11-06-2009 08:23 AM - edited 03-04-2019 06:38 AM
Here is the access-list running on a VPN 1811 router. The user can't TFTP to our local server 192.168.117.29.
access-list 1 permit 192.168.157.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 192.168.157.0 0.0.0.255
access-list 2 deny any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 25 permit 192.168.0.0 0.0.255.255
access-list 101 permit udp ...213.176.0 0.0.0.255 any eq 10000
access-list 101 permit udp xxx176.0 0.0.0.255 any eq non500-isakmp
access-list 101 permit udp xxxx76.0 0.0.0.255 any eq isakmp
access-list 101 permit esp xxxx.0 0.0.0.255 any
access-list 101 permit ahp xxxx 0.0.0.255 any
access-list 101 permit udp xxx72.0 0.0.0.255 any eq 10000
access-list 101 permit udp xxxx72.0 0.0.0.255 any eq non500-isakmp
access-list 101 permit udp xxx72.0 0.0.0.255 any eq isakmp
access-list 101 permit esp xxxx.0 0.0.0.255 any
access-list 101 permit ahp xxx0 0.0.0.255 any
access-list 101 permit udp host 195.6.1.1 eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 is applied to the outside interface "in"
access-list 100 is applied to vlan interfaces "in"
11-06-2009 09:37 AM
Richard
There is no statement in access list 101 that permits TFTP. And access list 101 has deny ip any any at its bottom. As you may remember in access lists that end with deny ip any any, any thing that is not permitted is denied.
So yes your access list is denying the TFTP traffic.
HTH
Rick
11-06-2009 10:03 AM
Hi rick,
My question would be: since the TFTP request to download a file is coming from the PC, wouldn't the access list that is blocking it be applied to the interface closest to the PC?
In this case the inside interface.
I can find access list 100 on this router, but here is access list 100
on a VPN/router that is having the same issue.
Extended IP access list 100
10 deny ip host 255.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 permit ip any any (68002 matches)
interface Vlan1
description Inside VPN Enable
ip address 192.168.161.1 255.
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
no autostate
and access list 100 is applied to the "internet" connection
interface FastEthernet0
description Outside
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
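The two points in this exchange, Rick's reminder that an IOS access list is evaluated top-down with first match winning and everything else falling into the implicit deny, and the contrast between ACL 101 on the outside interface and ACL 100 on Vlan1, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small simulator of numbered extended ACL evaluation run over the legible entries of ACL 101 and over ACL 100 rewritten from the `show access-lists` output above into `access-list` form. The redacted `xxx` lines are omitted, and the packet addresses (a PC at 192.168.161.20, a remote host at 203.0.113.5) are constructed for the illustration.

```python
"""Simulate Cisco IOS numbered extended ACL evaluation: entries are checked top-down,
the first match wins, and a packet matching nothing hits the implicit 'deny ip any any'.
Added example for this thread; it is not IOS code and models only the syntax used here."""
import ipaddress

# Service names as IOS prints them; restricted to those that appear in the thread.
PORT_NAMES = {"tftp": 69, "domain": 53, "isakmp": 500, "non500-isakmp": 4500,
              "bootps": 67, "bootpc": 68}
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable"}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _eq(tok, i):
    """Optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [ICMP-TYPE]' lines.
    Only numbered extended ACLs (100-199) are handled; any other line is ignored."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
            continue
        rule = {"action": tok[2], "proto": tok[3], "text": line.strip()}
        rule["src"], i = _addr(tok, 4)
        rule["sport"], i = _eq(tok, i)
        rule["dst"], i = _addr(tok, i)
        rule["dport"], i = _eq(tok, i)
        rule["icmp_type"] = tok[i] if i < len(tok) and tok[i] in ICMP_TYPES else None
        rules.append(rule)
    return rules


def _in_range(addr, base_wild):
    base, wild = base_wild
    care = ~wild & 0xFFFFFFFF  # wildcard bit 0 = must match, bit 1 = don't care
    return (addr & care) == (base & care)


def evaluate(rules, pkt):
    """Return (action, rule index) for the first matching entry, or ('deny', None)
    when the packet falls through to the implicit deny at the end of the list."""
    for n, rule in enumerate(rules):
        if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
            continue
        if not _in_range(_ip(pkt["src"]), rule["src"]) or not _in_range(_ip(pkt["dst"]), rule["dst"]):
            continue
        if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
            continue
        if rule["icmp_type"] is not None and rule["icmp_type"] != pkt.get("icmp_type"):
            continue
        return rule["action"], n
    return "deny", None


# ACL 101 as applied inbound on the outside interface: the entries legible in the thread,
# with the redacted 'xxx' VPN-peer lines left out (constructed sample, same order as posted).
ACL_101 = """
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
"""

# ACL 100 (inbound on Vlan1) rewritten from the 'show access-lists' output into config form.
ACL_100 = """
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""

# Constructed packets: addresses 192.168.161.20 and 203.0.113.5 are assumptions for this example.
TFTP_FROM_PC = {"proto": "udp", "src": "192.168.161.20", "sport": 49152,
                "dst": "192.168.117.29", "dport": PORT_NAMES["tftp"]}
TFTP_FROM_OUTSIDE = {"proto": "udp", "src": "203.0.113.5", "sport": 49152,
                     "dst": "192.168.117.29", "dport": PORT_NAMES["tftp"]}
DNS_REPLY = {"proto": "udp", "src": "4.2.2.2", "sport": 53,
             "dst": "192.168.161.20", "dport": 40000}


def explain(acl_text, pkt):
    """Human-readable verdict naming the entry that decided the packet."""
    rules = parse_acl(acl_text)
    action, n = evaluate(rules, pkt)
    hit = rules[n]["text"] if n is not None else "(implicit deny ip any any)"
    return f"{action}: {hit}"


if __name__ == "__main__":
    print("PC -> server via Vlan1 / ACL 100 :", explain(ACL_100, TFTP_FROM_PC))
    print("outside -> server via ACL 101   :", explain(ACL_101, TFTP_FROM_OUTSIDE))
    print("DNS reply via ACL 101           :", explain(ACL_101, DNS_REPLY))
```

Running it shows why the direction question matters: the TFTP request from the PC is permitted by ACL 100 on Vlan1 (entry 30, `permit ip any any`), while a TFTP request arriving on the outside interface is dropped by the last line of ACL 101, and would still be dropped by the implicit deny if that line were removed. The UDP port-69 request only ever passes ACL 101 if an explicit `permit udp ... eq tftp` sits above the deny entries, which is the gap Rick points out.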
11-06-2009 10:31 AM
Richard
In your original post you say: "The user can't TFTP to our local server 192.168.117.29" and this led me to assume that the user was remote. Now you seem to be saying that the user is local. Perhaps I need to ask you for clarification about the topology. Where is the user (and what address) and what address receives the request from the user? Where is the server?
Also it would be helpful to know if the user request is received as part of a VPN session or what?
HTH
Rick
11-06-2009 10:49 AM
11-08-2009 08:26 PM
Richard
In your original post you identify the TFTP server as 192.168.117.29, and in this post you identify it as 192.168.117.26. This inconsistency is confusing.
In the config that you post the only mention of 192.168.117 is a permit statement in the access list. The network does not appear to be a connected interface and there is no route statement to that network. Either this is the issue or you are providing such incomplete information that I will not be able to provide any further assistance with this.
HTH
Rick