«

I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
pix.

r2 is on the subnet of the outside interface of the pix.

Option #1: I create a static-nat of 200.200.200.200 for the
10.10.10.10 address, together with the required inbound acl. The tftp
file will be named tftp://200.200.200.200/r2-config and the
tftp-server won't recognize it.

r2#copy run tftp
Address or name of remote host []? 200.200.200.200
Destination filename [r2-confg]?
......
%Error opening tftp://200.200.200.200/r2-confg (Timed out)

Option #2: I configured a no-nat address on the pix for the
10.10.10.10 address, together with the required inbound acl, and also
configured a default route to the pix on r2.

r2#copy run tftp
Address or name of remote host []? 10.10.10.10
Destination filename [r2-confg]?
......
%Error opening tftp://10.0.10.10/r2-confg (Timed out)

While neither of these options worked actually, which way is
preferred?

In article < >,
Jose <> wrote:
:I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
ix.

:r2 is on the subnet of the outside interface of the pix.

:Option #1: I create a static-nat of 200.200.200.200 for the
:10.10.10.10 address, together with the required inbound acl. The tftp
:file will be named tftp://200.200.200.200/r2-config and the
:tftp-server won't recognize it.

You might be having a proxy arp difficulty. Is your PIX configure with
sysopt noproxyarp outside ?


:Option #2: I configured a no-nat address on the pix for the
:10.10.10.10 address, together with the required inbound acl, and also
:configured a default route to the pix on r2.

If you used nat 0 access-list then that does not proxy arp.
Still, if you routed directly to the PIX, one would have expected
it to work.

Are you using a fairly recently PIX release? If so, then create an
access-list matching tftp traffic, and use the 'capture' command to
snag the packets as you make the attempt.
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)

In article < >,
Jose <> wrote:
:I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
ix.

I know your errors say "timed-out", but are you creating the
destination file before you attempt the tftp? tftp usually does
not allow people to create new files; usually you have to provide
an existing file with write permissions for whatever userid the tftp
daemon runs under.
--
I predict that you will not trust this prediction.

I did not do a" sysopt noproxy outside" - yet.
Since the tftp-server is on the inside, should I configure "sysopt
noproxy inside" also?

If I turn off proxy arp, will I have to statically enter arp for all
natted addresses?

I'm wondering if I could locate those pesky proxy arps in the arp
table if I do "show arp" and look for the pix's own mac-addresses
associated with other IP's.

The routers that are on the same subnet as the tftp-server do not have
any problem sending their config files. The tftp-server creates the
new file as it is sent, i.e, tftp://10.0.10.10/r1-confg. But would
it create a file named tftp://200.200.200.200/r2-config? I'm afraid
not, that's why I think I will pursue the no-nat option.

The Pix is 6.2. I did a "clear arp" and a "clear xlate", but I did not
reload the PIX. I don't have access to these machines until Tuesday
when all will be reloaded. That by itself could do the trick. If
not, I'll do the captures you suggested.

Thanks so much for helping me think this through.