05-03-2011 12:36 PM - edited 03-06-2019 04:53 PM
I'm trying to make a tftp server available for the routers so they can do backups and what not, problem is I can't connect to said server from any of the branch locations (separate subnets) and using "ip helper-address" doesn't seem to be helping me. I can ping the host with the tftp server from these remote locations, but that doesn't help me out much here
To what interface should I apply that command? Do I need to do it on both ends of the (IPSec) VPN tunnel(s)?
Thanks guys, I feel stoopid right now.
Some more background info: Network is hub and spoke, main office is the hub and where the tftp server resides. Main office does its DHCP via a windows2003 server on site, all other locations are served IPs by the router's DHCP servers.
05-03-2011 11:17 PM
Hi,
The command should be applied on the interface that will be receiving the TFTP requests as broadcasts. In the case you described, it should be applied on the inside interface of every router in every branch.
TFTP uses UDP port 69 which is covered by the "ip helper-address" command, so you don't need to create an ACL to permit it.
In case you need more help, please let us know.
Best regards,
Giorgos
05-04-2011 01:32 AM
Hi Dan,
Do you want routers to do a backup via site-to-site VPN? IMHO, you may not need an "ip helper-address" command in this case. Please provide us more information regarding your topology.
HTH,
Toshi
05-04-2011 01:58 AM
I agree. This can be done without the use of the "ip helper-address" command, but since the question was about the interface on which the command should be placed, I thought I should go with it.
Anyway, we can always go with alternative solutions depending on the topology.
Giorgos
05-04-2011 06:22 AM
Yes, that is exactly the plan.
All the branch offices connect back to the main office via site-to-site VPN(s). Any host on a branch office LAN can ping back to the main office and reach any host on the main office LAN (just as intended). My only problem (I think!) is due to the UDP broadcast not being relayed through, so the branch routers cannot see the tftp server running on the main office LAN.
The only other notable thing is that main office DHCP is done by a server, while branch office DHCP is done by the routers. Other than that I think it's all straightforward, but if I'm not describing something you feel is missing please just say the word and I'll go into as much detail as I can.
Thanks guys!
05-04-2011 06:15 AM
Oddly enough this (I believe) was where I executed the command.
We're running 871 ISRs, all traffic is running through vlan1, exiting through fa0/4 to the VPN back to the main office where the tftp server is running.
I applied the ip helper-address X.X.X.X command on vlan1 on a branch office router (when I tried to apply it on any of the physical interfaces it wouldn't take the command anyway), but when I do a copy run tftp it simply times out. When I do the same thing (without the ip helper-address) on the main office router I can back up my config without a problem, so I think it has to be something I'm doing wrong with the ip helper-address command (though it could be something else I'm just not seeing).
Thank you for the help,
Dan
05-04-2011 06:52 AM
Hi,
If you know the tftp server IP address then in the backup process you give this info, and then there is no broadcast involved whatsoever, so I really don't understand the need for the ip helper-address.
Can we see your crypto ACL, as well as your NAT ACL or route-map?
Regards.
Alain.
05-04-2011 07:21 AM
I don't understand the issue either - when trying to run the backup I issue a "copy run tftp" command and specify the tftp server's IP at the next prompt.
This is what's going on:
cisco260#copy run tftp
Address or name of remote host []? 192.168.0.101
Destination filename [cisco260-confg]?
.....
%Error opening tftp://192.168.0.101/cisco260-confg (Timed out)
Maybe I need a VRF in the ip helper-address command? I'm just spitballing here, I've never done that and really have no knowledge of VRFs (I'm taking intro Cisco courses right now, someone else set these routers up)
Syntax Description:
ip helper-address [vrf name | global] address [redundancy vrg-name]
-------------------------------------------
Here's the part of the branch office config you requested:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************ address PUBLICIP.OF.MAIN.OFFICE
!
!
crypto ipsec transform-set mainset esp-3des esp-sha-hmac
!
crypto map mainmap 10 ipsec-isakmp
 set peer PUBLICIP.OF.MAIN.OFFICE
 set transform-set mainset
 match address 101
....
ip access-list extended nat
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 15 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
route-map nat permit 1
 match ip address nat
---------------------------------------------------------
And the corresponding sections of the main office config:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************ address PUBLICIP.OF.BRANCH.OFFICE
!
!
crypto ipsec transform-set mainset esp-3des esp-sha-hmac
crypto map mainmap 16 ipsec-isakmp
 set peer PUBLICIP.OF.BRANCH.OFFICE
 set transform-set mainset
 match address 107
................
ip access-list extended nat
 deny ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 15 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
route-map nat permit 1
 match ip address nat
-------------------------------------------------
If I've missed anything just let me know.
Thanks again for the help everyone,
Dan
05-04-2011 07:37 AM
Hi,
First off, there is no need to use an "ip helper-address" command, including VRF. (grin) Please post the current running configuration, excluding sensitive information. The steps are as follows:
1. It's a good idea to specify a source IP address for TFTP packets. That's why I want to see the IP address configured on your LAN interface. An "ip tftp source-interface xxx" command is used.
2. Modify your interesting traffic to allow TFTP packets to be forwarded through the tunnel. You've gotta do this on both VPN concentrators.
3. Modify the NAT ACL to deny TFTP packets before they get into the NAT process.
HTH,
Toshi
05-04-2011 08:00 AM
05-04-2011 08:10 AM
Hi Dan,
Your configurations look good to me. Just add an "ip tftp source-interface vlan 1" command on the branch router (Cisco260). Then test backing up a configuration.
Please let us know how things work out.
Toshi
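Added example, not code from the thread or from Cisco: a small evaluator for IOS-style wildcard-mask ACLs, run against the branch-office crypto ACL (101) and NAT ACL ("nat") that Dan posted, to show why Toshi's steps (source interface, interesting-traffic ACL, NAT exemption) and the accepted "ip tftp source-interface vlan 1" fix work. It models the outbound order IOS applies on the branch router (inside-to-outside NAT first, then the crypto map's "match address" check) and compares a router-originated TFTP packet sourced from the WAN address (the IOS default, the egress interface) with one sourced from Vlan1. The Vlan1 address 192.168.10.1 and the WAN address 203.0.113.10 are constructed placeholders; only the ACL entries and the TFTP server 192.168.0.101 come from the thread.

```python
"""Why "ip tftp source-interface vlan 1" fixes the branch TFTP backup.

Added example (not code from the thread): an IOS-style wildcard-mask ACL
evaluator applied to the branch-office crypto ACL (101) and NAT ACL ("nat")
posted in the thread, modelling NAT-then-crypto on the outbound path.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: address bits where the wildcard bit is 0 must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC'; 'any' stands for 0.0.0.0 255.255.255.255."""
    parts = line.split()
    action, proto, rest = parts[0], parts[1], parts[2:]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled here")
    ends = []
    i = 0
    while len(ends) < 2:
        if rest[i] == "any":
            ends.append(("0.0.0.0", "255.255.255.255"))
            i += 1
        else:
            ends.append((rest[i], rest[i + 1]))
            i += 2
    return action, ends[0], ends[1]


def evaluate_acl(acl, src, dst):
    """First matching entry wins; an unmatched packet hits IOS's implicit deny."""
    for line in acl:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Entries copied from the branch-office configuration in the thread.
CRYPTO_ACL_101 = ["permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255"]
NAT_ACL = [
    "deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255",  # NAT exemption for hub LAN
    "permit ip 192.168.10.0 0.0.0.255 any",
]

TFTP_SERVER = "192.168.0.101"  # address Dan typed at the 'copy run tftp' prompt
VLAN1_ADDR = "192.168.10.1"    # constructed: branch Vlan1 address inside 192.168.10.0/24
WAN_ADDR = "203.0.113.10"      # constructed placeholder for the branch fa0/4 address


def classify_tftp_packet(src, nat_acl=NAT_ACL):
    """Return (source address on the wire, 'tunnel' or 'clear') for a router-originated TFTP packet."""
    # Step 1: inside-to-outside NAT. A 'permit' from the NAT ACL translates the source to the WAN address.
    if evaluate_acl(nat_acl, src, TFTP_SERVER) == "permit":
        src = WAN_ADDR
    # Step 2: crypto map 'match address 101' decides whether the packet enters the IPsec tunnel.
    if evaluate_acl(CRYPTO_ACL_101, src, TFTP_SERVER) == "permit":
        return src, "tunnel"
    return src, "clear"


if __name__ == "__main__":
    # Default: the router sources from the egress (WAN) address, misses ACL 101, and the copy times out.
    print("WAN source  :", classify_tftp_packet(WAN_ADDR))
    # With 'ip tftp source-interface vlan 1' the packet matches ACL 101 and is tunnelled to the hub.
    print("Vlan1 source:", classify_tftp_packet(VLAN1_ADDR))
    # Without the NAT-exemption deny line, even a Vlan1 source is translated first and then misses ACL 101.
    print("no exemption:", classify_tftp_packet(VLAN1_ADDR, ["permit ip 192.168.10.0 0.0.0.255 any"]))
```

The three runs map directly onto the thread: the WAN-sourced packet is what Dan's timed-out "copy run tftp" was sending, the Vlan1-sourced packet is what the accepted fix produces, and the third run shows why Toshi's step 3 (the deny line at the top of the NAT ACL, which Dan's config already had) matters: the same fix would still fail if the source were translated before the crypto map looked at it.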
05-04-2011 08:27 AM
That worked!
Thank you SO much for your help. I feel a lot better now that we can actually back these up (before I was just doing copy/paste from putty to back up what I could).
05-04-2011 08:28 AM
Hi Dan,
I'm glad that I can help you solve this problem. (grin)
Good Luck
Toshi