Solved

Cisco - cannot upload config to tftp server

Posted on 2009-05-15
20
1,892 Views
Last Modified: 2012-05-07
Hi,
Can anyone identify why I cannot copy my running config to a TFTP server.  The TFTP server works fine for a couple of cisco routers but for many others it does not work.
Thanks

cisco#copy running tftp:
Address or name of remote host []? www.abc.com
Destination filename [cisco-confg]?
.....
%Error opening tftp://www.abc.com/cisco-confg (Timed out)
Building configuration...
 
Current configuration : 8097 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3KY0$isZgjoD4vkjPXlOl1yuDn0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.0.1
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4292226846
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4292226846
 revocation-check none
 rsakeypair TP-self-signed-4292226846
!
!
crypto pki certificate chain TP-self-signed-4292226846
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323932 32323638 3436301E 170D3032 30333031 30303035 
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393232 
  32363834 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100DCA4 CDE5BBF7 7E03F90B AA669B6F 93490992 50EF1C3E B4AA239D A01CF0F3 
  15136321 C3BB01C6 076C20C6 095162F7 C7CB3754 54F26D36 0D1CDFCC FF4C2C45 
  E5A3A1DE 70FA283D 37BDD6CF 91E19849 B7DFAB1F 79A3B8CF 441685A7 18872713 
  15AFB954 33DC1DCC D653CE10 F4952956 33EDA35D 74A22034 3A1E7A24 89BBD6C0 
  DC730203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D1104 18301682 14636973 636F2E79 6F757264 6F6D6169 6E2E636F 6D301F06 
  03551D23 04183016 8014C1EA 6F5A2A86 547E96A7 999F46E4 37475729 444E301D 
  0603551D 0E041604 14C1EA6F 5A2A8654 7E96A799 9F46E437 47572944 4E300D06 
  092A8648 86F70D01 01040500 03818100 925ED82F C4CBF5A3 E4370CCA 3A8D8C63 
  78875CCA B30BFE95 3701816B 9B8BFE45 B131125E 1AE8879F BEC29FC4 BD7FFC54 
  64D0D2C3 3BC2FC3C 1C206858 248F97A4 2CD928E3 F91E7907 68BFB8D7 20758F06 
  7980DE3B C124792A F930306F 1D4680AE E912F59A 3B355365 4B9225C4 6FBD7A1A 
  82651F9E 5CAF0964 D19ECFA6 A2D82E52
  quit
username ciscoadmin privilege 15 secret 5 $1$4QXV$WqOh9PBN3G/FHVKabdAO9/
 
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.250 255.255.255.0
 ip access-group sdm_vlan1_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx@gotadsl.co.uk
 ppp chap password 7 07043359485A1D0A01
 ppp pap sent-username xxxxx@gotadsl.co.uk password 7 10451B0C034416041A
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 192.168.254.250
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.1 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 22 interface Dialer0 22
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.253 123 interface Dialer0 123
ip nat inside source static tcp 192.168.0.253 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.253 2224 interface Dialer0 2224
ip nat inside source static tcp 192.168.0.253 2226 interface Dialer0 2226
ip nat inside source static tcp 192.168.0.253 2228 interface Dialer0 2228
ip nat inside source static tcp 192.168.0.253 5666 interface Dialer0 5666
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit tcp host 192.168.0.1 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
 permit udp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=3
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq 5666
access-list 101 permit tcp any any eq 2228
access-list 101 permit tcp any any eq 2226
access-list 101 permit tcp any any eq 2224
access-list 101 permit tcp any any eq 2222
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp 195.90.96.0 0.0.1.255 any eq smtp
access-list 101 permit tcp host 62.3.194.3 any eq 3390
access-list 101 permit tcp host 62.3.194.3 any eq 3389
access-list 101 permit tcp host 81.149.56.6 any eq 3389
access-list 101 permit tcp host 213.123.130.137 any eq 3389
access-list 101 permit tcp 212.183.0.0 0.0.255.255 any eq 3389
access-list 101 permit tcp host 213.123.128.61 any eq 3389
access-list 101 permit tcp 81.134.3.0 0.0.0.255 any eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Open in new window

0
Comment
Question by:nmxsupport
  • 11
  • 9
20 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396499
Does it work using the IP address of your TFTP server instead of domain name?
0
 

Author Comment

by:nmxsupport
ID: 24396729
Sorry I guess I should have mentioned but no it does not work using IP address either.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396738
What is the IP of the TFTP server?
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:nmxsupport
ID: 24396849
62.3.194.34
0
 

Author Comment

by:nmxsupport
ID: 24396880
Apologies that was wrong it is 62.3.194.35
0
 

Author Comment

by:nmxsupport
ID: 24396952
Interestingly taking a remote site that does not work and using another computer - FTP works fine using IE but using command prompt FTP it hangs at the following,

ftp> dir
150 Opening ASCII mode data connection for /bin/ls.

whereas from a site that does not haev problems, the same command,

ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
550 .: Access is denied.
ftp>

Is this an issue with active/passive FTP and the router?
0
 

Author Comment

by:nmxsupport
ID: 24397025
Further reading seems to inidicate that command line FTP is Active FTP
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24397058
Since you are connecting to a TFTP server on the Internet, the access-list on WAN interface is the issue.

Try adding this:

ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 ftp
0
 

Author Comment

by:nmxsupport
ID: 24397221
Hi I have done this but it didn't make any difference
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397245
Okay.  Try this:

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

If that still doesn't work, can you TFTP to that IP from other routers?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397311
Actually, try this:

conf t
ip access-list ext 100
permit ip 192.168.0.0 0.0.0.255 any
no permit ip any any

There are funky issues when you use "permit ip any any" in the NAT access-list.  This changes it to specify only the LAN subnet instead.
0
 

Author Comment

by:nmxsupport
ID: 24397422
Is this as well as the config below?

ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 ftp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397432
You can remove that if desired but it doesn't hurt to leave it.  Leave the FTP one for sure.

Add this though.

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

TFTP isn't very Firewall friendly and there isn't inspection for TFTP from the router itself which is what I was hoping for.
0
 

Author Comment

by:nmxsupport
ID: 24397538
Bingo that seems to work!
I am finishing for the weekend now but will look again on Monday at this.
Thankyou
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397638
Cool.  Sounds good.
0
 

Author Comment

by:nmxsupport
ID: 24429360
Hi JFrederick29
I have been through this with around 5 or 6 different Cisco routers and the following command alone is enough to get this working
ip inspect name DEFAULT100 tcp router-traffic
What does this command do and why do you think it not work without this?
0
 

Author Comment

by:nmxsupport
ID: 24429442
I am also raising a new call for routers with a config created using SDM 2.5 in which the patch above does not fix it - I think it's only fair to raise a new call.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24430721
That command applies the IOS Firewall inspection to TCP traffic initiated from the router itself (not traffic passing through the router).  Are you sure this was the only thing required?  Did you remove the access-list entry?  The only reason I ask is because TFTP is UDP...
0
 

Author Comment

by:nmxsupport
ID: 24431298
I actually used FTP in the end
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24431407
Ahh, okay, well that would explain why that worked.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question