nmxsupport

asked on

Cisco - cannot upload config to tftp server

Hi,
Can anyone identify why I cannot copy my running config to a TFTP server? The TFTP server works fine for a couple of Cisco routers, but for many others it does not work.
Thanks

cisco#copy running tftp:
Address or name of remote host []? www.abc.com
Destination filename [cisco-confg]?
.....
%Error opening tftp://www.abc.com/cisco-confg (Timed out)
Building configuration...
 
Current configuration : 8097 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3KY0$isZgjoD4vkjPXlOl1yuDn0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.0.1
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4292226846
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4292226846
 revocation-check none
 rsakeypair TP-self-signed-4292226846
!
!
crypto pki certificate chain TP-self-signed-4292226846
 certificate self-signed 01
  quit
username ciscoadmin privilege 15 secret 5 $1$4QXV$WqOh9PBN3G/FHVKabdAO9/
 
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.250 255.255.255.0
 ip access-group sdm_vlan1_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx@gotadsl.co.uk
 ppp chap password 7 07043359485A1D0A01
 ppp pap sent-username xxxxx@gotadsl.co.uk password 7 10451B0C034416041A
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 192.168.254.250
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.1 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 22 interface Dialer0 22
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.253 123 interface Dialer0 123
ip nat inside source static tcp 192.168.0.253 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.253 2224 interface Dialer0 2224
ip nat inside source static tcp 192.168.0.253 2226 interface Dialer0 2226
ip nat inside source static tcp 192.168.0.253 2228 interface Dialer0 2228
ip nat inside source static tcp 192.168.0.253 5666 interface Dialer0 5666
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit tcp host 192.168.0.1 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
 permit udp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=3
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq 5666
access-list 101 permit tcp any any eq 2228
access-list 101 permit tcp any any eq 2226
access-list 101 permit tcp any any eq 2224
access-list 101 permit tcp any any eq 2222
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp 195.90.96.0 0.0.1.255 any eq smtp
access-list 101 permit tcp host 62.3.194.3 any eq 3390
access-list 101 permit tcp host 62.3.194.3 any eq 3389
access-list 101 permit tcp host 81.149.56.6 any eq 3389
access-list 101 permit tcp host 213.123.130.137 any eq 3389
access-list 101 permit tcp 212.183.0.0 0.0.255.255 any eq 3389
access-list 101 permit tcp host 213.123.128.61 any eq 3389
access-list 101 permit tcp 81.134.3.0 0.0.0.255 any eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


JFrederick29

Does it work using the IP address of your TFTP server instead of domain name?
nmxsupport

ASKER

Sorry I guess I should have mentioned but no it does not work using IP address either.
What is the IP of the TFTP server?
62.3.194.34
Apologies that was wrong it is 62.3.194.35
Interestingly, taking a remote site that does not work and using another computer, FTP works fine using IE, but using command prompt FTP it hangs at the following:

ftp> dir
150 Opening ASCII mode data connection for /bin/ls.

whereas from a site that does not have problems, the same command gives:

ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
550 .: Access is denied.
ftp>

Is this an issue with active/passive FTP and the router?
Further reading seems to indicate that command line FTP is active FTP.
ASKER CERTIFIED SOLUTION
JFrederick29
Hi I have done this but it didn't make any difference
Okay.  Try this:

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

If that still doesn't work, can you TFTP to that IP from other routers?
Actually, try this:

conf t
ip access-list ext 100
permit ip 192.168.0.0 0.0.0.255 any
no permit ip any any

There are funky issues when you use "permit ip any any" in the NAT access-list.  This changes it to specify only the LAN subnet instead.
Is this as well as the config below?

ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 ftp
You can remove that if desired but it doesn't hurt to leave it.  Leave the FTP one for sure.

Add this though.

conf t
ip access-list ext 101
no deny   ip any any
permit ip host 62.3.194.35 any
deny ip any any

TFTP isn't very Firewall friendly and there isn't inspection for TFTP from the router itself which is what I was hoping for.
Bingo that seems to work!
I am finishing for the weekend now but will look again on Monday at this.
Thank you
Cool.  Sounds good.
Hi JFrederick29
I have been through this with around 5 or 6 different Cisco routers, and the following command alone is enough to get this working:
ip inspect name DEFAULT100 tcp router-traffic
What does this command do, and why do you think it does not work without this?
I am also raising a new call for routers with a config created using SDM 2.5 in which the patch above does not fix it - I think it's only fair to raise a new call.
That command applies the IOS Firewall inspection to TCP traffic initiated from the router itself (not traffic passing through the router).  Are you sure this was the only thing required?  Did you remove the access-list entry?  The only reason I ask is because TFTP is UDP...
I actually used FTP in the end
Ahh, okay, well that would explain why that worked.
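The interplay the thread works through (inbound ACL 101 on Dialer0, CBAC inspection of outbound traffic, and the `router-traffic` keyword that decides whether the router's own connections get a return hole) modelled as an added Python example; this is not Cisco code or anything posted in the thread. `WAN_IP` is a constructed placeholder for the negotiated Dialer0 address, and the inspection state is simplified to matching the reversed 5-tuple.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

WAN_IP = "203.0.113.10"      # constructed placeholder for the negotiated Dialer0 address
TFTP_SERVER = "62.3.194.35"  # the server named in the thread

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class Dialer0:
    """Inbound ACL 101 plus 'ip inspect DEFAULT100 out', reduced to the rules that matter."""
    permit_hosts: set = field(default_factory=set)    # 'permit ip host X any' entries
    router_traffic: set = field(default_factory=set)  # protocols inspected with the router-traffic keyword
    sessions: set = field(default_factory=set)        # CBAC state: reverse tuples allowed back in

    def send(self, pkt, from_router):
        # CBAC tracks traffic passing through the router; traffic the router itself
        # originates is tracked only for protocols configured with 'router-traffic'.
        if not from_router or pkt.proto in self.router_traffic:
            self.sessions.add(pkt.reverse())

    def receive(self, pkt):
        if pkt in self.sessions:
            return "permit: inspection opened a hole for this return flow"
        if pkt.src in self.permit_hosts:
            return "permit: explicit ACL 101 entry"
        return "deny: ACL 101 ends in 'deny ip any any'"

def router_copy(dialer, proto, dport):
    """'copy running tftp:' or ftp: from the router; returns the verdict for the server's reply."""
    request = Packet(proto, WAN_IP, 50000, TFTP_SERVER, dport)
    dialer.send(request, from_router=True)
    # Simplified: a real TFTP server answers from a fresh UDP port, so even a plain
    # udp session entry would not match; that is the 'not firewall friendly' part.
    return dialer.receive(request.reverse())

def lan_pc_copy(dialer, proto, dport):
    """Same transfer from a PC behind NAT: through-traffic, so inspection always applies."""
    request = Packet(proto, WAN_IP, 40000, TFTP_SERVER, dport)  # source already NATted
    dialer.send(request, from_router=False)
    return dialer.receive(request.reverse())
```

Calling `router_copy(Dialer0(), "udp", 69)` reproduces the timeout from the original post, `Dialer0(permit_hosts={TFTP_SERVER})` reproduces the explicit-permit fix, and `Dialer0(router_traffic={"tcp"})` shows why FTP started working while TFTP (UDP) still would not.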