Error when downloading configuration to TFTP - HELPPPPP

morbfrhtc
Level 1

Hi,

I tried to download the current configuration from an already configured PIX515e, but without success. I obtained this message: "Timed out attempting to connect". I have configured the tftp-server command to an outside IP address with a file specified (remote administering). But now I am locally connected in that LAN to the inside interface, so I used the "write net" command with all parameters to avoid the default settings (tftp-server). I wrote "write net XX.XX.XX.XX:new.txt".

When I press enter this output is given to me:

write net XXX.XX.XX.XX:new.txt

Building configuration...

TFTP write 'TFTP-Root/new.txt' at XXX.XX.XX.XX on interface 1

Timed out attempting to connect

[FAILED]

I am connected to interface 1 (inside), as I said. I have all IP settings set correctly (obtained from DHCP), and I am able to ping the PIX from this station and vice versa.

Does anybody have an idea what causes this problem?

Thanks.

5 Replies

jboyer
Level 1

Do you have a TFTP server daemon running on the destination address? Is it writable? Most are configured read-only by default.

On your destination type 'netstat -a -n' and look for UDP port 69 listening - this will be a TFTP server Daemon.

You can get the config to a text file via copy/paste from a 'show run', it will give you the exact same output.
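The two checks in the reply above (is anything answering on UDP port 69, and does it accept writes) can be run from another host with a single TFTP write request. This is an added example, not part of the original thread; the packet layout follows RFC 1350, and the host argument and the file name `probe.txt` are placeholders.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
ERRORS = {1: "file not found", 2: "access violation",
          3: "disk full", 6: "file already exists"}

def build_wrq(filename, mode="octet"):
    """RFC 1350 write request: opcode 2, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_WRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def classify_reply(packet):
    """Turn the server's first reply (or None for no reply) into a diagnosis."""
    if packet is None:
        return "no reply: nothing listening on UDP 69, or a firewall drops it"
    if len(packet) < 4:
        return "malformed reply"
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_ACK and value == 0:
        return "writable: server accepted the write request"
    if opcode == OP_ERROR:
        text = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return "refused: %s (%s)" % (ERRORS.get(value, "code %d" % value), text)
    return "unexpected opcode %d" % opcode

def probe(host, filename="probe.txt", port=69, timeout=3.0):
    """Send one WRQ to your own TFTP server and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_wrq(filename), (host, port))
        try:
            reply, peer = s.recvfrom(516)
        except OSError:  # timeout, or ICMP port unreachable on Windows
            return classify_reply(None)
        result = classify_reply(reply)
        if result.startswith("writable"):
            # Finish cleanly with an empty final DATA block 1; this leaves
            # a zero-length probe file in the server's TFTP root.
            s.sendto(struct.pack("!HH", OP_DATA, 1), peer)
        return result

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py HOST")
```

An "access violation" result points at a read-only server configuration, while "no reply" points at the daemon not running or a host firewall in the path.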

stevep
Level 1

You mention that you have configured the tftp-server command to an outside IP address, yet you describe that you are on the inside of the PIX. Is that correct?

If so you need to delete the tftp-server command and reconfigure it specifying where the tftp-server (your workstation) resides.

Usage: tftp-server []

tftp-server inside 10.0.0.1 ukjpm001

Have you any security configured on your tftp-server which prevents file download? As an example, Solarwinds TFTP-server only allows for receive only once installed. That is, should you wish to upload/download files, you have to explicitly edit the security settings.

Yes, I reside on the inside interface now and I have tftp-server configured to the outside interface. But that doesn't matter because I didn't do this ->

write net :

but this (I configured all the parameters, so it is, as programmers used to say, overridden)

write net XXX.XX.XX.XX:backup.txt

And as I said before, I have permitted receiving and transferring files (on the TFTP server). And of course (because I have WinXP-SP2), I have permitted this software/port to communicate (in Windows firewall). I can ping from the PIX to my workstation and vice versa, and TFTP is configured well because I downloaded an IOS image (for backup) from a CAT4507R one minute ago on that same LAN.

Maybe I am stupid ;-), but "I am at the end".

OK, let's try to simplify this, if you have the following IP addresses assigned to the PIX;

ip address outside 192.168.1.1 255.255.255.0

ip address inside 10.0.0.1 255.255.255.0

ip address DMZ 172.16.0.1 255.255.255.0

and the following tftp-server defined;

tftp-server outside 192.168.1.100 pix_525_config

Obviously you require your host of 192.168.1.100 to have a tftp daemon running on it.

When you issue a wr net, providing that you have no personal firewall blocking access to port 69 on host 192.168.1.100, then it should work fine.

However, let's say that you are now sat at a PC residing on the INSIDE with an IP address of 10.0.0.100/24 and you are running a tftp daemon on it.

When you issue a wr net at the PIX expecting your INSIDE host of 10.0.0.100/24 to receive the config, it's not going to happen. The PIX will attempt to write its config to the tftp-server which resides on the OUTSIDE interface (192.168.1.100). Now if the tftp-server on the OUTSIDE is no longer listening, perhaps because you have closed down the tftp daemon, you will receive the error "Timed out attempting to connect". This is because the PIX cannot write to 192.168.1.100 as it's shut down, and the PIX does not know about host 10.0.0.100 in terms of it being a defined tftp-server.

Does this make sense to you?

YES, it's clear ;o). I was sure (I read it - maybe I didn't understand it properly) that when I define all parameters in the "write net" command (IP addr., path), the settings already set in the tftp-server command will be ignored. Like this:

When tftp-server is set (example):

tftp-server outside 192.168.10.5:backup

write net :

(in this case the settings in tftp-server are used)

OR

write net 193.10.4.5:backup.txt

(the settings in tftp-server are ignored)

So, now it seems that I was mistaken ;-(.