IP helper-address question(s)

ClearviewCenter
Level 1

I'm trying to make a tftp server available for the routers so they can do backups and whatnot; problem is I can't connect to said server from any of the branch locations (separate subnets), and using "ip helper-address" doesn't seem to be helping me. I can ping the host with the tftp server from these remote locations, but that doesn't help me out much here :)

To what interface should I apply that command? Do I need to do it on both ends of the (IPSec) VPN tunnel(s)?

Thanks guys, I feel stoopid right now.

Some more background info: the network is hub and spoke; the main office is the hub and where the tftp server resides. The main office does its DHCP via a Windows 2003 server on site; all other locations are served IPs by the routers' DHCP servers.


12 Replies

garapoglou
Level 3

Hi,

The command should be applied on the interface that will be receiving the TFTP requests as broadcasts. In the case you described, it should be applied on the inside interface of every router in every branch.

TFTP uses UDP port 69 which is covered by the "ip helper-address" command, so you don't need to create an ACL to permit it.

In case you need more help, please let us know.

Best regards,

Giorgos

Hi Dan,

    Do you want the routers to do a backup via site-to-site VPN? IMHO, you may not need an "ip helper-address" command in this case. Please provide us more information regarding your topology.

HTH,

Toshi

I agree. This can be done without the use of the "ip helper-address" command, but since the question was about the interface on which the command should be placed, I thought I should go with it.

Anyway, we can always go with alternative solutions depending on the topology.

Giorgos

Yes, that is exactly the plan.

All the branch offices connect back to the main office via site-to-site VPN(s). Any host on a branch office LAN can ping back to the main office and reach any host on the main office LAN (just as intended). My only problem (I think!) is due to the UDP broadcast not being relayed through, so the branch routers cannot see the tftp server running on the main office LAN.

The only other notable thing is that main office DHCP is done by a server, while branch office DHCP is done by the routers. Other than that I think it's all straightforward, but if I'm not describing something you feel is missing, please just say the word and I'll go into as much detail as I can.

Thanks guys!

Oddly enough this (I believe) was where I executed the command.

We're running 871 ISRs, all traffic is running through vlan1, exiting through fa0/4 to the VPN back to the main office where the tftp server is running.

I applied the ip helper-address X.X.X.X command on vlan1 (when I tried to apply it on any of the physical interfaces it wouldn't take the command anyway) on a branch office router, but when I do a copy run tftp it simply times out. When I do the same thing (without the ip helper-address) on the main office router I can back up my config without a problem, so I think it has to be something I'm doing wrong with the ip helper-address command (though it could be something else I'm just not seeing).

Thank you for the help,

Dan

Hi,

If you know the tftp server IP address, then in the backup process you give this info and there is no broadcast involved whatsoever, so I really don't understand the need for the ip helper-address.

Can we see your crypto ACL, as well as your NAT ACL or route-map?

Regards.

Alain.

Don't forget to rate helpful posts.

I don't understand the issue either - when trying to run the backup I issue a "copy run tftp" command and specify the tftp server's IP at the next prompt.

This is what's going on:

cisco260#copy run tftp
Address or name of remote host []? 192.168.0.101
Destination filename [cisco260-confg]?
.....
%Error opening tftp://192.168.0.101/cisco260-confg (Timed out)

Maybe I need a VRF in the ip helper-address command? I'm just spitballing here; I've never done that and really have no knowledge of VRFs (I'm taking intro Cisco courses right now; someone else set these routers up).

Syntax Description:
ip helper-address [vrf name | global] address [redundancy vrg-name]

-------------------------------------------

Here's the part of the branch office config you requested:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ************ address PUBLICIP.OF.MAIN.OFFICE
!
!
crypto ipsec transform-set mainset esp-3des esp-sha-hmac
!
crypto map mainmap 10 ipsec-isakmp
set peer PUBLICIP.OF.MAIN.OFFICE
set transform-set mainset
match address 101

....

ip access-list extended nat
deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
!
access-list 15 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
route-map nat permit 1
match ip address nat

---------------------------------------------------------

And the corresponding sections of the main office config:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ************ address PUBLICIP.OF.BRANCH.OFFICE
!
!
crypto ipsec transform-set mainset esp-3des esp-sha-hmac

crypto map mainmap 16 ipsec-isakmp
set peer PUBLICIP.OF.BRANCH.OFFICE
set transform-set mainset
match address 107

................

ip access-list extended nat
deny   ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
!
access-list 15 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
route-map nat permit 1
match ip address nat

-------------------------------------------------

If I've missed anything just let me know.

Thanks again for the help everyone,

Dan

Hi,

    First off, there is no need to use an "ip helper-address" command, including VRF. (grin) Please post the current running configuration, excluding sensitive information. The steps are as follows:

1. It's a good idea to specify a source IP address for the TFTP packets. That's why I want to see the IP address configured on your LAN interface. An "ip tftp source-interface xxx" command is used.

2. Modify your interesting traffic to allow the TFTP packets to be forwarded through the tunnel. You've gotta do this on both VPN concentrators.

3. Modify the NAT ACL to deny the TFTP packets before they get into the NAT process.

HTH,

Toshi

Thanks Toshi.

I've edited out just the sensitive stuff, and for now am only concerned with "PUBLIC.IP.BRANCH.OFFICE", while the PUBLIC.IP.OTHERBRANCH.OFFICE will get set up later, but I figured I'd leave as much of the config intact as I could.

Hi Dan,

    Your configurations look good to me. Just add an "ip tftp source-interface vlan 1" command on the branch router (Cisco260). And then test backing up a configuration.

     Please let us know how things work out.

Toshi
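As an added illustration (not part of the thread, and not Cisco's code), here is a small Python model of why the source interface decides the outcome: it evaluates the branch router's crypto ACL 101 and NAT ACL from Dan's posted config against a router-originated TFTP packet sourced from the WAN side versus from vlan1. The vlan1 address 192.168.10.1 and the WAN address 203.0.113.10 are constructed placeholders; only the 192.168.10.0/24 LAN, the 192.168.0.0/24 hub LAN and the 192.168.0.101 server come from the thread.

```python
import ipaddress

# Constructed addressing for the branch router "cisco260" (assumptions, not from the thread):
BRANCH_VLAN1_IP = "192.168.10.1"   # assumed vlan1 address inside the posted 192.168.10.0/24 LAN
BRANCH_WAN_IP = "203.0.113.10"     # placeholder for PUBLICIP.OF.BRANCH.OFFICE (fa0/4)
TFTP_SERVER = "192.168.0.101"      # hub-side TFTP server, from the thread


def wildcard_match(ip, network, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return int(ipaddress.ip_address(ip)) & mask == int(ipaddress.ip_address(network)) & mask


def acl_decision(entries, src, dst):
    """First-match evaluation of an IOS extended ACL, with the implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# access-list 101, referenced by "match address 101" in crypto map mainmap (branch config)
CRYPTO_ACL_101 = [("permit", "192.168.10.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")]

# "ip access-list extended nat", referenced by route-map nat; "any" is 0.0.0.0 255.255.255.255
NAT_ACL = [
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def tftp_path(source_ip, dst=TFTP_SERVER):
    """How the branch router handles its own TFTP packet, given the chosen source address."""
    encrypted = acl_decision(CRYPTO_ACL_101, source_ip, dst) == "permit"
    translated = acl_decision(NAT_ACL, source_ip, dst) == "permit"
    if encrypted and not translated:
        return "ipsec-tunnel"            # matches interesting traffic, exempt from NAT
    return "clear-text/no-route"         # leaves fa0/4 unprotected; the private hub LAN is unreachable


if __name__ == "__main__":
    # Without "ip tftp source-interface vlan 1" the packet is sourced from the egress (WAN) interface.
    print("source fa0/4 :", tftp_path(BRANCH_WAN_IP))     # clear-text/no-route  -> "Timed out"
    print("source vlan1 :", tftp_path(BRANCH_VLAN1_IP))   # ipsec-tunnel
```

The same ACL logic explains Toshi's steps 2 and 3: the hub's mirrored crypto ACL and NAT deny must also cover the 192.168.10.x source, or the reply never enters the tunnel.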

That worked!

Thank you SO much for your help. I feel a lot better now that we can actually back these up (before I was just doing copy/paste from PuTTY to back up what I could).

Hi Dan,

     I'm glad that I can help you solve this problem. (grin)

Good Luck

Toshi
