Re: [fw-wiz] TFTP over vpns



Craig,

I had an instance last week where we were trying to block the reply traffic
from a TFTP server with an ACL (the joys of an exercise in a Cisco course).
What the instructor found was that in one of the RFC's (or similar tech doc)
that some implementations of TFTP servers, although contacted on UDP/69,
answer on udp/XX69. This would get dropped by a firewall tracking the UDP
traffic as it would appear as a new connection rather than a reply to an
existing one.

Hope this helps.

M@
--
"Some things are eternal by nature,
others by consequence"

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Craig
Van Tassle
Sent: Thursday, 15 February 2007 1:45 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] TFTP over vpns

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have tried that. The reason we are using TFTP is for our VOIP phones to
pull
down the config setting upon reboot.

Over all I prefer SCP or SFTP but in this case its not avaliable.

Akash Rao wrote:
Craig,

It is tough to know what might be wrong without checking the logs of the
firewalls. I hope you have tried to telnet to the tftp server on port 69
(default port for tftp) from a client in remote lan and confirmed that
the tftp server is running. Now, try the same test with a client in "my
lan" and confirm the same.

On a seperate note, i would suggest using scp or sftp rather than tftp
to transfer files. Since these are more secure.

Cheers,

Akash

On 2/10/07, * Craig Van Tassle* <craig@xxxxxxxxxxxxx
<mailto:craig@xxxxxxxxxxxxx>> wrote:

I have a couple of remote sites that are using Cisco firewalls for
Lan-Lan vpn.
I have all the proper rules for so I can remote connect to servers
on the other
side, and ping works fine. However I'm trying to use something like
tftp over
from my lan to the remote lan. It does not seem to work. Any ideas?

Thanks
Craig

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
<mailto:firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



------------------------------------------------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0yCCAOTIJ89W4sIRAv5HAJ4rZwHnKZsacxQuCsnGkfVvKWBqQACgkFOj
LHGsDrR0Fip1H3E1Ima4SIk=
=7MNZ
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards