Firewall Wizards mailing list archives
Re: TFTP over vpns
From: "Mathew Want" <mathew.want () ac3 com au>
Date: Mon, 19 Feb 2007 09:49:17 +1100
Craig,

I had an instance last week where we were trying to block the reply traffic from a TFTP server with an ACL (the joys of an exercise in a Cisco course). What the instructor found, in one of the RFCs (or similar tech doc), was that some implementations of TFTP servers, although contacted on UDP/69, answer on UDP/XX69. This would get dropped by a firewall tracking the UDP traffic, as it would appear as a new connection rather than a reply to an existing one.

Hope this helps.

M@

--
"Some things are eternal by nature, others by consequence"

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Craig Van Tassle
Sent: Thursday, 15 February 2007 1:45 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] TFTP over vpns

I have tried that. The reason we are using TFTP is for our VOIP phones to pull down the config setting upon reboot. Overall I prefer SCP or SFTP, but in this case it's not available.

Akash Rao wrote:
Craig,

It is tough to know what might be wrong without checking the logs of the firewalls. I hope you have tried to telnet to the tftp server on port 69 (default port for tftp) from a client in remote lan and confirmed that the tftp server is running. Now, try the same test with a client in "my lan" and confirm the same.

On a separate note, I would suggest using scp or sftp rather than tftp to transfer files, since these are more secure.

Cheers,
Akash

On 2/10/07, Craig Van Tassle <craig () codestorm org> wrote:

I have a couple of remote sites that are using Cisco firewalls for Lan-Lan vpn. I have all the proper rules for so I can remote connect to servers on the other side, and ping works fine. However I'm trying to use something like tftp over from my lan to the remote lan. It does not seem to work. Any ideas?

Thanks
Craig
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
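An added example, not part of the original thread: a toy stateful UDP filter showing why a TFTP reply sent from a port other than 69 fails an exact reverse-tuple match, and how a protocol helper that registers an expectation for the server's reply lets it through. The addresses, ports, class and function names are constructed for illustration and do not model any specific firewall product.

```python
from dataclasses import dataclass, field

TFTP_PORT = 69

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class UdpTracker:
    """Toy stateful UDP filter: inside hosts may initiate, outside may only reply."""
    inside: set
    tftp_helper: bool = False
    flows: set = field(default_factory=set)     # exact reply tuples allowed back in
    expected: set = field(default_factory=set)  # (server, client, client_port), any server port

    def handle(self, p: Packet) -> str:
        if p.src in self.inside:
            # Outbound: remember the exact tuple a reply must carry.
            self.flows.add((p.dst, p.dport, p.src, p.sport))
            if self.tftp_helper and p.dport == TFTP_PORT:
                # Helper: the transfer will come from a server-chosen port.
                self.expected.add((p.dst, p.src, p.sport))
            return "ALLOW"
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ALLOW"
        key = (p.src, p.dst, p.dport)
        if key in self.expected:
            # Consume the expectation and pin the flow to the port actually used.
            self.expected.discard(key)
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        return "DROP"

def simulate(tftp_helper: bool) -> list:
    # Constructed addresses and ports, for illustration only.
    fw = UdpTracker(inside={"10.1.1.20"}, tftp_helper=tftp_helper)
    exchange = [
        Packet("10.1.1.20", 50000, "10.2.2.5", TFTP_PORT),  # read request to port 69
        Packet("10.2.2.5", 40123, "10.1.1.20", 50000),      # first data block, new source port
        Packet("10.2.2.5", 40999, "10.1.1.20", 50000),      # unrelated port, never expected
    ]
    return [fw.handle(p) for p in exchange]

if __name__ == "__main__":
    print("strict 4-tuple match:", simulate(False))
    print("with TFTP helper:    ", simulate(True))
```

The expectation is consumed by the first matching packet, so the helper opens one reply flow per request rather than every port on the server.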
Current thread:
- TFTP over vpns Craig Van Tassle (Feb 12)
- Re: TFTP over vpns Clayton Scott Kern (Feb 14)
- Re: TFTP over vpns Akash Rao (Feb 14)
- Re: TFTP over vpns Craig Van Tassle (Feb 14)
- Re: TFTP over vpns Mathew Want (Feb 20)
- Re: TFTP over vpns Carson Gaspar (Feb 22)
- Re: TFTP over vpns Craig Van Tassle (Feb 14)
- Re: TFTP over vpns James (Feb 16)
- Re: TFTP over vpns ArkanoiD (Feb 16)
- <Possible follow-ups>
- Re: TFTP over vpns Jean-Denis Gorin (Feb 20)