh ip cach fl | inc 10.42.10
Fa0/0.1     Null   11 CEE4 0045     4

Here is part of the session information from the policy-map

Router#sh policy-map type inspect zone-pair  ccp-zp-in-out sessions | beg sdm-cls-ccp-inspect-1

    Class-map: sdm-cls-ccp-inspect-1 (match-all)
      Match: class-map match-any prot-tftp
        Match: protocol tftp
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: access-group name voip-tftp


      Number of Established Sessions = 1
      Established Sessions
        Session 65E0A440 (>( tftp:udp SIS_OPEN
          Created 00:00:30, Last heard 00:00:21
          Bytes sent (initiator:responder) [124:0]

      Number of Pre-generated Sessions = 1
      Pre-generated Sessions
        Pre-gen session 66B9F940[1024:65535]=>[52964:52964] tftp-data:udp
          Created 00:00:30, Last heard 00:00:30
          Bytes sent (initiator:responder) [0:0]

Thanks for any help,

Chris Paalman
