11-24-2006 10:30 AM - edited 03-03-2019 02:48 PM
Hello,
I'm running a 2821 router with the advanced security code set. I've set up the inspect commands, including the tftp inspect command, which I understand is on by default. However, I cannot get tftp traffic to pass through the firewall. It seems from the sniffer it is getting hung up when the traffic flow switches to a secondary channel for the actual transfer of data. Do you have to somehow account for this in your ACL design? I do not need to use NAT in this case, so there is no NAT/PAT going on. Thanks for your help.
Randy Moore
Nova Chemicals.
11-24-2006 11:38 AM
Randy,
Can you post configs ?
Thanks
11-24-2006 12:50 PM
11-24-2006 01:53 PM
Randy,
How about just entering
ip inspect name Scada-ACL tftp
in the config ?
11-28-2006 09:05 AM
Hi,
Yeah, I started that way to begin with, but it isn't working. Looking at the sniffer, I let the first packet by as it is on UDP 69 as it should be, but then TFTP jumps to other ports and the inspect command doesn't make the jump as well. I know on a PIX you need the fixup command for this to work, and I had thought the fixup command was the inspect command on the IOS firewall and PIX OS 7. Appreciate your help.
11-28-2006 09:22 AM
Yes, the inspect command is similar to the fixup command in the PIX, but you also have an ACL in addition to the inspect. The ACL is allowing UDP 69 *only*. If the client at the remote end is using other ports besides UDP 69, then it's a client problem.
What other ports do you see being used on the sniffer trace ?
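The port change seen in the sniffer is standard TFTP (RFC 1350): the client sends its request to UDP/69, the server answers from a freshly chosen port (its transfer ID), and every later packet of the transfer uses that port. A static ACL that only permits destination port 69 therefore drops the first DATA packet, which is exactly the "hangs after the first packet" symptom; a TFTP-aware inspection has to learn the server's reply port from that first reply and open a pinhole for it. The following simulation is an added example, not configuration or code from this thread or from Cisco: it replays a constructed read request through a static ACL and through a simplified CBAC-style TFTP inspector. The addresses, ports and packet notes are made up, the client is taken to be on the trusted side, and the inspector is a model of the idea rather than of the exact IOS implementation.

```python
"""Why a UDP/69-only ACL breaks TFTP, and what a TFTP-aware inspection adds.

Added example for the thread above; addresses, ports and the inspection
model are constructed assumptions, not IOS code.
"""
from dataclasses import dataclass

TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = trusted -> untrusted, "in" = untrusted -> trusted
    note: str = ""


# Constructed TFTP read exchange (RFC 1350). Only the request goes to
# port 69; the server replies from a new port and the transfer stays there.
CLIENT, SERVER = "10.1.1.10", "192.168.5.20"
TFTP_TRACE = [
    Packet(CLIENT, 40001, SERVER, TFTP_PORT, "out", "RRQ config.bin"),
    Packet(SERVER, 51234, CLIENT, 40001, "in", "DATA block 1"),
    Packet(CLIENT, 40001, SERVER, 51234, "out", "ACK block 1"),
    Packet(SERVER, 51234, CLIENT, 40001, "in", "DATA block 2"),
    Packet(CLIENT, 40001, SERVER, 51234, "out", "ACK block 2"),
]

# Constructed unsolicited packet from a host nobody sent a request to.
STRAY_DATA = Packet("192.168.5.99", 51234, CLIENT, 40001, "in", "unsolicited DATA")


def static_acl(packets):
    """Inbound ACL equivalent to 'permit udp any any eq 69' only; outbound open."""
    verdicts = []
    for p in packets:
        if p.direction == "out" or p.dst_port == TFTP_PORT:
            verdicts.append(("permit", p.note))
        else:
            verdicts.append(("deny", p.note))
    return verdicts


def tftp_inspect(packets):
    """Simplified stateful TFTP inspection.

    An outbound request to UDP/69 records (client ip, client port, server ip).
    The first inbound packet from that server to that client port is taken as
    the server's transfer-ID reply; its source port opens a pinhole that the
    rest of the transfer flows through. Anything else inbound still has to
    match the base ACL (destination port 69) or is denied.
    """
    pending = set()   # (client_ip, client_port, server_ip) waiting for the reply
    pinholes = set()  # (client_ip, client_port, server_ip, server_port)
    verdicts = []
    for p in packets:
        if p.direction == "out":
            if p.dst_port == TFTP_PORT:
                pending.add((p.src_ip, p.src_port, p.dst_ip))
            verdicts.append(("permit", p.note))  # outbound is not filtered here
            continue
        session = (p.dst_ip, p.dst_port, p.src_ip)
        flow = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if flow in pinholes:
            verdicts.append(("permit", p.note))
        elif session in pending:
            pending.discard(session)
            pinholes.add(flow)  # learn the server's chosen port from its first reply
            verdicts.append(("permit", p.note))
        elif p.dst_port == TFTP_PORT:
            verdicts.append(("permit", p.note))  # base ACL: new requests to 69
        else:
            verdicts.append(("deny", p.note))
    return verdicts


def dropped(verdicts):
    """Notes of the packets a policy denied, in trace order."""
    return [note for verdict, note in verdicts if verdict == "deny"]


if __name__ == "__main__":
    print("static ACL drops:  ", dropped(static_acl(TFTP_TRACE)))
    print("tftp inspect drops:", dropped(tftp_inspect(TFTP_TRACE)))
    print("stray packet:      ", tftp_inspect([STRAY_DATA]))
```

Running it shows the static ACL dropping both DATA blocks while the inspector passes the whole transfer, and the stray packet is still denied because no request was ever sent to that host. Note that the model never expires its pinholes; a real inspection engine ages them out when the transfer ends or goes idle.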