tftp to srvr behind pix: use nat or no-nat?

 
 
Jose
      10-24-2004
I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
pix.

r2 is on the subnet of the outside interface of the pix.

Option #1: I create a static-nat of 200.200.200.200 for the
10.10.10.10 address, together with the required inbound acl. The tftp
file will be named tftp://200.200.200.200/r2-config and the
tftp-server won't recognize it.

r2#copy run tftp
Address or name of remote host []? 200.200.200.200
Destination filename [r2-confg]?
......
%Error opening tftp://200.200.200.200/r2-confg (Timed out)

Option #2: I configured a no-nat address on the pix for the
10.10.10.10 address, together with the required inbound acl, and also
configured a default route to the pix on r2.

r2#copy run tftp
Address or name of remote host []? 10.10.10.10
Destination filename [r2-confg]?
......
%Error opening tftp://10.0.10.10/r2-confg (Timed out)

While neither of these options worked actually, which way is
preferred?
 
Walter Roberson
      10-24-2004
In article <(E-Mail Removed) >,
Jose <(E-Mail Removed)> wrote:
:I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
:pix.

:r2 is on the subnet of the outside interface of the pix.

:Option #1: I create a static-nat of 200.200.200.200 for the
:10.10.10.10 address, together with the required inbound acl. The tftp
:file will be named tftp://200.200.200.200/r2-config and the
:tftp-server won't recognize it.

You might be having a proxy arp difficulty. Is your PIX configured with
sysopt noproxyarp outside ?


:Option #2: I configured a no-nat address on the pix for the
:10.10.10.10 address, together with the required inbound acl, and also
:configured a default route to the pix on r2.

If you used nat 0 access-list then that does not proxy arp.
Still, if you routed directly to the PIX, one would have expected
it to work.

Are you using a fairly recent PIX release? If so, then create an
access-list matching tftp traffic, and use the 'capture' command to
snag the packets as you make the attempt.
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
 
Walter Roberson
      10-24-2004
In article <(E-Mail Removed) >,
Jose <(E-Mail Removed)> wrote:
:I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
:pix.

I know your errors say "timed-out", but are you creating the
destination file before you attempt the tftp? tftp usually does
not allow people to create new files; usually you have to provide
an existing file with write permissions for whatever userid the tftp
daemon runs under.
--
I predict that you will not trust this prediction.
 
Jose
      10-24-2004
I did not do a "sysopt noproxy outside" - yet.
Since the tftp-server is on the inside, should I configure "sysopt
noproxy inside" also?

If I turn off proxy arp, will I have to statically enter arp for all
natted addresses?

I'm wondering if I could locate those pesky proxy arps in the arp
table if I do "show arp" and look for the pix's own mac-addresses
associated with other IP's.

The routers that are on the same subnet as the tftp-server do not have
any problem sending their config files. The tftp-server creates the
new file as it is sent, i.e., tftp://10.0.10.10/r1-confg. But would
it create a file named tftp://200.200.200.200/r2-config? I'm afraid
not, that's why I think I will pursue the no-nat option.

The Pix is 6.2. I did a "clear arp" and a "clear xlate", but I did not
reload the PIX. I don't have access to these machines until Tuesday
when all will be reloaded. That by itself could do the trick. If
not, I'll do the captures you suggested.

Thanks so much for helping me think this through.
 
Reply With Quote
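
The "show arp" check raised in the last post (one MAC address turning up against several IPs), as an added example that is not part of the original thread: the script parses IOS `show arp` text and lists the IPs that resolve to the same hardware address as a given device. The sample table, its addresses and MACs, and the choice of 200.200.200.1 as the PIX outside interface are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of IOS "show arp" output as seen on r2; every address
# and MAC is made up. 200.200.200.1 is assumed to be the PIX outside interface.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  200.200.200.2           -   0010.7b11.2222  ARPA   Ethernet0
Internet  200.200.200.1           3   0050.54aa.0001  ARPA   Ethernet0
Internet  200.200.200.200         1   0050.54aa.0001  ARPA   Ethernet0
Internet  200.200.200.201         7   0050.54aa.0001  ARPA   Ethernet0
Internet  200.200.200.50          0   Incomplete      ARPA
Internet  200.200.200.9          12   0003.e3bb.0909  ARPA   Ethernet0
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|Incomplete)\s+\S+"
    r"(?:\s+(?P<ifname>\S+))?$",
    re.IGNORECASE,
)

def parse_show_arp(text):
    """Return (ip, mac, is_local) per resolved entry; skip header and Incomplete."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m.group("mac").lower() != "incomplete":
            # Age "-" marks the router's own interface address.
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("age") == "-"))
    return entries

def shared_macs(entries):
    """Map each MAC that answers for more than one neighbour IP to those IPs."""
    by_mac = defaultdict(set)
    for ip, mac, is_local in entries:
        if not is_local:
            by_mac[mac].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}

def answered_by(entries, device_ip):
    """IPs other than device_ip that resolve to device_ip's MAC (proxy-ARP candidates)."""
    macs = {mac for ip, mac, _ in entries if ip == device_ip}
    return sorted((ip for ip, mac, _ in entries if mac in macs and ip != device_ip),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    table = parse_show_arp(SAMPLE_SHOW_ARP)
    print(shared_macs(table))
    print(answered_by(table, "200.200.200.1"))
```

A MAC that answers for several IPs is only a hint: a router doing proxy ARP for other reasons produces the same pattern, so compare the result against the addresses actually translated on the PIX.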
 
 
 