TFTP publish through to internal server
TFTP publish through to internal server - 13.Feb.2003 7:00:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Greetings to all from down under,
I have a need to copy some of my edge-router configs via TFTP and I'm after a little help. I found an older article here on the message boards, but unfortunately there was no actual solution.
I've had a shot myself to see how I would go but not had any luck yet. When looking at the IPPD logs it shows that the router (Cisco) is attempting to ping the ISA outside IP first, as the log shows "ICMP, 8, 0, -, BLOCKED". I've tried adding some packet filters to allow ping response as well as TFTP (port 69 TCP & UDP) in/out but I'm not having any luck yet... Before I screw around with this much more... has anyone else done this so I don't have to re-invent the wheel...?
My next step will then be to accept SNMP alerts/traps from a destination set containing those routers and forward those to an internal box too....
RE: TFTP publish through to internal server - 13.Feb.2003 7:03:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tolk,
Where is the TFTP client?
Where is the ISA Server?
Where is the TFTP server?
Thanks! Tom
RE: TFTP publish through to internal server - 13.Feb.2003 7:08:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Tom! (Thanks for the amazingly quick response...!) Quick diagram follows. Sorry I neglected to post this info before:
Internet -- Cisco border router (public IP) trying to use 'copy run tftp' -- ISA public IP / private IP -- internal TFTP server.
As mentioned above, once I've tackled this I'll then do the same with trying to get SNMP notifications published from outside through to an internal box.
RE: TFTP publish through to internal server - 13.Feb.2003 7:25:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tolk,
What you'll need to do is use a Server Publishing rule to publish the TFTP server. Now, what's interesting is that TFTP is a UDP-based protocol that uses secondary connections. I don't use TFTP much, so I've not thought about the protocol much, but I guess it shouldn't surprise me, since FTP also uses secondary connections.
And there's the rub. In order to publish servers running complex protocols, you'll either need an application filter or install the Firewall client on the server and then configure the wspcfg.ini file. Check out my article on publishing an FTP server on an alternate port for such a config.
HTH, Tom
RE: TFTP publish through to internal server - 13.Feb.2003 7:49:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Hohum.. Getting closer but no kewpie doll.
First, I created a packet filter for ICMP ping query to the specific IP of that router. Sure enough, I can now ping from the router to the ISA server external IP. No more entries there in the IPPD log.
Next I've created a protocol definition allowing UDP port 69 in/out, a 2nd one allowing TCP port 69 in and a 3rd allowing TCP 69 out.
Finally I've got server publishing rules for both the TCP & UDP protocol definitions I created before, with the outside listening IP and the internal IP of the actual server.
Now, when I try to TFTP from the router on the outside, it seems to try, builds the configuration and then eventually comes up "Writing blahblahfilename.txt ... [Failed]".
When I take a look at the console of the TFTP server on my 'inside host', I can see "Receiving blahblahfile.txt from external.router.ip.address in binary mode" and then a few seconds later "Failed ( Timeout Error )". There is a file saved by the TFTP server (BTW, I'm using Cisco's TFTP Server v1.1) with the correct name but it is zero bytes in size.
I tried altering my packet filters to have secondary connections from port 0 through to 65535 allowed, but that seems to break things even more, as TFTPing from the router then shows "TFTP: Error code 2 received - File cannot be created" and then all sorts of garbage. At this time the TFTP server shows that it has started to receive the file with the correct name, but it just appears to hang there.
As I said above.. I'm close but no kewpie doll just yet... That'll do for today's testing.. I'll have another crack tomorrow.
RE: TFTP publish through to internal server - 13.Feb.2003 9:42:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tolk,
maybe it is a better idea to first find out exactly how the TFTP protocol works. Place the TFTP server outside of ISA and install a good network monitor on it. For a very good and free one, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000062 .
HTH, Stefaan
RE: TFTP publish through to internal server - 17.Feb.2003 6:05:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Has anyone had any joy publishing TFTP servers? 'Cause I'm not having any luck!
I've tried it where the server being published is a SecureNAT client. I've tried it as a Firewall client. I've tried it as both. I've tried with only port 69 on TCP & UDP open, as well as 69 TCP/UDP open with ANY secondary ports.
I've read the appropriate RFC document (RFC 1350) as well as the multitude of documents which are updates to it.
It appears to be the dynamically assigned ports for secondary communication that break things. The "write request" along with the filename is made, the server receives it and tries to respond back via UDP to the same port the request came from. Seemingly easy enough, but that response never seems to make it back. The write request is made twice more and then it eventually gives up..
Traffic flow ------- random source port [A] -> dest. port 69 (client to server); random port [B] -> port [A] (server to client response); and then traffic keeps flowing A <--> B until completed.
I know this is really open, but does anyone have any suggestions? Has anyone succeeded at doing this?
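The flow in the post above (request to port 69, reply from a fresh server port B, then A <-> B) is the "secondary connection" Tom mentions earlier in the thread, and it is exactly what a rule that only knows about UDP/69 cannot follow. The script below is an added example, not code from the thread or from ISA Server: it runs a real RFC 1350 write exchange over loopback (an ephemeral port stands in for UDP/69 so no privileges are needed), records every datagram with its source and destination ports, and then checks that trace against two toy filter models. The filter functions are my abstractions of a port-69-only publishing rule and of what a TFTP-aware application filter would have to track; they are not ISA's implementation.

```python
"""TFTP (RFC 1350) write exchange over loopback plus two toy firewall models.
Added example: the listening socket takes an ephemeral port in place of
UDP/69 so it runs unprivileged; the filters are abstractions, not ISA code."""
import socket
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512   # RFC 1350 data block size; a block shorter than this ends the transfer


def wrq(filename, mode="octet"):
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def ack(block):
    return struct.pack("!HH", ACK, block)


def parse(pkt):
    """Decode one TFTP packet into a tuple that starts with its opcode."""
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        name, mode = pkt[2:].split(b"\0")[:2]
        return op, name.decode(), mode.decode()
    if op in (DATA, ACK, ERROR):
        n = struct.unpack("!H", pkt[2:4])[0]
        return (op, n, pkt[4:]) if op == DATA else (op, n)   # for ERROR, n is the error code
    raise ValueError("unknown opcode %d" % op)


def _udp():
    """Bind a UDP socket on loopback with an OS-chosen port; return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2)
    return s, s.getsockname()[1]


def tftp_put(payload, filename="router-config.txt"):
    """Client writes `payload` to a server on loopback. Returns (trace, received);
    trace entries are (sender, src_port, dst_port, packet) in wire order."""
    listen, server_port = _udp()      # stands in for the published UDP/69 listener
    client, client_port = _udp()      # the client's TID, port "A" in the thread
    trace, received = [], b""
    client.sendto(wrq(filename), ("127.0.0.1", server_port))
    pkt, (_, a) = listen.recvfrom(1500)
    trace.append(("client", a, server_port, pkt))
    # The server answers from a fresh socket, TID "B", and never from :69 again.
    xfer, xfer_port = _udp()
    xfer.sendto(ack(0), ("127.0.0.1", a))
    block, chunk = 0, b""
    while True:
        pkt, (_, b) = client.recvfrom(1500)
        trace.append(("server", b, client_port, pkt))
        assert parse(pkt)[:2] == (ACK, block), "unexpected packet"
        if block and len(chunk) < BLOCK:      # the short final block was acknowledged
            break
        chunk = payload[block * BLOCK:(block + 1) * BLOCK]
        block += 1
        client.sendto(data(block, chunk), ("127.0.0.1", b))
        pkt, (_, a) = xfer.recvfrom(1500)
        trace.append(("client", a, xfer_port, pkt))
        received += parse(pkt)[2]
        xfer.sendto(ack(block), ("127.0.0.1", a))
    for s in (listen, client, xfer):
        s.close()
    return trace, received


def udp69_only(trace, server_port):
    """Model of a publishing rule / packet filter that knows only UDP/69: inbound
    to the listener is allowed, and a reply is allowed only if it comes back from
    that same port. Returns the first datagram it drops, or None."""
    for sender, src, dst, pkt in trace:
        allowed = (sender == "client" and dst == server_port) or \
                  (sender == "server" and src == server_port)
        if not allowed:
            return sender, src, dst, parse(pkt)[:2]
    return None


def tftp_aware(trace, server_port):
    """What a TFTP application filter has to do: take the client TID A from the
    request to :69, accept the server's first reply to A from any port, pin that
    port as server TID B, then allow only A <-> B. Returns the dropped datagrams."""
    a = b = None
    dropped = []
    for sender, src, dst, pkt in trace:
        if sender == "client" and dst == server_port and parse(pkt)[0] in (RRQ, WRQ):
            a, b = src, None
        elif sender == "server" and dst == a and b is None:
            b = src
        elif (sender, src, dst) not in (("client", a, b), ("server", b, a)):
            dropped.append((sender, src, dst))
    return dropped


if __name__ == "__main__":
    config = b"hostname edge-rtr-1\n" * 40       # constructed stand-in for 'copy run tftp' output
    trace, got = tftp_put(config)
    port69 = trace[0][2]
    print("transfer ok:", got == config, "datagrams:", len(trace))
    print("UDP/69-only rule first drops:", udp69_only(trace, port69))
    print("TFTP-aware filter drops:", tftp_aware(trace, port69))
```

Run it and the UDP/69-only model drops the very first server datagram, the ACK 0 sent from port B to port A. That matches the symptoms reported earlier in the thread: the WRQ reaches the server (so the file is created, zero bytes), the server's acknowledgement never gets back, the router retransmits the WRQ a couple of times and then times out. The TFTP-aware model drops nothing because it learns B from the first reply and then pins the A <-> B pair, which is the state an application filter (or an equivalent Firewall-client binding) has to keep on the server's behalf.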
RE: TFTP publish through to internal server - 18.Feb.2003 3:03:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tolk,
Use the firewall client and the wspcfg.ini file config like what we used to have to do with Proxy 2.0. Use the FTP publishing as an example, just change the ports to match what you've found for TFTP.
HTH, Tom
RE: TFTP publish through to internal server - 14.May2003 6:34:00 PM
robinminto
Posts: 3
Joined: 14.May2003
Status: offline
So Tolk, how did you get on?
I've been looking at a very similar problem for what seems like days. I've only just found the separate search for the forums!
Tom, before I go and install the Firewall client on the server, is it going to cause problems? Quoting from yesterday's expert chat: "jbaud3 : No firewall client installed on any server... learned that the hard way"
Robin
RE: TFTP publish through to internal server - 17.May2003 10:38:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,
I can't say this often enough:
NEVER TRY NEW CONFIGURATIONS ON THE PRODUCTION NETWORK WITHOUT TESTING THEM IN THE LAB
If it works in the lab, chances are it will work on the production network. If it doesn't work in the lab, then it definitely will not work on the production network.
HTH, Tom
RE: TFTP publish through to internal server - 19.May2003 1:34:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
G'day Robin,
No.. I ended up giving up... I probably could have got it, using the msplcnt file as Tom suggested... The machine that hosts our TFTP service, however, performs a bunch of other functions (largish SQL server, polling of store network sales) and is mission critical in its use. I just didn't want to screw with it too much, and given that this machine is also highly documented for disaster recovery at an HP warm site, I didn't want to complicate matters for recovery. (In a DR recovery the shit's already hit the fan - why make it harder!)
In the end I decided that, so long as I can telnet to the external device, a) "sho run" to see/save the current config, or "conf m", paste of config, "copy mem run" / reboot, would suffice.
Once I've copied a config, I just save it to the TFTP server's directory anyway so they're all kept together.
RE: TFTP publish through to internal server - 23.May2003 11:00:00 AM
robinminto
Posts: 3
Joined: 14.May2003
Status: offline
Tom,
I totally agree. Perhaps I should have said "before I spend days building and testing an identical server plus the firewall client, what experiences have others had with the firewall client?"
I'm assuming that jbaud3 encountered big problems, "jbaud3 : No firewall client installed on any server... learned that the hard way" but what were they? I'd like to learn from others' experience.
Robin