Configuring tftp

eclidad
Jan 5, 2005
Hi,

I've got what should be a simple problem to solve. I'm trying to use tftp to save my config to a linux box. I've used wireshark to trace packets and see that my responses aren't getting back to the router. The router sends out a packet from an arbitrary port to UDP port 69 on my server. My server then responds to this arbitrary port which my access-list isn't letting in. The router then sends an ICMP destination unreachable to the server. How can I get tftp to work without letting any udp port from my server into the router?

Thanks,
- Joel
 
Post the ACL, but you probably need to add something like:
Code:
ip access-list extended some-acl
 permit udp any eq 69 any
!
interface Ethernet0
 ip access-group some-acl in

HTH

Andy
 
Is the firewall on the linux box allowing these packets back out? That's what it sounds like to me...

Burt
 
Here's the access-list entry.

permit udp host 192.168.1.9 host 192.168.4.4 eq tftp

It's not quite right but I don't think that the problem lies here.

There is no firewall on the linux box. I haven't had a problem doing tftp with other devices. This includes our old PIX unit. The router we are using now is an 1841.

Here's the packet that goes to the linux server
Internet Protocol, Src: 192.168.4.4 (192.168.4.4), Dst: 192.168.1.113 (192.168.1.113)
User Datagram Protocol, Src Port: 59144 (59144), Dst Port: tftp (69)

Here's the packet that comes back
Internet Protocol, Src: 192.168.1.113 (192.168.1.113), Dst: 192.168.4.4 (192.168.4.4)
User Datagram Protocol, Src Port: 41579 (41579), Dst Port: 59144 (59144)

Nowhere in the response packet does port 69 show up. The dst port of the second packet matches what the router used to send the request. The src port is not what I would have expected.

I also tried this using the cisco tftp windows server and see the same behavior. Would something like this help

access-list 130 permit udp any any established

130 controls packets coming from the internal network into the router. I've never really understood what "established" does but it seems this would allow things the router initiated to be completed.

I'll dig into this a bit more and see what I can find.

Thanks,
- Joel
 
The "established" means that if the router establishes the session, allow any any.
Does it do this only with Linux boxes?

Burt
 
I've tried 2 different linux boxes and 1 windows machine. The problem seems to be that when the server responds it doesn't have port 69 as either a src or dst port. If it did it would be easy to create a specific access-list rule. Since the response packets can be any port a different mechanism is needed. My radius servers are kind enough to use a fixed port number when they respond so that the connections initiated by the router can complete. I'll try the "established" entry and see what that does. If it works it will probably cover the radius packets as well. After all they are UDP packets sent by the router to the internal network.

Thanks,
- Joel
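Here is what ACL 130 actually does with the two datagrams from Joel's capture, as an added illustration written for this thread (it is not Cisco code and not from any of the posters). The `Packet` and `Ace` classes and `evaluate()` are hypothetical helpers that model first-match, implicit-deny evaluation of an extended ACL; the entries are the ones quoted above plus one host-scoped variant. The capture shows the server as 192.168.1.113 while the posted entry names 192.168.1.9, so both are tried. The `established` keyword is modelled the way IOS applies it: TCP only, matching segments with ACK or RST set, so it cannot match a UDP reply.

```python
"""Model of Cisco-style extended ACL matching, applied to the two packets
captured in this thread. Added illustration, not IOS code; the Ace/Packet
classes and evaluate() are hypothetical helpers."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False   # TCP flag state; meaningless for UDP


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "udp" or "tcp"
    src: str                    # CIDR; "0.0.0.0/0" is "any"
    dst: str
    sport: PortRange = None
    dport: PortRange = None
    established: bool = False   # IOS accepts this keyword only on TCP entries


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
        return False
    if not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
        return False
    # "established" matches only TCP segments with ACK or RST set; a UDP
    # datagram can never satisfy it, so there is no UDP equivalent.
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The two datagrams from the thread's capture. Only the reply is evaluated:
# ACL 130 is applied inbound on FastEthernet0/0, so it sees traffic from the
# LAN towards the router, not the request the router itself sends out.
REQUEST = Packet("udp", "192.168.4.4", 59144, "192.168.1.113", 69)
REPLY = Packet("udp", "192.168.1.113", 41579, "192.168.4.4", 59144)

# access-list 130 permit udp host 192.168.1.9 host 192.168.4.4 eq tftp
AS_POSTED = [Ace("permit", "udp", "192.168.1.9/32", "192.168.4.4/32", dport=(69, 69))]
# same entry with the host changed to the server actually seen in the capture
HOST_FIXED = [Ace("permit", "udp", "192.168.1.113/32", "192.168.4.4/32", dport=(69, 69))]
# one server, one destination (the router's own LAN address), any UDP port:
# as narrow as a plain ACL can be when the reply port is chosen per transfer
HOST_SCOPED = [Ace("permit", "udp", "192.168.1.113/32", "192.168.4.4/32")]
# access-list 130 permit tcp any any established
ESTABLISHED = [Ace("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", established=True)]
# constructed TCP reply (e.g. an SSH session the router opened) for comparison
TCP_REPLY = Packet("tcp", "192.168.1.113", 22, "192.168.4.4", 40000, ack_or_rst=True)


if __name__ == "__main__":
    for name, acl in [("as posted", AS_POSTED), ("host fixed", HOST_FIXED),
                      ("host scoped", HOST_SCOPED), ("established", ESTABLISHED)]:
        print(f"{name:12s} -> {evaluate(acl, REPLY)}")
```

Running it gives deny for the first two lists and for the `established` entry, and permit only for the host-scoped one. Fixing the host address alone does not help because the reply never carries port 69 in either direction; the only fields left to pin down are the server's address and the router's own address on that interface. With the configuration posted later in this thread, the dropped reply shows up through the final `access-list 130 deny ip any any log` entry, which is the place to confirm the diagnosis before widening anything.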
 
Bizarrely I have just screwed up an Aironet 1100 Access Point and lost the IOS image (don't use FTP for the upgrade...). Anyway I have been trying to recover the image for the last 20 minutes or so and I am seeing the same behaviour with the recovery process - source port from the TFTP server is 1522.

I just did a quick search and found this page:


This explains the behaviour of the TFTP server in that it selects a random port number for the data transfer to the client. I must admit I didn't know this was how TFTP worked - I assumed, like you, that the data transfer happened on UDP port 69 from the server.

I am going to do a few more TFTP transfers and see the behaviour from some other IOS devices.

HTH

Andy
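The transfer-ID behaviour Andy describes, as an added example written for this thread (it is not the TFTP server's code and not from any poster): a toy RFC 1350 write request over loopback. The listener stands in for UDP/69 on an unprivileged port, and the server answers the WRQ from a second, freshly bound socket. That second port is exactly the source port (41579 and 1522 in the captures above) that an inbound filter on the router side has to account for. `tftp_server`, `tftp_put` and `demo` are hypothetical names, and the payload is constructed sample data.

```python
"""Minimal TFTP write (WRQ) exchange over loopback, showing that the server
answers from a freshly chosen port (its transfer ID), not from the listening
port. Toy code for illustration, RFC 1350 opcodes only; not a real server."""
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def tftp_server(listen_sock, store):
    """Serve exactly one WRQ, then return. Records the port it answered from."""
    req, client = listen_sock.recvfrom(1024)
    opcode = struct.unpack("!H", req[:2])[0]
    if opcode != WRQ:
        return
    filename = req[2:].split(b"\0")[0].decode()
    # RFC 1350 section 4: the server picks a new TID (a fresh UDP port) for this
    # transfer; every later datagram of the transfer is sent from that port.
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))
    xfer.settimeout(5)
    store["server_tid"] = xfer.getsockname()[1]
    xfer.sendto(struct.pack("!HH", ACK, 0), client)
    data = b""
    while True:
        pkt, peer = xfer.recvfrom(4 + BLOCK)
        if peer != client:
            # Wrong TID: RFC 1350 says answer that peer with error 5 and carry on.
            xfer.sendto(struct.pack("!HH", ERROR, 5) + b"Unknown transfer ID\0", peer)
            continue
        op, block = struct.unpack("!HH", pkt[:4])
        if op != DATA:
            break
        data += pkt[4:]
        xfer.sendto(struct.pack("!HH", ACK, block), client)
        if len(pkt) - 4 < BLOCK:      # a short block ends the transfer
            break
    store[filename] = data
    xfer.close()


def tftp_put(server_addr, filename, payload):
    """Client side of a WRQ. Returns the port the server's first reply came from."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(5)
    c.sendto(struct.pack("!H", WRQ) + filename.encode() + b"\0octet\0", server_addr)
    ack, peer = c.recvfrom(1024)           # ACK 0 arrives from the server's new TID
    assert struct.unpack("!HH", ack[:4]) == (ACK, 0)
    reply_port = peer[1]
    blocks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)] or [b""]
    if payload and len(payload) % BLOCK == 0:
        blocks.append(b"")                 # terminating empty block
    for n, chunk in enumerate(blocks, start=1):
        c.sendto(struct.pack("!HH", DATA, n) + chunk, peer)   # to the TID, not port 69
        ack, _ = c.recvfrom(1024)
        assert struct.unpack("!HH", ack[:4]) == (ACK, n)
    c.close()
    return reply_port


def demo(payload=b"hostname cisco1841\n" * 40):
    """Run one transfer on loopback; return (listen_port, reply_port, stored_bytes)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ls.bind(("127.0.0.1", 0))              # unprivileged stand-in for UDP/69
    ls.settimeout(5)
    store = {}
    t = threading.Thread(target=tftp_server, args=(ls, store))
    t.start()
    listen_port = ls.getsockname()[1]
    reply_port = tftp_put(("127.0.0.1", listen_port), "router-config", payload)
    t.join(5)
    ls.close()
    return listen_port, reply_port, store["router-config"]


if __name__ == "__main__":
    lp, rp, data = demo()
    print(f"request went to port {lp}, reply came from port {rp}, {len(data)} bytes stored")
```

`demo()` returns the listening port, the port the ACK 0 came from, and the bytes the server stored; the two ports always differ. A read request behaves the same way: after the RRQ, every DATA block comes from the server's transfer port, so a filter between router and server sees a UDP source port chosen per transfer rather than 69, which is why a `permit udp any eq 69 any` entry never matches the reply.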
 
Wow, Andy...I've been doing this for years and I didn't know that either! I guess I've just never run into a situation where I had an access list between a router and my TFTP server. That's good information to know.
 
Yep, a bit embarrassing really since I've been doing this for about 18 years now. I have even looked at sniffer traces of TFTP transfers and never noticed this, and really how can you miss it?

Ah well, you live and learn. For the original problem though, without any CBAC inspection going on and just ACLs it will be pretty difficult to tie this down with an ACL that doesn't allow big port ranges.

Andy

 
jneilberger - I'm not sure what you do so that there are no ACLs between your router and TFTP server. Don't you control what the internal network can do? I've got all my ACLs controlling access into the router. I suppose I could transform my ACLs so that instead of allowing http/telnet/ftp etc. from the internal network into the router and blocking everything else, I would only allow http/telnet/ftp to exit the router at the ISP interface. This would allow anything into the router.

This problem is certainly not a show stopper. Using tftp is just a convenience we would like.

- Joel
 
I've been in a couple of different network environments and in neither case did we do that much filtering internally, but that largely depends on which systems you're talking about. Some internal systems were highly protected, while others might have had very minimal protection. I think it's just dumb luck that I've never run into this before.
 
For what it's worth here is the output of sh run. I tried not to be too aggressive in what I chopped out. The acl of interest is 130. If port 69 was used I'd need to make it a src port instead of dst port. Since port 69 doesn't get used there's not much point in doing that.

!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$Jc2K$qxqjO9zRhmPCmy7qEJEEI1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting network default start-stop group radius
aaa accounting network ipsecaaa start-stop group radius
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name fixftp ftp
!
!
no ip bootp server
ip domain name company.com
ip name-server 192.168.3.10
ip name-server xxx.yyy.zzz.242
!
!
!
interface FastEthernet0/0
description Internet Access & Firewall for Internal LAN$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address 192.168.4.4 255.255.255.0
ip access-group 130 in
ip inspect fixftp in
ip nat inside
ip virtual-reassembly
ip policy route-map Static_Map
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description Comcast cable modem
ip address aaa.bbb.ccc.209 255.255.255.248
ip access-group 122 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
interface FastEthernet0/1/0
description Public IP - Portal
switchport access vlan 2
!
interface FastEthernet0/1/1
switchport access vlan 2
!
interface FastEthernet0/1/2
shutdown
!
interface FastEthernet0/1/3
shutdown
!
interface Serial0/0/0
ip address xxx.yyy.zzz.50 255.255.255.252
ip access-group 120 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address xxx.yyy.zzz.241 255.255.255.240
ip access-group 140 in
ip nat outside
ip virtual-reassembly
ip policy route-map Vlan2_Map
!
ip local pool VPN_Pool 10.2.2.33 10.2.2.62
ip classless
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.214
ip route 192.168.0.0 255.255.255.0 192.168.4.2
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
ip route 192.168.10.0 255.255.255.0 192.168.4.2
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool T1_Pool xxx.yyy.zzz.247 xxx.yyy.zzz.249 netmask 255.255.255.240
ip nat pool Cable_Pool aaa.bbb.ccc.210 aaa.bbb.ccc.212 netmask 255.255.255.248
ip nat inside source route-map Cable_Map pool Cable_Pool overload
ip nat inside source route-map T1_Map pool T1_Pool overload
ip nat inside source static 192.168.10.2 xxx.yyy.zzz.251 route-map Altigen_Map
ip nat inside source static 192.168.1.9 xxx.yyy.zzz.252 route-map tycho_Map
ip nat inside source static 192.168.3.10 xxx.yyy.zzz.253 route-map Cluster_Map
!
ip access-list standard internal
permit 192.168.1.0 0.0.0.255
!
logging trap debugging
logging facility local4
logging 192.168.1.9
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 deny ip any 10.2.2.32 0.0.0.31
access-list 100 permit ip host 192.168.3.10 any
access-list 101 remark This list is applied to the T1 route map
access-list 101 remark for dynamic NAT to portal and T1
access-list 101 deny ip any 10.2.2.32 0.0.0.31
access-list 101 deny ip host 192.168.1.9 host xxx.yyy.zzz.242
access-list 101 deny ip host 192.168.1.9 host xxx.yyy.zzz.243
access-list 101 deny ip host 192.168.3.10 host xxx.yyy.zzz.242
access-list 101 deny ip host 192.168.3.10 host xxx.yyy.zzz.243
access-list 101 remark entries for .244 and .245 are temporary during new portal setup
access-list 101 deny ip host 192.168.1.9 host xxx.yyy.zzz.244
access-list 101 deny ip host 192.168.1.9 host xxx.yyy.zzz.245
access-list 101 deny ip host 192.168.3.10 host xxx.yyy.zzz.244
access-list 101 deny ip host 192.168.3.10 host xxx.yyy.zzz.245
access-list 101 permit ip host 192.168.3.10 any
access-list 101 permit ip host 192.168.3.11 any
access-list 101 permit ip host 192.168.3.12 any
access-list 101 permit ip host 192.168.10.2 any
access-list 101 permit ip host 192.168.1.9 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 xxx.yyy.zzz.240 0.0.0.15
access-list 102 remark This list is applied to the Cable route map
access-list 102 remark for dynamic NAT to rest of internet
access-list 102 deny ip any 10.2.2.32 0.0.0.31
access-list 102 deny ip 192.168.0.0 0.0.255.255 xxx.yyy.zzz.240 0.0.0.15
access-list 102 deny ip xxx.yyy.zzz.240 0.0.0.15 any
access-list 102 deny ip host 192.168.3.10 any
access-list 102 deny ip host 192.168.3.11 any
access-list 102 deny ip host 192.168.3.12 any
access-list 102 deny ip host 192.168.10.2 any
access-list 102 deny ip host 192.168.1.9 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark This list is applied to the Vlan2 route map
access-list 103 remark to force routing of pacckets from vlan2 to internet
access-list 103 deny ip xxx.yyy.zzz.240 0.0.0.15 xxx.yyy.zzz.240 0.0.0.15
access-list 103 permit ip xxx.yyy.zzz.240 0.0.0.15 any
access-list 104 remark This list is applied to the StaticNat route map
access-list 104 remark to force routing for inside hosts that are statically
access-list 104 remark natted to one of the T1 ip addresses.
access-list 104 deny ip host 192.168.1.9 10.2.2.32 0.0.0.31
access-list 104 deny ip host 192.168.3.10 10.2.2.32 0.0.0.31
access-list 104 deny ip host 192.168.10.2 10.2.2.32 0.0.0.31
access-list 104 deny ip 192.168.0.0 0.0.255.255 xxx.yyy.zzz.240 0.0.0.15
access-list 104 permit ip host 192.168.1.9 any
access-list 104 permit ip host 192.168.3.10 any
access-list 104 permit ip host 192.168.3.11 any
access-list 104 permit ip host 192.168.3.12 any
access-list 104 permit ip host 192.168.10.2 any
access-list 105 deny ip any 10.2.2.32 0.0.0.31
access-list 105 permit ip host 192.168.10.2 any
access-list 106 deny ip any 10.2.2.32 0.0.0.31
access-list 106 permit ip host 192.168.1.9 any
access-list 130 permit ip any 10.2.2.32 0.0.0.31
access-list 130 permit ip host 192.168.3.20 any
access-list 130 remark Access from internal network to Vlan2 (portal)
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq domain
access-list 130 permit udp host 192.168.1.22 host 192.168.4.4 eq 1645
access-list 130 permit udp host 192.168.1.22 host 192.168.4.4 eq 1646
access-list 130 permit udp host 192.168.1.9 host 192.168.4.4 eq tftp
access-list 130 permit udp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq domain
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq telnet
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243 eq telnet
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq 22
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243 eq 22
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq ftp
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243 eq ftp
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq www
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243 eq www
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq 443
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243 eq 443
access-list 130 remark The following are only permitted from tycho and/or cluster1
access-list 130 permit udp host 192.168.1.9 host xxx.yyy.zzz.242 eq ntp
access-list 130 permit udp host 192.168.1.9 host xxx.yyy.zzz.241 eq ntp
access-list 130 permit tcp host 192.168.1.9 host xxx.yyy.zzz.242 eq smtp
access-list 130 permit udp host 192.168.3.10 host xxx.yyy.zzz.242 eq ntp
access-list 130 permit udp host 192.168.3.11 host xxx.yyy.zzz.242 eq ntp
access-list 130 permit udp host 192.168.3.12 host xxx.yyy.zzz.242 eq ntp
access-list 130 permit udp host 192.168.3.10 host xxx.yyy.zzz.241 eq ntp
access-list 130 permit udp host 192.168.3.11 host xxx.yyy.zzz.241 eq ntp
access-list 130 permit udp host 192.168.3.12 host xxx.yyy.zzz.241 eq ntp
access-list 130 permit tcp host 192.168.3.10 host xxx.yyy.zzz.242 eq smtp
access-list 130 permit tcp host 192.168.3.11 host xxx.yyy.zzz.242 eq smtp
access-list 130 permit tcp host 192.168.3.12 host xxx.yyy.zzz.242 eq smtp
access-list 130 remark Port 5432 is for PostgreSQL database access from tycho or cluster1
access-list 130 permit tcp host 192.168.1.9 host xxx.yyy.zzz.242 eq 5432
access-list 130 permit tcp host 192.168.1.9 host xxx.yyy.zzz.243 eq 5432
access-list 130 permit tcp host 192.168.3.10 host xxx.yyy.zzz.242 eq 5432
access-list 130 permit tcp host 192.168.3.10 host xxx.yyy.zzz.243 eq 5432
access-list 130 permit tcp host 192.168.3.11 host xxx.yyy.zzz.242 eq 5432
access-list 130 permit tcp host 192.168.3.11 host xxx.yyy.zzz.243 eq 5432
access-list 130 permit tcp host 192.168.3.12 host xxx.yyy.zzz.242 eq 5432
access-list 130 permit tcp host 192.168.3.12 host xxx.yyy.zzz.243 eq 5432
access-list 130 remark Port 7007 is for apcupsd UPS monitoring
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242 eq 7007
access-list 130 permit tcp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.244 eq 7007
access-list 130 permit icmp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.242
access-list 130 permit icmp 192.168.0.0 0.0.255.255 host xxx.yyy.zzz.243
access-list 130 permit icmp host 192.168.1.9 any echo
access-list 130 permit icmp host 192.168.1.113 any echo
access-list 130 remark Access from internal network to internet
access-list 130 permit tcp any any eq domain
access-list 130 permit udp any any eq domain
access-list 130 permit tcp any any eq telnet
access-list 130 permit tcp any any eq 22
access-list 130 permit tcp any any eq ftp
access-list 130 permit udp any any eq ntp
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 8000
access-list 130 permit tcp any any eq 8080
access-list 130 remark Port 8090 is for Wayne's raquetball score server
access-list 130 permit tcp any any eq 8090
access-list 130 remark port 5999 is for CVS
access-list 130 permit tcp any any eq 5999
access-list 130 remark port 3690 is for Subversion (CVS replacement)
access-list 130 permit tcp any any eq 3690
access-list 130 permit udp 192.168.0.0 0.0.255.255 host 192.168.4.4 eq snmp
access-list 130 permit tcp any any established
access-list 130 deny tcp any any eq 995
access-list 130 deny ip any any log
snmp-server community mrtgmon RO
route-map Vlan2_Map permit 10
match ip address 103
set default interface Serial0/0/0
!
route-map Static_Map permit 10
match ip address 104
set ip default next-hop aaa.bbb.ccc.49
!
route-map Cluster_Map permit 1
match ip address 100
!
route-map Cable_Map permit 10
match ip address 102
!
route-map Altigen_Map permit 1
match ip address 105
!
route-map T1_Map permit 10
match ip address 101
!
route-map tycho_Map permit 1
match ip address 106
!
!
radius-server attribute list 6
!
radius-server host 192.168.3.20 auth-port 1645 acct-port 1646
radius-server host 192.168.1.22 auth-port 1645 acct-port 1646
radius-server retransmit 2
radius-server timeout 15
radius-server key f_sharp
!
control-plane
!
end
