Solved

Cisco - cannot upload config to tftp server

Posted on 2009-05-15
Last Modified: 2012-05-07
Hi,
Can anyone identify why I cannot copy my running config to a TFTP server? The TFTP server works fine for a couple of Cisco routers, but for many others it does not work.
Thanks

cisco#copy running tftp:
Address or name of remote host []? www.abc.com
Destination filename [cisco-confg]?
.....
%Error opening tftp://www.abc.com/cisco-confg (Timed out)
Building configuration...

Current configuration : 8097 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3KY0$isZgjoD4vkjPXlOl1yuDn0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.0.1
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4292226846
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4292226846
 revocation-check none
 rsakeypair TP-self-signed-4292226846
!
!
crypto pki certificate chain TP-self-signed-4292226846
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323932 32323638 3436301E 170D3032 30333031 30303035
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393232
  32363834 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DCA4 CDE5BBF7 7E03F90B AA669B6F 93490992 50EF1C3E B4AA239D A01CF0F3
  15136321 C3BB01C6 076C20C6 095162F7 C7CB3754 54F26D36 0D1CDFCC FF4C2C45
  E5A3A1DE 70FA283D 37BDD6CF 91E19849 B7DFAB1F 79A3B8CF 441685A7 18872713
  15AFB954 33DC1DCC D653CE10 F4952956 33EDA35D 74A22034 3A1E7A24 89BBD6C0
  DC730203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14636973 636F2E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014C1EA 6F5A2A86 547E96A7 999F46E4 37475729 444E301D
  0603551D 0E041604 14C1EA6F 5A2A8654 7E96A799 9F46E437 47572944 4E300D06
  092A8648 86F70D01 01040500 03818100 925ED82F C4CBF5A3 E4370CCA 3A8D8C63
  78875CCA B30BFE95 3701816B 9B8BFE45 B131125E 1AE8879F BEC29FC4 BD7FFC54
  64D0D2C3 3BC2FC3C 1C206858 248F97A4 2CD928E3 F91E7907 68BFB8D7 20758F06
  7980DE3B C124792A F930306F 1D4680AE E912F59A 3B355365 4B9225C4 6FBD7A1A
  82651F9E 5CAF0964 D19ECFA6 A2D82E52
  quit
username ciscoadmin privilege 15 secret 5 $1$4QXV$WqOh9PBN3G/FHVKabdAO9/
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.250 255.255.255.0
 ip access-group sdm_vlan1_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx@gotadsl.co.uk
 ppp chap password 7 07043359485A1D0A01
 ppp pap sent-username xxxxx@gotadsl.co.uk password 7 10451B0C034416041A
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 192.168.254.250
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.1 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 22 interface Dialer0 22
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.253 123 interface Dialer0 123
ip nat inside source static tcp 192.168.0.253 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.253 2224 interface Dialer0 2224
ip nat inside source static tcp 192.168.0.253 2226 interface Dialer0 2226
ip nat inside source static tcp 192.168.0.253 2228 interface Dialer0 2228
ip nat inside source static tcp 192.168.0.253 5666 interface Dialer0 5666
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit tcp host 192.168.0.1 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
 permit udp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=3
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq 5666
access-list 101 permit tcp any any eq 2228
access-list 101 permit tcp any any eq 2226
access-list 101 permit tcp any any eq 2224
access-list 101 permit tcp any any eq 2222
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp 195.90.96.0 0.0.1.255 any eq smtp
access-list 101 permit tcp host 62.3.194.3 any eq 3390
access-list 101 permit tcp host 62.3.194.3 any eq 3389
access-list 101 permit tcp host 81.149.56.6 any eq 3389
access-list 101 permit tcp host 213.123.130.137 any eq 3389
access-list 101 permit tcp 212.183.0.0 0.0.255.255 any eq 3389
access-list 101 permit tcp host 213.123.128.61 any eq 3389
access-list 101 permit tcp 81.134.3.0 0.0.0.255 any eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:nmxsupport
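Editor's note and added example, not part of nmxsupport's post: the pasted configuration has `service password-encryption`, which only applies Cisco's reversible "type 7" encoding to the `ppp chap password 7 ...` and `ppp pap sent-username ... password 7 ...` lines. Anyone who can read the page can recover those ISP credentials, so they should be treated as disclosed and rotated. The `enable secret 5` and `username ... secret 5` values are salted MD5 hashes (type 5), which require offline cracking rather than a lookup. The Python below is editor's code that implements the type 7 transform (the 53-byte XOR key is the well-known constant; the leading two decimal digits are the offset into it) plus a classifier for config lines; it is exercised here only against constructed vectors, never against the posted strings.

```python
# Cisco "type 7" reversible obfuscation, as produced by `service password-encryption`.
# Editor's example. XLAT_KEY is the well-known 53-byte constant; the first two digits
# of a type 7 string are the decimal offset into it, and each following byte pair is
# one plaintext byte XORed with the key byte at (offset + position) mod 53.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string such as the value after `password 7` in a config."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError("type 7 offsets are 00..15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encrypt(plaintext: str, offset: int = 8) -> str:
    """Produce a type 7 string. IOS picks the offset at random; it is not a secret."""
    if not 0 <= offset <= 15:
        raise ValueError("type 7 offsets are 00..15")
    data = plaintext.encode("latin-1")
    body = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}" + body.hex().upper()


def classify_secret(config_line: str) -> str:
    """Say whether a config line carries a recoverable secret.
    `secret 5` / `password 5` is an MD5-crypt hash; `password 7` is reversible."""
    tokens = config_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("secret", "password") and tokens[i + 1] in ("5", "7"):
            return "type7-reversible" if tokens[i + 1] == "7" else "type5-hashed"
    return "none"


if __name__ == "__main__":
    # Constructed lines in the shape of the posted config, not the posted values.
    for line in ("enable secret 5 $1$abcd$0123456789abcdefghijk",
                 "ppp chap password 7 0822455D0A16",
                 "ip name-server 192.168.0.1"):
        print(f"{classify_secret(line):18s} {line}")
    print(type7_decrypt("0822455D0A16"))   # the classic vector decodes to "cisco"
```

The practical rule this illustrates: before pasting a running config anywhere, strip every `password 7` value, and prefer `secret` forms (which do not protect PPP/CHAP credentials, since the router must send the cleartext to the peer) only where IOS offers them.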
20 Comments
 
Expert Comment by JFrederick29:
Does it work using the IP address of your TFTP server instead of domain name?


Author Comment by nmxsupport:
Sorry, I guess I should have mentioned, but no, it does not work using the IP address either.

Expert Comment by JFrederick29:
What is the IP of the TFTP server?


Author Comment by nmxsupport:
62.3.194.34


Author Comment by nmxsupport:
Apologies, that was wrong; it is 62.3.194.35


Author Comment by nmxsupport:
Interestingly, taking a remote site that does not work and using another computer, FTP works fine using IE, but using command prompt FTP it hangs at the following:

ftp> dir
150 Opening ASCII mode data connection for /bin/ls.

whereas from a site that does not have problems, the same command:

ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
550 .: Access is denied.
ftp>

Is this an issue with active/passive FTP and the router?


Author Comment by nmxsupport:
Further reading seems to indicate that command line FTP is Active FTP.
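The active/passive question above, worked through as an added example (editor's Python, not code from the thread). In active mode the client's `PORT` command carries the client's own address, so a LAN client behind this router announces a 192.168.x.x address unless NAT rewrites it; and even after the rewrite, the server's connection back arrives on Dialer0, where `access-list 101` has no permit for it unless FTP inspection opens one dynamically. Either way the data connection never arrives and `dir` sits after the `150` line. In passive mode the client connects outbound, which ordinary NAT overload and TCP inspection already handle. The model below treats the address rewrite and the pinhole as two separate switches (on IOS the first is NAT's built-in FTP ALG, the second is `ip inspect name DEFAULT100 ftp`, which is absent from the posted config). The client address 192.168.0.5, the outside address 198.51.100.7, and the port numbers are constructed; the server address is the one given in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line: str):
    """Active mode: the client's `PORT h1,h2,h3,h4,p1,p2` tells the server where to
    connect *back* for the data channel (port = p1*256 + p2)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(line: str):
    """Passive mode: the server's 227 reply names where the client must connect.
    The client initiates, so NAT overload and TCP inspection already cover it."""
    m = re.search(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Router:
    """Two things the edge router must do for active FTP from a NATed LAN client.
    nat_alg: rewrite the private address inside PORT to the outside address.
    inspect_ftp: open the return path for the server's data connection through the
    inbound WAN ACL (what `ip inspect ... ftp` provides; the posted list lacks it)."""
    outside_ip: str
    nat_alg: bool = True
    inspect_ftp: bool = True
    pinholes: dict = field(default_factory=dict)   # (server, outside, ext_port) -> (inside, port)
    next_port: int = 20000

    def outbound_control(self, server_ip: str, line: str) -> str:
        """Client -> server control-channel line; returns what the server actually receives."""
        if not (self.nat_alg and line.startswith("PORT ")):
            return line
        inside_ip, inside_port = parse_port(line)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[(server_ip, self.outside_ip, ext_port)] = (inside_ip, inside_port)
        return format_port(self.outside_ip, ext_port)

    def inbound_data_syn(self, src_ip: str, dst_ip: str, dst_port: int):
        """Server's SYN for the data channel: inside (ip, port) if it may pass, else None."""
        if not self.inspect_ftp:
            return None   # access-list 101 ends in `deny ip any any`; nothing static permits it
        return self.pinholes.get((src_ip, dst_ip, dst_port))


def active_transfer(router: Router, client_ip: str, client_port: int, server_ip: str) -> str:
    """Outcome of `dir` in active mode, i.e. what follows `150 Opening ASCII mode data connection`."""
    seen_by_server = router.outbound_control(server_ip, format_port(client_ip, client_port))
    target_ip, target_port = parse_port(seen_by_server)
    if is_rfc1918(target_ip):
        return "hang: server tries to connect to a private address"
    inside = router.inbound_data_syn(server_ip, target_ip, target_port)
    if inside is None:
        return "hang: server's data SYN dropped on Dialer0"
    return f"ok: data connection translated to {inside[0]}:{inside[1]}"


def passive_transfer(server_reply: str) -> str:
    ip, port = parse_pasv(server_reply)
    return f"ok: client connects out to {ip}:{port}"


if __name__ == "__main__":
    for nat_alg, inspect_ftp in ((False, False), (True, False), (True, True)):
        r = Router("198.51.100.7", nat_alg=nat_alg, inspect_ftp=inspect_ftp)
        print(f"nat_alg={nat_alg!s:5} inspect_ftp={inspect_ftp!s:5} ->",
              active_transfer(r, "192.168.0.5", 50000, "62.3.194.35"))
    print("passive ->", passive_transfer("227 Entering Passive Mode (62,3,194,35,200,10)"))
```

The middle case is the one the posted config is in: NAT exists, so the server sees a public address, but nothing on Dialer0 admits the server's connection back, which is why the expert later says to keep the `ftp` inspection line "for sure".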
 
Accepted Solution by JFrederick29 (earned 500 total points):
Since you are connecting to a TFTP server on the Internet, the access-list on the WAN interface is the issue.

Try adding this:

ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 ftp


Author Comment by nmxsupport:
Hi, I have done this but it didn't make any difference.

Expert Comment by JFrederick29:
Okay.  Try this:

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

If that still doesn't work, can you TFTP to that IP from other routers?

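The order of that change matters, and the following added example (editor's Python, not from the thread) shows why by evaluating the post's `access-list 101` the way IOS does: first match wins, and an implicit deny follows the last entry. The reply from the TFTP server is UDP from an ephemeral port to an ephemeral port, so nothing in the list matches it before `deny ip any any`. Removing that line, adding the permit, and re-adding the deny puts the permit in front; simply appending the permit leaves it behind the deny and unreachable. The same evaluation shows that a plain FTP control-channel reply (TCP from port 21) is also denied by the static list, which is the gap that `ip inspect ... tcp router-traffic` closes dynamically. The ACL is an abridged copy of the posted one; 198.51.100.7 stands in for the router's negotiated Dialer0 address, and the other addresses and ports are constructed. Only `any`, `host`, contiguous wildcards, ICMP type names, and `eq <port>` on the destination are parsed, which is all the posted list uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "ftp": 21, "tftp": 69}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # only `eq <port>` after the destination is modelled
    icmp_type: Optional[str]


def _addr(tokens, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # inverted mask; assumed contiguous
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network((tokens[i], prefix), strict=False), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]            # drop "access-list <number>"
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    dport = icmp_type = None
    if i < len(tokens):
        if tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        elif proto == "icmp":
            icmp_type = tokens[i]
    return Ace(action, proto, src, dst, dport, icmp_type)


def parse_acl(lines):
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl, pkt: Packet):
    """First matching entry wins; returns (action, 1-based line) or ("deny", None) for the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
            continue
        return ace.action, n
    return "deny", None


# Abridged copy of the post's access-list 101 (applied inbound on Dialer0).
ACL_101 = """
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp host 62.3.194.3 any eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any
""".strip().splitlines()


def with_fix(lines, tftp_server="62.3.194.35"):
    """The expert's change: remove the trailing deny, permit the server, re-add the deny."""
    kept = [l for l in lines if l.split()[2:] != ["deny", "ip", "any", "any"]]
    return kept + [f"access-list 101 permit ip host {tftp_server} any",
                   "access-list 101 deny   ip any any"]


def with_fix_misordered(lines, tftp_server="62.3.194.35"):
    """What you get by just typing the permit: it lands after `deny ip any any`."""
    return lines + [f"access-list 101 permit ip host {tftp_server} any"]


# Constructed packets; 198.51.100.7 stands in for the router's negotiated Dialer0 address.
TFTP_REPLY = Packet("udp", "62.3.194.35", "198.51.100.7", sport=49201, dport=50123)
FTP_CTRL_REPLY = Packet("tcp", "62.3.194.35", "198.51.100.7", sport=21, dport=50124)

if __name__ == "__main__":
    for label, lines in (("original", ACL_101), ("fixed", with_fix(ACL_101)),
                         ("misordered", with_fix_misordered(ACL_101))):
        print(f"{label:10s} tftp reply -> {evaluate(parse_acl(lines), TFTP_REPLY)}")
    print(f"original   ftp ctrl   -> {evaluate(parse_acl(ACL_101), FTP_CTRL_REPLY)}")
```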
Expert Comment by JFrederick29:
Actually, try this:

conf t
ip access-list ext 100
permit ip 192.168.0.0 0.0.0.255 any
no permit ip any any

There are funky issues when you use "permit ip any any" in the NAT access-list.  This changes it to specify only the LAN subnet instead.


Author Comment by nmxsupport:
Is this as well as the config below?

ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 ftp

Expert Comment by JFrederick29:
You can remove that if desired, but it doesn't hurt to leave it.  Leave the FTP one for sure.

Add this though:

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

TFTP isn't very firewall friendly, and there isn't inspection for TFTP from the router itself, which is what I was hoping for.
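Why TFTP does not get the same dynamic treatment as FTP, as an added example (editor's Python model, not code from the thread). RFC 1350 has the client send its request to port 69, but the server answers from a freshly chosen port (a new transfer ID), so the first reply never matches the 5-tuple of the datagram the router sent. A generic UDP session entry keyed on that 5-tuple therefore drops the reply and the router reports `(Timed out)`, exactly as in the post; only a TFTP-aware inspector that learns the server's new port from the first reply can carry the transfer, and that is the capability the thread says is missing for router-originated traffic, which is why the static permit for 62.3.194.35 is the workable fix. The 5-tuple keying of the generic entry is a model assumption, not a description of CBAC internals; the router address 198.51.100.7 and the port numbers are constructed, the server address and filename are the thread's.

```python
import struct
from dataclasses import dataclass

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 write request: what `copy running-config tftp:` sends to port 69."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def build_data(block: int, chunk: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + chunk


def parse_tftp(payload: bytes) -> dict:
    (op,) = struct.unpack("!H", payload[:2])
    if op in (OP_RRQ, OP_WRQ):
        name, mode = payload[2:].split(b"\0")[:2]
        return {"op": op, "filename": name.decode(), "mode": mode.decode()}
    (block,) = struct.unpack("!H", payload[2:4])
    return {"op": op, "block": block, "data": payload[4:]}


class UdpInspector:
    """Toy stateful inspector for router-originated UDP.
    tftp_aware=False: return traffic must match the outbound 5-tuple exactly
    (the model for a generic `udp router-traffic` entry).
    tftp_aware=True: a request sent to port 69 also entitles one reply from *any*
    server port, because RFC 1350 makes the server pick a fresh transfer ID."""

    def __init__(self, tftp_aware: bool):
        self.tftp_aware = tftp_aware
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port or None)

    def outbound(self, dg: Datagram) -> None:
        self.sessions.add((dg.src, dg.sport, dg.dst, dg.dport))
        if (self.tftp_aware and dg.dport == TFTP_PORT
                and parse_tftp(dg.payload)["op"] in (OP_RRQ, OP_WRQ)):
            self.sessions.add((dg.src, dg.sport, dg.dst, None))   # server TID not known yet

    def inbound(self, dg: Datagram) -> bool:
        """True if a datagram arriving from outside matches a learned session."""
        if (dg.dst, dg.dport, dg.src, dg.sport) in self.sessions:
            return True
        if (dg.dst, dg.dport, dg.src, None) in self.sessions:
            # First reply reveals the server's TID; pin the session to it from now on.
            self.sessions.discard((dg.dst, dg.dport, dg.src, None))
            self.sessions.add((dg.dst, dg.dport, dg.src, dg.sport))
            return True
        return False


def run_upload(tftp_aware: bool) -> list:
    """Replay the first packets of `copy running tftp:` through the inspector and
    report which server replies get back to the router."""
    router, server = "198.51.100.7", "62.3.194.35"
    fw = UdpInspector(tftp_aware)
    log = []
    wrq = Datagram(router, 50123, server, TFTP_PORT, build_wrq("cisco-confg"))
    fw.outbound(wrq)
    ack0 = Datagram(server, 49201, router, 50123, build_ack(0))   # note: not from port 69
    log.append(("ack0", fw.inbound(ack0)))
    if not log[-1][1]:
        return log   # router never sees ACK 0: "%Error opening tftp://... (Timed out)"
    data1 = Datagram(router, 50123, server, 49201, build_data(1, b"!\nversion 12.4\n"))
    fw.outbound(data1)
    ack1 = Datagram(server, 49201, router, 50123, build_ack(1))
    log.append(("ack1", fw.inbound(ack1)))
    return log


if __name__ == "__main__":
    print("generic udp entry :", run_upload(tftp_aware=False))
    print("tftp-aware entry  :", run_upload(tftp_aware=True))
```

The static `permit ip host 62.3.194.35 any` works because it sidesteps the port problem entirely; its cost is that every packet from that host, on any port, is now admitted through Dialer0, so the TFTP server's own security becomes part of the router's.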
 

Author Comment by nmxsupport:
Bingo, that seems to work!
I am finishing for the weekend now but will look again on Monday at this.
Thank you

Expert Comment by JFrederick29:
Cool.  Sounds good.


Author Comment by nmxsupport:
Hi JFrederick29,
I have been through this with around 5 or 6 different Cisco routers and the following command alone is enough to get this working:
ip inspect name DEFAULT100 tcp router-traffic
What does this command do, and why do you think it does not work without this?


Author Comment by nmxsupport:
I am also raising a new call for routers with a config created using SDM 2.5 in which the patch above does not fix it - I think it's only fair to raise a new call.

Expert Comment by JFrederick29:
That command applies the IOS Firewall inspection to TCP traffic initiated from the router itself (not traffic passing through the router).  Are you sure this was the only thing required?  Did you remove the access-list entry?  The only reason I ask is because TFTP is UDP...


Author Comment by nmxsupport:
I actually used FTP in the end.

Expert Comment by JFrederick29:
Ahh, okay, well that would explain why that worked.
