Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1232
Views
4
Helpful
3
Replies

CBAC and self-generated traffic (tftp)?

Go to solution
Mister Cartwright
Level 1
Level 1

‎10-28-2012 08:55 PM - edited ‎03-11-2019 05:15 PM

I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can preform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put in a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC cacthing the TFTP outbound? Here is my config:

ip inspect name trust icmp

ip inspect name trust udp

ip inspect name trust tcp

!

interface FastEthernet0

ip address x.y.z.1 (public)

ip access-group 100 in

no ip unreachables

no ip proxy-arp

ip inspect trust in

no ip route-cache

!

access-list 100 permit tcp any any eq 22

access-list 100 permit udp any any eq tftp

The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic be "caught" by CBAC but that didn't work. I also tried adding "ip inspect name trust tftp" but that didn't help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Mister Cartwright

‎10-28-2012 11:16 PM

Hello Mister,

You need the router-traffic command in order to inspect traffic generated from the router itself.

So it will look like:

ip inspect test tftp router-traffic

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mister Cartwright
Level 1
Level 1

‎10-28-2012 08:57 PM

Also I just thought I would add, I am not interested in moving to ZBF just yet, I just need to get this single thing working. Thanks,

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Mister Cartwright

‎10-28-2012 11:16 PM

Hello Mister,

You need the router-traffic command in order to inspect traffic generated from the router itself.

So it will look like:

ip inspect test tftp router-traffic

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Mister Cartwright

‎10-29-2012 02:12 AM

Hi,


http://blog.ioshints.info/2009/06/tftp-server-protection-with-cbac.html

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card