10-28-2012 08:55 PM - edited 03-11-2019 05:15 PM
I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? Here is my config:
ip inspect name trust icmp
ip inspect name trust udp
ip inspect name trust tcp
!
interface FastEthernet0
ip address x.y.z.1 (public)
ip access-group 100 in
no ip unreachables
no ip proxy-arp
ip inspect trust in
no ip route-cache
!
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq tftp
The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic to be "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp" but that didn't help.
10-28-2012 11:16 PM
Hello Mister,
You need the router-traffic command in order to inspect traffic generated from the router itself.
So it will look like:
ip inspect test tftp router-traffic
Regards,
Remember to rate all of the helpful posts
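Putting the answer together with the asker's own rule set, here is an added example configuration (not from the original post or from Cisco's documentation). It assumes the router-traffic keyword is accepted for the tftp inspection protocol on this IOS release, as the accepted answer states; the inspection name "trust" and access-list 100 are the asker's, and the 192.0.2.10 server address is a placeholder. The point of using the tftp inspection rather than plain udp is that a TFTP server answers from a freshly chosen source port rather than from port 69, so a generic UDP session entry keyed on port 69 would never match the returning data.

```cisco
! Added example built on the asker's configuration; not a config from the
! original post. Assumes "tftp router-traffic" is accepted on this IOS release.
ip inspect name trust icmp
ip inspect name trust udp
ip inspect name trust tcp
! Without router-traffic, CBAC ignores sessions the router itself originates
! (for example "copy tftp: flash:") and never opens the reverse hole in
! access-list 100 for the TFTP data blocks coming back.
ip inspect name trust tftp router-traffic
!
interface FastEthernet0
 ip access-group 100 in
 ip inspect trust in
!
access-list 100 permit tcp any any eq 22
! The existing "any any eq tftp" line narrowed to the one internal server
! that actually needs to be reachable (192.0.2.10 is a placeholder).
access-list 100 permit udp any host 192.0.2.10 eq tftp
```

While the copy is running, "show ip inspect sessions" should list the router-originated TFTP session; "show ip inspect config" confirms that the router-traffic keyword was actually stored with the tftp rule.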
10-28-2012 08:57 PM
Also I just thought I would add, I am not interested in moving to ZBF just yet, I just need to get this single thing working. Thanks,
10-29-2012 02:12 AM
Hi,
http://blog.ioshints.info/2009/06/tftp-server-protection-with-cbac.html
Regards.
Alain
Don't forget to rate helpful posts.