  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1828

Error backing up PIX config via tftp

I have set up a tftp-server for my PIX 515 to use to back up the config file.  I am using a 2nd ethernet interface and created an access-list entry to permit tftp traffic through that interface.  This interface has a sec level of 0.

Every time I issue the wr net command I get an access violation error.

What am I leaving out?

Here is the tftp-server config info : tftp-server intf2 192.168.10.100 /pixfirewall

0
sobergfell
Asked:
1 Solution
 
grbladesCommented:
What are you using for the tftp server?
Many tftp servers will not create the file automatically (security feature) and so you need to create an empty file with the correct name first.
0
 
sobergfellAuthor Commented:
I'm using Solarwinds tftp server.  I tried your solution but no love there, still the same error.

btw,  here is my nameif info:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security0

0
 
grbladesCommented:
Solarwinds running on a windows machine?
Have you made sure the windows firewall is disabled or you have an exception for tftp?
0
 
sobergfellAuthor Commented:
Windows Firewall is turned off.

And yes, Solarwinds includes a very simple tftp server with their Engineer's Toolset.

http://www.solarwinds.com/products/toolsets/engineer.aspx

0
 
sobergfellAuthor Commented:
Also,  here is what I am seeing on the PIX:

dcmo506e-fw01# wr net :pix.cfg
Building configuration...
TFTP write '/pixfirewall/pix.cfg' at 192.168.10.100 on interface 2
Access violation
[FAILED]

0
 
grbladesCommented:
What is the exact error you are getting?
What access-list did you create?
0
 
sobergfellAuthor Commented:
This is the error:

dcmo506e-fw01# wr net :pix.cfg
Building configuration...
TFTP write '/pixfirewall/pix.cfg' at 192.168.10.100 on interface 2
Access violation
[FAILED]


Here is the access-list I created:

access-list intf2 line 1 permit tcp any any eq 69 (hitcnt=0)

I notice that it shows zero hits..


0
 
grbladesCommented:
It's not normal to specify directories with tftp. Is there a subdirectory 'pixfirewall' within Solarwinds' configured directory?
What happens if you just try 'wri net'?
0
 
grbladesCommented:
tftp is UDP port 69 not tcp. I doubt you would need an access-list anyway since the traffic is coming from the pix itself.
0
 
sobergfellAuthor Commented:
Same error with wr net.

dcmo506e-fw01# wr net
Building configuration...
TFTP write '/pixfirewall' at 192.168.10.100 on interface 2
Access violation
[FAILED]
0
 
sobergfellAuthor Commented:
BTW the path on the server running the tftp server that I am pointing to exists.  \tftp\pixfirewall.

The root for the tftp server is the \tftp folder.

0
 
grbladesCommented:
So \tftp\pixfirewall is a file and not a directory. If it is a directory then try deleting it and creating an empty file with the same name and then try 'wri net' again.

Are you running version 6 or 7 of the PIX operating system?
0
 
sobergfellAuthor Commented:
No it is a directory.

Specifying a file also generates an error

sho ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)



0
 
grbladesCommented:
No, within /tftp there should be just a file called 'pixfirewall'. It should not be just a directory.
Then try the 'wri net' command by itself.
0
 
sobergfellAuthor Commented:
Created a file called pixfirewall within the tftp folder, then ran wri net.  Same error.

dcmo506e-fw01# wr net
Building configuration...
TFTP write '/pixfirewall' at 192.168.10.100 on interface 2
Access violation

I checked the permissions on \tftp and made sure that everyone had write access.  

Same error



0
 
Alan Huseyin KayahanCommented:
Hi sobergfell
  • When you open the Solarwinds TFTP server screen, click File>Configure
  • In the Security tab, make sure "Send and receive files" is checked under Permitted Transfer Types
  • Also make sure "Allow all IP addresses to send/receive files" is checked under IP Address Restrictions
  • If none works, give everyone full control permission in the NTFS security tab of the root folder

Regards
0
 
Alan Huseyin KayahanCommented:
  • Also make sure the tftp service is in a running state in Start>Run>services.msc
0
 
sobergfellAuthor Commented:
Mr. Hussy,

Those were my first steps.

Confirmed all the settings you recommended of the tftp server were checked.

Also, both ntfs and shared permissions are set to everyone with full control.

0
 
sobergfellAuthor Commented:
And yes, it is running.  And I did stop and restart the service after making the changes to the configuration.
0
 
Alan Huseyin KayahanCommented:
  try issuing the following command
    copy running-config tftp://tftpserveripaddress/config.bin
0
 
sobergfellAuthor Commented:
She does not like command.

I do not think PIX IOS supports copy running-config like the router IOS does

dcmo506e-fw01# copy running-config tftp://192.168.10.100/config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp flash:config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp :config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01#
0
 
Alan Huseyin KayahanCommented:
Try this one

write net 192.168.10.100:config
0
 
sobergfellAuthor Commented:
dcmo506e-fw01# write net 192.168.10.100:config
Building configuration...
TFTP write '/pixfirewall/config' at 192.168.10.100 on interface 2
Access violation
[FAILED]
dcmo506e-fw01#


Same error

0
 
Alan Huseyin KayahanCommented:
Type arp -d 5-6 times in the Windows command line on the tftp server, and in the PIX, type clear arp, then try again. If that doesn't work, try installing tftp on a different machine.
0
 
sobergfellAuthor Commented:
Well that worked.

I installed the tftp server on a different server, and reconfigured the tftp-server on the PIX and it worked.

0
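
Added example, not part of the thread: a minimal decoder for the TFTP packets (RFC 1350) behind the `wr net` output above. "Access violation" is the name of TFTP error code 2, so if that text came from the server's ERROR reply, the write request reached the server over UDP and was refused there, which is a different failure from a blocked path (no reply at all). The sample packets are constructed and the `octet` transfer mode is an assumption.

```python
import struct
# Opcodes and error codes as defined in RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full or allocation exceeded", 4: "Illegal TFTP operation",
               5: "Unknown transfer ID", 6: "File already exists", 7: "No such user"}

def _cstrings(buf, count):
    """Split `count` NUL-terminated strings off the front of buf."""
    parts = buf.split(b"\x00")
    if len(parts) < count + 1:
        raise ValueError("missing NUL terminator")
    return [p.decode("ascii", "replace") for p in parts[:count]]

def parse_tftp(payload):
    """Decode one TFTP UDP payload into a dict; ValueError if malformed."""
    if len(payload) < 4:
        raise ValueError("shorter than any valid TFTP packet")
    opcode, num = struct.unpack("!HH", payload[:4])
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    if name in ("RRQ", "WRQ"):
        filename, mode = _cstrings(payload[2:], 2)
        return {"op": name, "filename": filename, "mode": mode.lower()}
    if name == "ERROR":
        (msg,) = _cstrings(payload[4:], 1)
        return {"op": name, "code": num, "message": msg,
                "meaning": ERROR_CODES.get(num, "unassigned")}
    return {"op": name, "block": num}  # DATA or ACK: second field is the block number

def diagnose(request, reply):
    """Classify a write attempt from the WRQ and the first reply (None = timeout)."""
    req = parse_tftp(request)
    if req["op"] != "WRQ":
        raise ValueError("expected a write request")
    if reply is None:
        return "no reply: check the UDP/69 path and host firewall"
    rep = parse_tftp(reply)
    if rep["op"] == "ACK" and rep["block"] == 0:
        return "server accepted the write"
    if rep["op"] == "ERROR":
        return f"server refused {req['filename']}: {rep['meaning']} (code {rep['code']})"
    return f"unexpected reply {rep['op']}"

# Constructed sample packets (not captured from the poster's network).
SAMPLE_WRQ = b"\x00\x02/pixfirewall/pix.cfg\x00octet\x00"
SAMPLE_ERR = b"\x00\x05\x00\x02Access violation\x00"
SAMPLE_ACK0 = b"\x00\x04\x00\x00"
```

Feeding `diagnose` the UDP payloads from a packet capture on the TFTP server separates the two cases: a timeout points at filtering or addressing, an ERROR reply at the server's own file or transfer permissions.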
