Craig,
I had an instance last week where we were trying to block the reply traffic
from a TFTP server with an ACL (the joys of an exercise in a Cisco course).
What the instructor found was that in one of the RFCs (or similar tech doc)
that some implementations of TFTP servers, although contacted on UDP/69,
answer on udp/XX69. This would get dropped by a firewall tracking the UDP
traffic as it would appear as a new connection rather than a reply to an
existing one.
Hope this helps.
M@
--
"Some things are eternal by nature,
others by consequence"
-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Craig
Van Tassle
Sent: Thursday, 15 February 2007 1:45 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] TFTP over vpns
I have tried that. The reason we are using TFTP is for our VOIP phones to pull
down the config setting upon reboot.
Overall I prefer SCP or SFTP but in this case it's not available.
Akash Rao wrote:
> Craig,
>
> It is tough to know what might be wrong without checking the logs of the
> firewalls. I hope you have tried to telnet to the tftp server on port 69
> (default port for tftp) from a client in remote lan and confirmed that
> the tftp server is running. Now, try the same test with a client in "my
> lan" and confirm the same.
>
> On a separate note, I would suggest using scp or sftp rather than tftp
> to transfer files, since these are more secure.
>
> Cheers,
>
> Akash
>
> On 2/10/07, Craig Van Tassle <craig@codestorm.org> wrote:
>
> I have a couple of remote sites that are using Cisco firewalls for Lan-Lan vpn.
> I have all the proper rules for so I can remote connect to servers on the other
> side, and ping works fine. However I'm trying to use something like tftp over
> from my lan to the remote lan. It does not seem to work. Any ideas?
>
> Thanks
> Craig
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
<mailto:firewall-wizards@listserv.icsalabs.com>
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
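An added illustration of the behaviour discussed in this thread (not code from any of the posters): a Python model of a firewall's UDP state table, showing why the first TFTP DATA packet, which the server sends from a port it chooses for the transfer rather than from 69 (the transfer identifier of RFC 1350), is dropped unless a TFTP-aware helper registers the expected reply. The addresses, ports, class and function names are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")
TFTP_PORT = 69
RRQ, WRQ = 1, 2  # TFTP read/write request opcodes (RFC 1350)


class UdpStateTable:
    """Hypothetical stateful filter: outbound is allowed, inbound needs state."""

    def __init__(self, tftp_helper=False):
        self.tftp_helper = tftp_helper
        self.flows = set()         # exact reply tuples (src, sport, dst, dport)
        self.expectations = set()  # (server, client, client_port), any server port

    def outbound(self, p):
        # Record the exact mirror tuple as the only acceptable reply.
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        opcode = int.from_bytes(p.payload[:2], "big")
        if self.tftp_helper and p.dport == TFTP_PORT and opcode in (RRQ, WRQ):
            # Helper: expect one reply from this server on a port it picks.
            self.expectations.add((p.dst, p.src, p.sport))

    def inbound(self, p):
        """Return True if the packet matches state, False if it is dropped."""
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return True
        key = (p.src, p.dst, p.dport)
        if key in self.expectations:
            self.expectations.discard(key)  # one-shot: pin the server's port
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def simulate(tftp_helper):
    """Run a constructed two-block read transfer; return verdicts for server packets."""
    fw = UdpStateTable(tftp_helper)
    client, server = "10.1.1.20", "10.2.2.5"  # constructed addresses
    rrq = Packet(client, 51000, server, TFTP_PORT, b"\x00\x01phone.cfg\x00octet\x00")
    data1 = Packet(server, 40123, client, 51000, b"\x00\x03\x00\x01" + b"x" * 512)
    ack1 = Packet(client, 51000, server, 40123, b"\x00\x04\x00\x01")
    data2 = Packet(server, 40123, client, 51000, b"\x00\x03\x00\x02" + b"y" * 100)
    fw.outbound(rrq)
    verdicts = [fw.inbound(data1)]
    if verdicts[0]:  # the client only ACKs a block it actually received
        fw.outbound(ack1)
        verdicts.append(fw.inbound(data2))
    return verdicts
```

Without the helper the state table only knows the tuple ending in port 69, so the transfer stalls at the first DATA block; with it, the reply is accepted once and the server's chosen port is pinned for the rest of the transfer.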