New Member

Allowing TFTP traffic through

Hello,

I'm running a 2821 router with the advanced security code set. I've set up the inspect commands, including the tftp inspect command, which I understand is on by default. However, I cannot get TFTP traffic to pass through the firewall. It seems from the sniffer it is getting hung up when the traffic flow switches to a secondary channel for the actual transfer of data. Do you have to somehow account for this in your ACL design? I am not needing to use NAT in this case, so there is no NAT/PAT going on. Thanks for your help.

Randy Moore

Nova Chemicals.

5 REPLIES
Hall of Fame Super Bronze

Re: Allowing TFTP traffic through

Randy,

Can you post configs ?

Thanks

New Member

Re: Allowing TFTP traffic through

Hi,

Thanks for replying. Here are the configs for you. All sections of the ACL seem to work for me but the tftp section. (haven't looked at the syslog section yet). Thanks.

Randy

Hall of Fame Super Bronze

Re: Allowing TFTP traffic through

Randy,

How about just entering

ip inspect name Scada-ACL tftp

in the config ?

New Member

Re: Allowing TFTP traffic through

Hi,

Yeah, I started that way to begin with, but it isn't working. Looking at the sniffer, it lets the first packet by, as it is on UDP 69 as it should, but then TFTP jumps to other ports and the inspect command doesn't make the jump as well. I know on a PIX you need the fixup command for this to work, and I had thought the fixup command was the inspect command on the IOS firewall and PIX OS 7. Appreciate your help.

Hall of Fame Super Bronze

Re: Allowing TFTP traffic through

Yes, the inspect command is similar to the fixup command in the PIX but you also have an ACL in addition to the inspect. The ACL is allowing UDP 69 *only*. If the client at the remote end is using other ports besides UDP 69, then it's a client problem.

What other ports do you see being used on the sniffer trace ?

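The port change Randy describes is standard TFTP behaviour (RFC 1350): the request goes to UDP 69, but the server answers from a freshly chosen transfer ID, and the rest of the transfer runs between that port and the client's port. The following model is an added illustration, not code from the thread or from IOS; the addresses and ports are constructed sample values. It contrasts a stateless rule that permits only UDP 69 with a minimal stateful entry of the kind an inspect rule creates on the initial request.

```python
# Model of the TFTP transfer-ID (port) change described in this thread (RFC 1350)
# and of why a static "permit udp any any eq 69" rule alone cannot pass the data
# channel, while a stateful entry created on the initial request can.
# Hypothetical model, not IOS code; IPs and ports are constructed sample values.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

def tftp_read_session(client, server):
    """RRQ from the client's ephemeral port to server:69; the server answers from
    a freshly chosen TID, and all later DATA/ACK packets use that TID."""
    cport, server_tid = 49152, 3456  # constructed sample ports
    return [
        Pkt(client, cport, server, 69),          # RRQ  (client -> server:69)
        Pkt(server, server_tid, client, cport),  # DATA block 1 (new server port)
        Pkt(client, cport, server, server_tid),  # ACK block 1
        Pkt(server, server_tid, client, cport),  # DATA block 2
    ]

def static_acl_allows(pkt):
    """Stateless rule: only packets whose destination port is UDP 69 pass."""
    return pkt.dport == 69

class TftpInspect:
    """Minimal stand-in for a stateful inspect entry: seeing a request to UDP 69
    records the client socket and server address, then permits the server to
    reply from any source port to that client socket (and the client's ACKs)."""
    def __init__(self):
        self.sessions = set()
    def allows(self, pkt):
        if pkt.dport == 69:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst))
            return True
        # reply direction: recorded server (any port) -> recorded client socket
        if (pkt.dst, pkt.dport, pkt.src) in self.sessions:
            return True
        # client's later ACKs to the server's TID belong to the same session
        return (pkt.src, pkt.sport, pkt.dst) in self.sessions

def evaluate(packets, policy):
    """Return (packet, allowed) pairs in order, stopping at the first drop,
    because the transfer stalls there, which is what the sniffer shows."""
    result = []
    for p in packets:
        ok = policy(p)
        result.append((p, ok))
        if not ok:
            break
    return result
```

Run both policies over `tftp_read_session(...)`: the static rule drops the first DATA packet because its destination port is the client's ephemeral port, while the stateful entry passes the whole exchange and still rejects a reply from a server that was never asked.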