Re: TFTP over PIX to PIX IPSec VPN?

ryandibble · ‎08-20-2007

Hi all,

I am trying to use TFTP to copy a capture off of a remote PIX to a TFTP server that is located on the HQ private LAN. An IPSec tunnel exists between the two sites, and I have added the outside interface of the remote PIX to the VPN. The server is pingable from the remote PIX, but the TFTP session will not connect.

The remote PIX is running PIX OS 6.3(1) and the HQ PIX is running 7.2(1).

I have seen some similar queries on these forums over the last couple of years, but no definitive answers. If anyone can give me a hand here, i'd greatly appreciate it.

Thanks in advance,

Ryan

rigoberto.cintron · ‎08-20-2007

Did you specify the TFTP inthe PIX config?

tftp-server outside X.X.X.X

ryandibble · ‎08-20-2007

Yes, I've tried that. Unfortunately, that did not seem to help.

winagents · ‎08-21-2007

Hi Ryan,

TFTP uses random UDP ports to transfer data. This protocol uses UDP port 69 only to initiate transfer. To enable TFTP in your network please try the following:

1. Configure TFTP fixup on both firewalls using the following command:

fixup protocol tftp 69

2. Enable traffic to server's UDP port 69 from your remote firewall

3. Specify TFTP server address on the remote firewall using 'tftp-server' command.

If it will not help, try to permit _all_ UDP traffic in both directions between your remote PIX and the server. If you don't want to open all UDP ports, you can use TFTP server which support data transfer through UDP port 69 only (for example, the TFTP server which we develop does it). It is enough to open only UDP port 69 in this case.

--

Sincerely

Oleg Malkov

WinAgents Software Group

ryandibble · ‎08-22-2007

Thanks for the suggestions, Oleg, but I don't think this will help me out. I need the TFTP transmission to be within the confines of the already-established VPN tunnel, as I don't want to send the capture unencrypted across the Internet.

-Ryan