Error backing up PIX config via tftp

I have set up a tftp-server for my PIX 515 to use to back up the config file. I am using a 2nd ethernet interface and created an access-list entry to permit tftp traffic through that interface. This interface has a sec level of 0.

Every time I issue the wr net command I get an access violation error.

What am I leaving out?

Here is the tftp-server config info : tftp-server intf2 192.168.10.100 /pixfirewall

sobergfell Asked:

grblades Commented:
What are you using for the tftp server?
Many tftp servers will not create the file automatically (security feature) and so you need to create an empty file with the correct name first.
0
sobergfell Author Commented:
I'm using Solarwinds tftp server.  I tried your solution but no love there, still the same error.

btw,  here is my nameif info:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security0

0
grblades Commented:
Solarwinds running on a windows machine?
Have you made sure the windows firewall is disabled or you have an exception for tftp?
0
sobergfell Author Commented:
Windows Firewall is turned off.

And yes, Solarwinds includes a very simple tftp server with their Engineer's Toolset.

http://www.solarwinds.com/products/toolsets/engineer.aspx

0
sobergfell Author Commented:
Also,  here is what I am seeing on the PIX:

dcmo506e-fw01# wr net :pix.cfg
Building configuration...
TFTP write '/pixfirewall/pix.cfg' at 192.168.10.100 on interface 2
Access violation
[FAILED]

0
grblades Commented:
What is the exact error you are getting?
What access-list did you create?
0
sobergfell Author Commented:
This is the error:

dcmo506e-fw01# wr net :pix.cfg
Building configuration...
TFTP write '/pixfirewall/pix.cfg' at 192.168.10.100 on interface 2
Access violation
[FAILED]


Here is the access-list I created:

access-list intf2 line 1 permit tcp any any eq 69 (hitcnt=0)

I notice that it shows zero hits..


0
grblades Commented:
It's not normal to specify directories with tftp. Is there a subdirectory 'pixfirewall' within solarwinds configured directory?
What happens if you just try 'wri net'?
0
grblades Commented:
TFTP is UDP port 69, not TCP. I doubt you would need an access-list anyway since the traffic is coming from the pix itself.
0
sobergfell Author Commented:
Same error with wr net.

dcmo506e-fw01# wr net
Building configuration...
TFTP write '/pixfirewall' at 192.168.10.100 on interface 2
Access violation
[FAILED]
0
sobergfell Author Commented:
BTW the path on the server running the tftp server that I am pointing to exists.  \tftp\pixfirewall.

The root for the tftp server is the \tftp folder.

0
grblades Commented:
So \tftp\pixfirewall is a file and not a directory. If it is a directory then try deleting it and creating an empty file with the same name and then try 'wri net' again.

Are you running version 6 or 7 of the PIX operating system?
0
sobergfell Author Commented:
No, it is a directory.

Specifying a file also generates an error.

sho ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)



0
grblades Commented:
No, within /tftp there should be just a file called 'pixfirewall'. It should not be just a directory.
Then try the 'wri net' command by itself.
0
sobergfell Author Commented:
Created a file called pixfirewall within the tftp folder, then ran wri net. Same error.

dcmo506e-fw01# wr net
Building configuration...
TFTP write '/pixfirewall' at 192.168.10.100 on interface 2
Access violation

I checked the permissions on \tftp and made sure that everyone had write access.  

Same error



0
Alan Huseyin Kayahan Commented:
Hi sobergfell
* When you open the Solarwinds TFTP server screen, click File>Configure
* In the security tab, make sure "Send and receive files" is checked under Permitted Transfer Types
* Also make sure "Allow all IP addresses to send/receive files" is checked under IP address Restrictions
* If none works, give everyone full control permission in the NTFS security tab of the root folder

Regards
0
Alan Huseyin Kayahan Commented:
* Also make sure the tftp service is in running state in Start>Run>services.msc
0
sobergfell Author Commented:
Mr. Hussy,

Those were my first steps.

Confirmed all the settings you recommended of the tftp server were checked.

Also, both ntfs and shared permissions are set to everyone with full control.

0
sobergfell Author Commented:
And yes, it is running.  And I did stop and restart the service after making the changes to the configuration.
0
Alan Huseyin Kayahan Commented:
Try issuing the following command:
    copy running-config tftp://tftpserveripaddress/config.bin
0
sobergfell Author Commented:
She does not like the command.

I do not think PIX IOS supports copy running-config like the router IOS does.

dcmo506e-fw01# copy running-config tftp://192.168.10.100/config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp flash:config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01# copy tftp://192.168.10.100/tftp :config.bin
Usage:  copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
        copy http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
                flash[:[image | pdm]]
        copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
dcmo506e-fw01#
0
Alan Huseyin Kayahan Commented:
Try this one

write net 192.168.10.100:config
0
sobergfell Author Commented:
dcmo506e-fw01# write net 192.168.10.100:config
Building configuration...
TFTP write '/pixfirewall/config' at 192.168.10.100 on interface 2
Access violation
[FAILED]
dcmo506e-fw01#


Same error

0
Alan Huseyin Kayahan Commented:
Type arp -d 5-6 times in the Windows command line on the tftp server; in the PIX, type clear arp, then try again. If that doesn't work, try installing tftp on a different machine.
0

sobergfell Author Commented:
Well that worked.

I installed the tftp server on a different server, and reconfigured the tftp-server on the PIX and it worked.

0
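The `Access violation` text in the PIX output above matches TFTP error code 2 in RFC 1350, and TFTP packets travel as UDP payloads. As an added example (not part of the thread and not from any participant), this Python code builds the write request for the path shown in the output and decodes an ERROR reply; the `octet` mode and the reply bytes are assumptions constructed for illustration, not a capture from this firewall.

```python
import struct

# Opcodes and error codes as defined in RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {
    0: "Not defined", 1: "File not found", 2: "Access violation",
    3: "Disk full or allocation exceeded", 4: "Illegal TFTP operation",
    5: "Unknown transfer ID", 6: "File already exists", 7: "No such user",
}

def build_wrq(filename, mode="octet"):
    """Write request: opcode 2, filename, NUL, mode, NUL (mode is assumed)."""
    return (struct.pack("!H", 2) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def parse_packet(pkt):
    """Decode one TFTP packet (a UDP payload) into a dict."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    opcode, = struct.unpack("!H", pkt[:2])
    op = OPCODES.get(opcode)
    if op is None:
        raise ValueError(f"unknown TFTP opcode {opcode}")
    if op in ("RRQ", "WRQ"):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("request lacks NUL-terminated filename and mode")
        return {"op": op, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    number, = struct.unpack("!H", pkt[2:4])
    if op == "DATA":
        return {"op": op, "block": number, "length": len(pkt) - 4}
    if op == "ACK":
        return {"op": op, "block": number}
    # ERROR: 2-byte code followed by a NUL-terminated message.
    text = pkt[4:].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"op": op, "code": number,
            "meaning": ERROR_CODES.get(number, "unassigned"), "message": text}

def is_access_violation(reply):
    """True when the reply is a TFTP ERROR packet carrying code 2."""
    parsed = parse_packet(reply)
    return parsed["op"] == "ERROR" and parsed["code"] == 2

# Path taken from the PIX output in the thread; the reply bytes are constructed.
WRQ = build_wrq("/pixfirewall/pix.cfg")
SAMPLE_REPLY = b"\x00\x05\x00\x02Access violation\x00"

if __name__ == "__main__":
    print(parse_packet(WRQ))
    print(parse_packet(SAMPLE_REPLY), is_access_violation(SAMPLE_REPLY))
```

An ERROR packet with code 2 is what a TFTP server sends to refuse a request, so seeing it in a capture on the server's interface places the refusal on the server rather than on a filter in the path.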