11-30-2004 08:27 PM - edited 03-02-2019 08:18 PM
May I please ask how I would be able to allow my router to pass TFTP traffic through my Pix 501 firewall? The firewall is NAT/PAT enabled. My router is also NAT/PAT enabled. I am aware I need an access-list but am not sure how to write it. The router is public facing while the firewall is sitting between the router and the LAN.
Any help is kindly appreciated.
Tony
12-01-2004 03:04 AM
Hello Tony,
From your query, I understand that your TFTP server is on the inside LAN and you want to update the IOS of the router from outside. Is that right? Or do you need to access the TFTP server from elsewhere?
If you want to access the TFTP server from the router, the router must see the TFTP server through its private IP or another statically NATted IP. The best way to go about it is not to NAT the TFTP server's IP address when it goes out to reach the router. You can do this with the following commands:
nat (inside) 0 access-list nonat
access-list nonat permit ip host 192.168.1.10 (TFTP server IP address) host 203.1.1.1 (Router FE IP address)
You also need to open the TFTP port from outside:
access-list outside permit tcp host 203.1.1.1 host 192.168.1.10 eq 69
Hope this helps. All the best.
Raj
12-01-2004 11:28 AM
Raj
Please see what I have done below, but it still does not work.
1. access-list TFTP permit tcp host 172.31.254.1 host 10.0.0.4 eq 69
172.31.254.1 = inside interface of router
10.0.0.4 = PC on the LAN running TFTP
2. access-list TFTPserver permit ip host 10.0.0.4 host 172.31.254.1
3. nat 0 access-list TFTPserver
4. I have then applied access-list as follows:
access-group TFTPserver in interface outside
access-group TFTP in interface outside
Please let me know where I am going wrong.
Raj, please note that both the router and the Pix firewall are NAT/PAT enabled.
cheers
Tony
12-01-2004 09:18 PM
Hi Tony,
I'm sorry, you need to open UDP 69. Try opening this and then do a TFTP from the router. Your other configs look fine. Just change this access-list:
access-list TFTP permit udp host 172.31.254.1 host 10.0.0.4 eq 69
Also make sure you have this:
fixup protocol tftp 69
All the best.
Raj
12-02-2004 08:34 AM
I have tried that, still no joy. Raj, please write for me all access-list lines and NAT commands as they need to be; also let me know which interface to apply the access-lists to. This way I can be sure I am not missing something or doing something wrong.
much appreciated.
Thank you
Tony
12-02-2004 09:03 AM
Hi Tony,
Considering these facts:
tftp server ip - 10.0.0.4
router ip - 172.16.0.1 (say)
you need to configure the following:
nat (inside) 0 access-list nonat
access-list nonat permit ip host 10.0.0.4 host 172.16.0.1
access-list outside permit udp host 172.16.0.1 host 10.0.0.4 eq 69 (to allow tftp)
access-group outside in interface outside
I think you have configured all these right. I think you might have left out the route in the router to 10.0.0.4 pointing to the PIX outside. Please check this:
ip route 10.0.0.4 255.255.255.255 x.x.x.x (PIX outside)
Make sure you are able to ping 10.0.0.4 from the router, then try doing TFTP.
Hope this helps. All the best. Rate replies if found useful.
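The two PIX pieces in this thread, the outside access-list for UDP 69 and `fixup protocol tftp 69`, are easier to reason about with the protocol exchange in front of you. What follows is an added example, not part of the original thread and not Cisco code: a small Python TFTP packet codec plus a toy stateful firewall with an inside and an outside interface. It uses the thread's addresses (router 172.16.0.1, TFTP server 10.0.0.4); the ephemeral ports, filename and payload are constructed, and NAT is not modelled (the thread exempts the server with `nat 0`). It also goes beyond the thread's own case: `run_transfer()` walks RRQ, DATA and ACK through the model both for the thread's direction (client on the outside, server inside) and for the reverse direction (client inside), where the server's reply arrives on the outside from a port other than 69 and only the pinhole learned by inspecting the request lets it through.

```python
"""TFTP (RFC 1350) on the wire, and the firewall state a transfer needs.

Constructed example. A TFTP client sends RRQ/WRQ to UDP 69 from an
ephemeral port; the server answers from a *new* ephemeral port (its TID),
never from 69. ToyPix models a stateless ACL on the outside interface and
request inspection ('fixup protocol tftp 69') that learns a pinhole.
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
TFTP_PORT = 69


def build_request(op, filename, mode="octet"):
    """RRQ/WRQ: opcode | filename | NUL | mode | NUL."""
    if op not in (OP_RRQ, OP_WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return struct.pack("!H", op) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block, payload):
    """DATA: opcode | block# | up to 512 bytes (a short block ends the transfer)."""
    if len(payload) > 512:
        raise ValueError("TFTP data block is at most 512 bytes")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def parse(pkt):
    """Decode one TFTP packet, rejecting malformed ones the way inspection does."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (OP_RRQ, OP_WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("RRQ/WRQ filename and mode must be NUL-terminated")
        mode = fields[1].decode("ascii").lower()
        if mode not in ("netascii", "octet", "mail"):
            raise ValueError("unknown transfer mode %r" % mode)
        return {"op": op, "filename": fields[0].decode("ascii"), "mode": mode}
    if op in (OP_DATA, OP_ACK):
        return {"op": op, "block": struct.unpack("!H", pkt[2:4])[0], "data": pkt[4:]}
    if op == OP_ERROR:
        msg = pkt[4:].split(b"\0")[0].decode("ascii", "replace")
        return {"op": op, "code": struct.unpack("!H", pkt[2:4])[0], "msg": msg}
    raise ValueError("unknown TFTP opcode %d" % op)


class ToyPix:
    """inside->outside is permitted and creates a conn; outside->inside must match
    a conn, a TFTP pinhole, or an outside ACL entry (src_ip, dst_ip, dst_port)."""

    def __init__(self, outside_acl, inspect_tftp):
        self.acl = set(outside_acl)
        self.inspect_tftp = inspect_tftp
        self.conns = set()     # 4-tuples, stored in both directions
        self.pinholes = set()  # (server_ip, client_ip, client_port): any server port

    def _open(self, src_ip, src_port, dst_ip, dst_port):
        self.conns.add((src_ip, src_port, dst_ip, dst_port))
        self.conns.add((dst_ip, dst_port, src_ip, src_port))
        return True

    def _inspect_request(self, src_ip, src_port, dst_ip, payload):
        try:
            parse(payload)  # junk sent to 69 is dropped even if the ACL permits the port
        except ValueError:
            return False
        self.pinholes.add((dst_ip, src_ip, src_port))  # server may answer from any port
        return True

    def packet(self, iface, src_ip, src_port, dst_ip, dst_port, payload=b""):
        """Return True if the packet is forwarded, False if dropped."""
        if (src_ip, src_port, dst_ip, dst_port) in self.conns:
            return True
        if iface == "outside":
            if self.inspect_tftp and (src_ip, dst_ip, dst_port) in self.pinholes:
                self.pinholes.discard((src_ip, dst_ip, dst_port))  # one-shot, then a conn
                return self._open(src_ip, src_port, dst_ip, dst_port)
            if (src_ip, dst_ip, dst_port) not in self.acl:
                return False
        if dst_port == TFTP_PORT and self.inspect_tftp:
            if not self._inspect_request(src_ip, src_port, dst_ip, payload):
                return False
        return self._open(src_ip, src_port, dst_ip, dst_port)


def run_transfer(pix, client_ip, client_iface, server_ip, server_iface):
    """Walk RRQ -> DATA#1 -> ACK#1 through the firewall; stop at the first drop."""
    client_port, server_tid = 1025, 49152  # constructed ephemeral ports
    steps = [
        ("RRQ", client_iface, client_ip, client_port, server_ip, TFTP_PORT,
         build_request(OP_RRQ, "c501.bin")),
        ("DATA1", server_iface, server_ip, server_tid, client_ip, client_port,
         build_data(1, b"constructed image bytes")),
        ("ACK1", client_iface, client_ip, client_port, server_ip, server_tid,
         build_ack(1)),
    ]
    result = []
    for name, iface, sip, sport, dip, dport, pl in steps:
        ok = pix.packet(iface, sip, sport, dip, dport, pl)
        result.append((name, ok))
        if not ok:
            break
    return result


# Thread topology: router (TFTP client) outside, TFTP server inside, ACL on outside.
ACL = [("172.16.0.1", "10.0.0.4", TFTP_PORT)]
if __name__ == "__main__":
    print(run_transfer(ToyPix(ACL, False), "172.16.0.1", "outside", "10.0.0.4", "inside"))
    print(run_transfer(ToyPix([], False), "10.0.0.4", "inside", "172.16.0.1", "outside"))
    print(run_transfer(ToyPix([], True), "10.0.0.4", "inside", "172.16.0.1", "outside"))
```

Running the block prints three results. In the thread's topology the transfer passes with the ACL alone: the server's DATA leaves the higher-security inside interface, creating the conn that the router's ACK then matches. With the client inside, DATA1 is dropped without inspection, because it arrives on the outside from port 49152 rather than 69 and matches no conn, and is forwarded once the request has been inspected. In the model, inspection also drops non-TFTP payloads sent to port 69, which is the reason to keep the fixup on even when the access-list already permits the port.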
12-02-2004 10:33 AM
Raj
Top CCIE, it has worked; the static route entry to my LAN on the router was the missing link. Thanks a million.
cheers pal
Tony
12-02-2004 01:41 PM
Thanks, dude. You can mail me at raja_ccie@yahoo.com in future. Keep in touch.
All the best.