Save running-config out WAN port?

cluovpemb · ‎01-21-2013

Hi all. As I look at the thread headings fo rthe other posts I'm struck by how simple my request must seem I hope this is an easy one!

Using 891W routers, I would like to be able to save the running-config out the WAN port (gig0). The most common scenario is that I am SSH'd into a router, but the LAN doesn't have a TFTP server nor is it ideal to put one in there. So I want to save the routers config to myself here somehow

The site that has the rotuer I want to save from is connected via L2L IPSec VPN to head office, and through that tunnel I can ping, RDP, whatever. However, I cannot save the running-config even to a machine on that LAN that has a TFTP server. It just seems TFTP is blocked by default from sending anything out on the WAN port. I've enabled all traffic between these two routers in the ZBFW, but still it doesn't work. I think blocking TFTP from sending out the WAN port might be hard-coded into the IOS or something.

Anybody have thoughts on this? Thank you.

Julio Carvajal · ‎01-21-2013

Hello Colin,

Do you see a log from the ZBFW while you perform the TFTP transaction??

Are you using self-zones??

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cluovpemb · ‎01-22-2013

Hi Julio,

Self zones in use are only the OUT-SELF. No SELF-OUT. The L2L VPN works now. The ZBFW setup to allow the VPN to work is one ACL within a 2nd class map inside the OUTSIDE-INSIDE policy map allowing all traffic from one LAN network to the other and this is set on both routers (inversing the network IDs of course). Also to allow the VPN tunnel itself to form, there is an ACL in a 2nd class map on within the OUT-SELF policy map, which allows traffic between the two rouer WAN port IP's (allowing port 500, non500, and all esp).

But what confuses me is this. If I edit that ACL governing the two VPN endpoints, so that instead of just port 500 and such I also say to permit ip any any, I can for example SSH from one router CLI to the other router CLI, whereas without adding this entry to the ACL, I cannot so I know failry surely that this perit ip any any opens any traffic between the two routers.

But this is likely where my lack of understanding of VPN comes in. I imagine I am not actually sending TFTP files through the VPN then...in effect I'm trying to send a TFTP file from one router, to the LAN side of the other router. Perhaps not possible?

I'm actally confusing myself here the more I type. I'll leave this post for now, read Alain's and will reply there.

Julio Carvajal · ‎01-22-2013

Hello Colin,

Yeah, just try to use a Pass rule between the self-out, out-self so this can work

You could also add the

ip inspect log drop-pkt

so you can determine where the packet is being dropped,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cluovpemb · ‎01-23-2013

Sorry Julio, I just realized I never answered about the packet log. Well first of all, there is no self-out zone pair, just out-self. As I udnerstand it, no self-out means that since no pair is defined, all traffic in that direction is allowed. but in any case, I didn't see anything in the packet log, I think, however I'll try it again today to be sure. Both routers were accessed via ssh and perhaps I forgot to do terminal monitor to see the console output. Can't troubleshoot much if I don't even know what's blocking it right? Will post back again later.

Julio Carvajal · ‎01-23-2013

Hello,

As soon as you set a zone-pair for the self-zone traffic on the opposite way will be restricted ( This is the default behavior for any zone)

Please provide the logs and add the out-self self-out zone-pair

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cadet alain · ‎01-21-2013

Hi,

ZBF can't inspect TFTP because the intial traffic from client to server goes to UDP port 69 but the return traffic comes from a high number port that is not 69. So you'll have to do a policy-map that has an action of pass from your TFTP server and apply it on a zone-pair with source as zone where this server is located and destination is the zone where the client is located.

Regards.

Alain

Don't forget to rate helpful posts.

cluovpemb · ‎01-22-2013

I guess where I get confused most with this is that the destination is the TFTP server on the Inside zone (LAN) on one router, and the source is the self zone on a different router.

What is really confusing me is this VPN thing. I have much reading to do still (I'm still not at the VPN/security portion of my CCNA study), but as I undeerstand it, anything destined for the LAN of the remote router will tunnel through the VPN. With that in mind, my current setup is to allow all traffic between the two LANs via a simple permit ip any any ACL on each router and an nispect action applied. Via this tunnel I can ping, do RDP, and so on. However this is from LAN to LAN, not Router1 to LAN on the other router. Hence why I thought also having permit ip any any on the ACL governing the traffic from one router's WAN IP to the local router's WAN IP would do it.

But now that I think about it, back when I had these routers in the lab and not in production, before I even knew what ZBFW was , I aso could not TFTP out of the WAN port I don't think. If only I could test right now!