TFTP through NAT/PAT

harris-ross
Level 1

May I please ask how I would be able to allow my router to pass TFTP traffic through my PIX 501 firewall? The firewall is NAT/PAT enabled. My router is also NAT/PAT enabled. I am aware I need an access-list but not sure how to write it. The router is public facing while the firewall is sitting between the router and the LAN.

Any help is kindly appreciated.

Tony


7 Replies

sachinraja
Level 9

Hello Tony,

From your query, I can understand that your TFTP server is on the inside LAN and you want to update the IOS of the router from outside. Is that right? Or do you need to access the TFTP server from elsewhere?

If you want to access the TFTP server from the router, the router must see the TFTP server through its private IP or any other statically NATted IP. The best way to go about it is not to NAT the TFTP server IP address when it goes out to reach the router. You can do this with the following commands:

nat (inside) 0 access-list nonat

access-list nonat permit ip host 192.168.1.10 (TFTP server IP address) host 203.1.1.1 (Router FE IP address)

You also need to open the TFTP port from outside:

access-list outside permit tcp host 203.1.1.1 host 192.168.1.10 eq 69

Hope this helps.. all the best..

Raj

Raj

Please see what I have done below but it still does not work?

1. access-list TFTP permit tcp host 172.31.254.1 host 10.0.0.4 eq 69

172.31.254.1 = inside interface of router

10.0.0.4 = PC on the LAN running TFTP

2. access-list TFTPserver permit ip host 10.0.0.4 host 172.31.254.1

3. nat 0 access-list TFTPserver

4. I have then applied access-list as follows:

access-group TFTPserver in interface outside

access-group TFTP in interface outside

Please let me know where I am going wrong?

Raj, please note that both the router and the PIX firewall are NAT/PAT enabled.

cheers

Tony

Hi Tony,

I'm sorry.. you need to open UDP 69. Try opening this and then do a tftp from the router.. your other configs look fine. Just change this access-list:

access-list TFTP permit UDP host 172.31.254.1 host 10.0.0.4 eq 69

Also make sure you have this:

fixup protocol tftp 69

All the best..

Raj

I have tried that, still no joy? Raj, please write for me all access-list lines and nat commands as they need to be; also let me know which interface to apply the access-lists to. This way I can be sure I am not missing something or doing something wrong.

much appreciated.

Thank you

Tony

hi tony,

considering these facts,

tftp server ip - 10.0.0.4

router ip - 172.16.0.1 (say)

you need to configure the following:

nat (inside) 0 access-list nonat

access-list nonat permit ip host 10.0.0.4 host 172.16.0.1

access-list outside permit udp host 172.16.0.1 host 10.0.0.4 eq 69 (to allow tftp)

access-group outside in interface outside

I think you have configured all these right.. I think you might have left out the route in the router to 10.0.0.4 pointing to the PIX outside.. please check this..

ip route 10.0.0.4 255.255.255.255 x.x.x.x (PIX outside)

make sure you are able to ping 10.0.0.4 from the router.... then try doing tftp..

hope this helps.. all the best.. rate replies if found useful...

Raj
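A small checker for the mistakes this thread walks through, added here as an example (it is not from the thread or from Cisco): it parses the PIX lines Tony posted (constructed from the thread, with `nat 0` written with its interface and Raj's `fixup` line added) and Raj's accepted solution, and flags TCP on port 69, more than one access-group on one interface, a missing udp/69 permit, a missing `nat 0` exemption for the server, and a missing TFTP fixup.

```python
import re
# Constructed from the thread: the PIX lines Tony posted (nat 0 shown with its
# interface, plus the fixup line Raj asked for) and Raj's accepted solution.
TONYS_CONFIG = """
access-list TFTP permit tcp host 172.31.254.1 host 10.0.0.4 eq 69
access-list TFTPserver permit ip host 10.0.0.4 host 172.31.254.1
nat (inside) 0 access-list TFTPserver
access-group TFTPserver in interface outside
access-group TFTP in interface outside
fixup protocol tftp 69
"""
ACCEPTED_SOLUTION = """
nat (inside) 0 access-list nonat
access-list nonat permit ip host 10.0.0.4 host 172.16.0.1
access-list outside permit udp host 172.16.0.1 host 10.0.0.4 eq 69
access-group outside in interface outside
fixup protocol tftp 69
"""
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) host (\S+) host (\S+)(?: eq (\d+))?$")
NAT0_RE = re.compile(r"^nat(?: \(\S+\))? 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def check_tftp_config(config: str, server_ip: str) -> list[str]:
    acls, groups, exempt, fixup, findings = {}, {}, set(), False, []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := ACL_RE.match(line):  # ACL entries kept as (proto, src, dst, port)
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            exempt.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(2), []).append(m.group(1))
        elif line == "fixup protocol tftp 69":  # PIX then tracks the data channel
            fixup = True                        # the server opens on a new port
    for name, entries in acls.items():  # TFTP is UDP: "permit tcp ... eq 69" never matches
        for proto, _, _, port in entries:
            if port == "69" and proto.lower() != "udp":
                findings.append(f"ACL {name}: port 69 needs udp, not {proto}")
    for iface, names in groups.items():  # one access-group per interface; last entered wins
        if len(names) > 1:
            findings.append(f"interface {iface}: only access-group {names[-1]} is active")
    active = acls.get(groups.get("outside", [None])[-1], [])  # the ACL actually applied
    if not any(p.lower() == "udp" and d == server_ip and port == "69" for p, _, d, port in active):
        findings.append(f"outside: no active udp/69 permit to {server_ip}")
    # nat 0 must reference an ACL that covers the server, or its address is translated
    if not any(s == server_ip for n in exempt for _, s, _, _ in acls.get(n, [])):
        findings.append(f"no nat 0 exemption covering {server_ip}")
    if not fixup:
        findings.append("fixup protocol tftp 69 missing")
    return findings
```

Run against Tony's lines it reports three findings (TCP on 69, two access-groups on outside, no active udp/69 permit); Raj's accepted solution comes back clean, and the router static route from the last reply is outside what a PIX config check can see.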

Top CCIE, it has worked, the static route entry to my LAN on the router was the missing link. Thanks a million.

cheers pal

Tony

thanks dude. you can mail me at raja_ccie@yahoo.com in future. keep in touch..

all the best..
