I am trying to use TFTP to copy a capture off of a remote PIX to a TFTP server that is located on the HQ private LAN. An IPSec tunnel exists between the two sites, and I have added the outside interface of the remote PIX to the VPN. The server is pingable from the remote PIX, but the TFTP session will not connect.
The remote PIX is running PIX OS 6.3(1) and the HQ PIX is running 7.2(1).
I have seen some similar queries on these forums over the last couple of years, but no definitive answers. If anyone can give me a hand here, I'd greatly appreciate it.
TFTP uses random UDP ports to transfer data. This protocol uses UDP port 69 only to initiate the transfer. To enable TFTP in your network, please try the following:
1. Configure TFTP fixup on both firewalls using the following command:
fixup protocol tftp 69
2. Enable traffic to the server's UDP port 69 from your remote firewall.
3. Specify the TFTP server address on the remote firewall using the 'tftp-server' command.
If that does not help, try to permit _all_ UDP traffic in both directions between your remote PIX and the server. If you don't want to open all UDP ports, you can use a TFTP server which supports data transfer through UDP port 69 only (for example, the TFTP server which we develop does this). It is enough to open only UDP port 69 in this case.
Thanks for the suggestions, Oleg, but I don't think this will help me out. I need the TFTP transmission to be within the confines of the already-established VPN tunnel, as I don't want to send the capture unencrypted across the Internet.
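An added illustration, not part of the original posts: this Python sketch reproduces the behaviour described in the reply above, where the request goes to the well-known port but the server sends data from a newly chosen UDP port. It runs over loopback only; an ephemeral listening port stands in for UDP 69, and the file name, payload and function names are constructed for the example.

```python
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4   # TFTP opcodes (RFC 1350)

def serve_one(listener, payload):
    """Answer one read request from a fresh socket, as RFC 1350 servers do."""
    _req, client = listener.recvfrom(516)
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    data_sock.bind(("127.0.0.1", 0))           # new ephemeral port = server transfer ID
    data_sock.settimeout(2)
    data_sock.sendto(struct.pack("!HH", OP_DATA, 1) + payload, client)
    data_sock.recvfrom(516)                    # wait for the ACK of block 1
    data_sock.close()

def observe_transfer(payload=b"constructed sample capture bytes"):
    """Run one read over loopback; return (listen_port, data_port, received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))            # stands in for UDP 69 (no root needed)
    listener.settimeout(2)
    listen_port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener, payload))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    rrq = struct.pack("!H", OP_RRQ) + b"capture.pcap\0octet\0"
    client.sendto(rrq, ("127.0.0.1", listen_port))
    packet, (_, data_port) = client.recvfrom(516)
    opcode, block = struct.unpack("!HH", packet[:4])
    if (opcode, block) != (OP_DATA, 1):
        raise RuntimeError("unexpected TFTP reply")
    # The ACK is addressed to the port the DATA came from, not the listening port.
    client.sendto(struct.pack("!HH", OP_ACK, block), ("127.0.0.1", data_port))
    worker.join()
    client.close()
    listener.close()
    return listen_port, data_port, packet[4:]

def port_only_rule_matches(listen_port, data_port):
    """True if a rule permitting only the listening port would match the data flow."""
    return data_port == listen_port

if __name__ == "__main__":
    lp, dp, body = observe_transfer()
    print(f"request sent to port {lp}, data arrived from port {dp}")
    print("listening-port-only rule matches data flow:", port_only_rule_matches(lp, dp))
```

The data flow never matches a rule written only for the listening port, which is why the reply suggests TFTP fixup (so the firewall tracks the secondary flow) or a server that keeps the whole transfer on UDP 69.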