tftp to srvr behind pix: use nat or no-nat?

Discussion in 'Cisco' started by Jose, Oct 24, 2004.

  1. Jose

    Jose Guest

    I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
    pix.

    r2 is on the subnet of the outside interface of the pix.

    Option #1: I create a static-nat of 200.200.200.200 for the
    10.10.10.10 address, together with the required inbound acl. The tftp
    file will be named tftp://200.200.200.200/r2-config and the
    tftp-server won't recognize it.

    r2#copy run tftp
    Address or name of remote host []? 200.200.200.200
    Destination filename [r2-confg]?
    ......
    %Error opening tftp://200.200.200.200/r2-confg (Timed out)

    Option #2: I configured a no-nat address on the pix for the
    10.10.10.10 address, together with the required inbound acl, and also
    configured a default route to the pix on r2.

    r2#copy run tftp
    Address or name of remote host []? 10.10.10.10
    Destination filename [r2-confg]?
    ......
    %Error opening tftp://10.0.10.10/r2-confg (Timed out)

    While neither of these options actually worked, which way is
    preferred?
    Jose, Oct 24, 2004
    #1

  2. In article <>,
    Jose <> wrote:
    :I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
    :pix.

    :r2 is on the subnet of the outside interface of the pix.

    :Option #1: I create a static-nat of 200.200.200.200 for the
    :10.10.10.10 address, together with the required inbound acl. The tftp
    :file will be named tftp://200.200.200.200/r2-config and the
    :tftp-server won't recognize it.

    You might be having a proxy arp difficulty. Is your PIX configured with
    sysopt noproxyarp outside?


    :Option #2: I configured a no-nat address on the pix for the
    :10.10.10.10 address, together with the required inbound acl, and also
    :configured a default route to the pix on r2.

    If you used nat 0 access-list then that does not proxy arp.
    Still, if you routed directly to the PIX, one would have expected
    it to work.

    Are you using a fairly recent PIX release? If so, then create an
    access-list matching tftp traffic, and use the 'capture' command to
    snag the packets as you make the attempt.
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Oct 24, 2004
    #2

  3. In article <>,
    Jose <> wrote:
    :I am trying to tftp my r2-config to a server at 10.10.10.10 behind a
    :pix.

    I know your errors say "timed-out", but are you creating the
    destination file before you attempt the tftp? tftp usually does
    not allow people to create new files; usually you have to provide
    an existing file with write permissions for whatever userid the tftp
    daemon runs under.
    --
    I predict that you will not trust this prediction.
    Walter Roberson, Oct 24, 2004
    #3
  4. Jose

    Jose Guest

    I did not do a "sysopt noproxy outside" - yet.
    Since the tftp-server is on the inside, should I configure "sysopt
    noproxy inside" also?

    If I turn off proxy arp, will I have to statically enter arp for all
    natted addresses?

    I'm wondering if I could locate those pesky proxy arps in the arp
    table if I do "show arp" and look for the pix's own mac-addresses
    associated with other IP's.

    The routers that are on the same subnet as the tftp-server do not have
    any problem sending their config files. The tftp-server creates the
    new file as it is sent, i.e., tftp://10.0.10.10/r1-confg. But would
    it create a file named tftp://200.200.200.200/r2-config? I'm afraid
    not, that's why I think I will pursue the no-nat option.

    The Pix is 6.2. I did a "clear arp" and a "clear xlate", but I did not
    reload the PIX. I don't have access to these machines until Tuesday
    when all will be reloaded. That by itself could do the trick. If
    not, I'll do the captures you suggested.

    Thanks so much for helping me think this through.
    Jose, Oct 24, 2004
    #4
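Jose's idea of spotting proxy ARP in the router's ARP table (the PIX's own MAC showing up against other IPs) can be checked mechanically. The following is an added Python example, not code from the thread; it parses constructed IOS "show arp" output and assumes 200.200.200.1 as the PIX outside address, with the 200.200.200.200 static-NAT address taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS "show arp" output (not from the original thread).
# Assumption: the PIX outside interface is 200.200.200.1. With proxy ARP enabled it
# also answers ARP for the static-NAT address 200.200.200.200, so both IPs resolve
# to the PIX's own MAC address.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  200.200.200.1           5   0011.2233.4455  ARPA   FastEthernet0/0
Internet  200.200.200.2           -   0050.5600.0a01  ARPA   FastEthernet0/0
Internet  200.200.200.200         3   0011.2233.4455  ARPA   FastEthernet0/0
Internet  200.200.200.50         12   00d0.1234.abcd  ARPA   FastEthernet0/0
"""

# One IOS ARP entry: protocol, IP, age ("-" for the router's own address), MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

def parse_show_arp(text):
    """Return a list of (ip, mac, interface) tuples from IOS 'show arp' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("intf")))
    return entries

def find_proxy_arp_candidates(entries):
    """Group IPs by MAC per interface. A MAC answering for more than one IP on the
    same segment is the signature of a device (here the PIX) proxy-ARPing for others."""
    by_mac = defaultdict(set)
    for ip, mac, intf in entries:
        by_mac[(intf, mac)].add(ip)
    return {mac: sorted(ips) for (intf, mac), ips in by_mac.items() if len(ips) > 1}

def nat_address_served_by(entries, pix_ip, nat_ip):
    """True when the NAT address resolves to the same MAC as the PIX's own interface
    address, i.e. the PIX is proxy-ARPing for the translation."""
    macs = {ip: mac for ip, mac, _ in entries}
    return pix_ip in macs and macs.get(nat_ip) == macs[pix_ip]

if __name__ == "__main__":
    ents = parse_show_arp(SHOW_ARP)
    print(find_proxy_arp_candidates(ents))
    print(nat_address_served_by(ents, "200.200.200.1", "200.200.200.200"))
```

If the static-NAT address does not appear against the PIX's MAC at all, r2 never got an ARP reply for it, which points at proxy ARP rather than the TFTP server as the cause of the timeout.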
