02-11-2003 05:08 PM - edited 02-20-2020 10:33 PM
Trying to set up a conduit to a statically configured inside,outside address, using
conduit permit udp host (External Address) eq tftp any
I can attach to the internal address and download a file via TFTP from the inside (using a laptop configured with an internal address), but when I try to download the file from the outside (same laptop connected to our external network with an external address) I always receive a timeout. I can hit the www port with the web browser but not the tftp port with a TFTP client. If this is possible, how can I do it? I am trying to set up automatic client updates for my VPN 3002 clients and it is not working.
Thanks
Bruce Jones
02-11-2003 06:41 PM
Certainly should be possible, but it's hard to tell with the info you've given. Is the static a one-to-one static or a port static? Is the WWW port that is working associated with the same static, and therefore the same internal server?
What does the PIX syslog show when you try to start a TFTP connection? That'll give you the most information about what's going on.
02-13-2003 03:44 PM
Problem solved but new info below.
The configured static is a single external to single internal IP address translation, with a conduit permit over the top allowing tftp into the port (external address in the command for conduit permit). The www site is on the same internal server as tftp.
Example: external address is 198.133.219.25, internal address is 192.168.200.111 (not my actual IPs, using bogus ones).
Commands in the PIX:
static (inside,outside) 198.133.219.25 192.168.200.111 netmask 255.255.255.255 0 0
conduit permit tcp host 198.133.219.25 eq www any
conduit permit udp host 198.133.219.25 eq tftp any
No other translations to either of these addresses.
Okay now new info.
I was able to connect to the tftp while directly connected to the outside network with a laptop, but not from behind the VPN 3002 translation (split tunneling enabled). Probably something to do with translation of ports below 1024. The 3002 was what I wanted to TFTP to for the update. It would start the connection to the external tftp server address and act like it was going to download, but never actually started the transfer. I know this from the server log.
SOLUTION:
I then decided to change the tftp address in the autoupdate on the main concentrator to point to the internal address of the tftp server, which was reachable after the tunnel was established. The VPN 3002 was able to pull the file from the tftp server and update itself. Thanks for your help.
BJ
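The behaviour described in the last post (a direct laptop succeeds, a client behind the VPN 3002's translation stalls after the request) is worth modelling, because a TFTP server answers a request sent to UDP/69 from a new ephemeral port (the transfer ID in RFC 1350), so a plain port-address translator sees the first DATA block as an unsolicited inbound datagram and drops it. This added Python example is not from the thread or from Cisco; it models a hypothetical PAT table (`PatDevice`), with and without TFTP inspection, using the thread's bogus server address 198.133.219.25 and a constructed inside client and filename.

```python
import struct

RRQ, WRQ = 1, 2   # TFTP opcodes (RFC 1350)

def build_rrq(filename, mode="octet"):
    """TFTP read request: opcode 1, then NUL-terminated filename and mode."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

class PatDevice:
    """Toy model of a port-address translator (hypothetical, not Cisco code).

    Plain PAT remembers only the exact remote (ip, port) an inside flow sent
    to.  A TFTP server answers a request sent to UDP/69 from a *new* ephemeral
    port, so its first DATA block matches no entry and is dropped unless the
    translator inspects TFTP and opens a pinhole for any port on that server.
    """
    def __init__(self, tftp_aware=False):
        self.tftp_aware = tftp_aware
        self.xlate = {}      # outside_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.pinholes = {}   # (remote_ip, outside_port) -> (inside_ip, inside_port)
        self.next_port = 1024

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port, payload):
        """Translate an inside->outside datagram; returns the outside source port."""
        outside_port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[outside_port] = (inside_ip, inside_port, remote_ip, remote_port)
        opcode = struct.unpack("!H", payload[:2])[0]
        if self.tftp_aware and remote_port == 69 and opcode in (RRQ, WRQ):
            self.pinholes[(remote_ip, outside_port)] = (inside_ip, inside_port)
        return outside_port

    def inbound(self, remote_ip, remote_port, outside_port):
        """Return the inside (ip, port) a reply is forwarded to, or None if dropped."""
        entry = self.xlate.get(outside_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]
        return self.pinholes.get((remote_ip, outside_port))

def simulate(tftp_aware):
    """Client behind PAT reads a file from the thread's (bogus) outside TFTP server."""
    pat = PatDevice(tftp_aware)
    # Constructed inside address and request; 198.133.219.25 is the thread's example.
    oport = pat.outbound("192.168.1.10", 2001, "198.133.219.25", 69, build_rrq("update.bin"))
    # The server's DATA block 1 arrives from a fresh transfer ID (port 3456), not port 69.
    return pat.inbound("198.133.219.25", 3456, oport)

if __name__ == "__main__":
    print("plain PAT :", simulate(False))   # None -> reply dropped, client times out
    print("tftp-aware:", simulate(True))    # ('192.168.1.10', 2001) -> transfer proceeds
```

The poster's fix (pointing the autoupdate at the inside address reachable through the tunnel) avoids the translation entirely, which is why it worked without any TFTP-aware pinhole.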