Allowing TFTP traffic through

moorera (Level 1)

Hello,

I'm running a 2821 router with the advanced security code set. I've set up the inspect commands, including the tftp inspect command, which I understand is on by default. However, I cannot get tftp traffic to pass through the firewall. It seems from the sniffer that it is getting hung up when the traffic flow switches to a secondary channel for the actual transfer of data. Do you have to somehow account for this in your ACL design? I do not need to use NAT in this case, so there is no NAT/PAT going on. Thanks for your help.

Randy Moore

Nova Chemicals.

5 Replies

Edison Ortiz (Hall of Fame)

Randy,

Can you post configs ?

Thanks

Hi,

Thanks for replying. Here are the configs for you. All sections of the ACL seem to work for me except the tftp section (I haven't looked at the syslog section yet). Thanks.

Randy

Randy,

How about just entering

ip inspect name Scada-ACL tftp

in the config ?

Hi,

Yeah, I started that way to begin with, but it isn't working. Looking at the sniffer, I let the first packet by as it is on UDP 69, as it should be, but then TFTP jumps to other ports and the inspect command doesn't make the jump as well. I know on a PIX you need the fixup command for this to work, and I had thought the fixup command was the inspect command on the IOS firewall and PIX OS 7. Appreciate your help.

Yes, the inspect command is similar to the fixup command in the PIX but you also have an ACL in addition to the inspect. The ACL is allowing UDP 69 *only*. If the client at the remote end is using other ports besides UDP 69, then it's a client problem.

What other ports do you see being used on the sniffer trace ?
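The port change Randy sees on the sniffer is normal TFTP behaviour (RFC 1350): only the read/write request goes to UDP 69; the server answers from a freshly chosen ephemeral port (its transfer ID) and every DATA/ACK datagram after that flows between the client's and the server's ephemeral ports. The model below, added here as an illustration and not taken from the thread or from Cisco's code, walks that exchange through two filters: a stateless "UDP 69 only" rule, and a small TFTP-aware inspector that opens a pinhole for the server's reply the way an IOS `ip inspect ... tftp` rule or a PIX `fixup` is meant to. The addresses, transfer IDs and the inspector's logic are assumptions chosen for the example; the packets are constructed, not captured.

```python
"""TFTP read request crossing a firewall: why a 'UDP 69 only' ACL breaks the
transfer, and what a TFTP-aware stateful inspector has to track instead.

Constructed example. Addresses, ports and the inspector logic are assumed for
illustration; this is not Cisco's CBAC or fixup implementation."""
from dataclasses import dataclass

# Assumed topology: client on the inside, TFTP server on the outside.
CLIENT = "10.1.1.10"
SERVER = "192.0.2.20"
INSIDE_PREFIX = "10.1.1."

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4  # TFTP opcodes (RFC 1350)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    opcode: int


def tftp_read_exchange(client_tid=51001, server_tid=54321):
    """Datagrams generated by one 'tftp get' of a two-block file.

    Only the RRQ is addressed to port 69. The server replies from a new
    ephemeral port (its TID) and the rest of the transfer never touches 69."""
    return [
        Packet(CLIENT, client_tid, SERVER, 69, RRQ),
        Packet(SERVER, server_tid, CLIENT, client_tid, DATA),  # block 1
        Packet(CLIENT, client_tid, SERVER, server_tid, ACK),
        Packet(SERVER, server_tid, CLIENT, client_tid, DATA),  # block 2 (last)
        Packet(CLIENT, client_tid, SERVER, server_tid, ACK),
    ]


def stateless_acl(pkt):
    """Equivalent of 'permit udp any any eq 69' applied to every packet:
    passes the request, drops the whole data channel."""
    return pkt.dst_port == 69


class TftpInspector:
    """Minimal stateful TFTP inspection (illustrative, not Cisco's code).

    Inside-originated requests to UDP 69 are remembered by (client ip,
    client TID, server ip). The first outside packet that matches a pending
    request reveals the server's TID; from then on only that exact 4-tuple
    is allowed in either direction."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.pending = set()   # (client_ip, client_tid, server_ip)
        self.sessions = set()  # (client_ip, client_tid, server_ip, server_tid)

    def _from_inside(self, pkt):
        return pkt.src_ip.startswith(self.inside_prefix)

    def allow(self, pkt):
        if self._from_inside(pkt):
            if pkt.dst_port == 69 and pkt.opcode in (RRQ, WRQ):
                self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
                return True
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.sessions
        # Outside-originated: only through a pinhole the inspector opened.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if key in self.pending:
            self.pending.discard(key)
            self.sessions.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions


def run(filter_fn, packets):
    """Verdict per packet, in order."""
    return [filter_fn(p) for p in packets]


if __name__ == "__main__":
    pkts = tftp_read_exchange()
    print("stateless UDP/69 ACL:", run(stateless_acl, pkts))
    print("tftp inspector      :", run(TftpInspector(INSIDE_PREFIX).allow, pkts))
```

Running it shows the stateless rule passing only the first datagram, which is exactly the symptom on the sniffer, while the inspector passes all five and still refuses an outside packet that does not match a learned session. The practical check on the router is therefore whether the inspect rule is applied on the interface the client's request enters, so that the return channel is opened dynamically rather than being expected from the static ACL.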
