RE: TFTP "inbound"...
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 21 Dec 2005 09:18:01 -0600
Hi William,
There is no TFTP Server protocol definition. If you have a route
relationship between source and destination, then you can use an Access
Rule.
Check my blog regarding TFTP and how wickedly stupid Syphco is for using
it for anything other than a point of derision.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Wednesday, December 21, 2005 3:45 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP "inbound"...
>
> http://www.ISAserver.org
>
>
> That's the funny thing Jim, the PF says it is allowed, but
> I'm not seeing
> the request getting to my TFTP server... My FW log says the following:
>
> <Published TFTP IP>, -, -, N, 12/20/2005, 16:32:41, fwsrv,
> <ISA Firewall>,
> -, -, -, 69, 1055266, 0, 40, 69, UDP, Bind, -, -, -, 20000, 0, pubTFTP
> Server, -, 525701, 4304420
>
> As far as I know, "20000" means that the connection was
> established... yet I
> don't see anything on my TFTP server. Do you believe that the
> logs show
> everything from a firewalling perspective is in order, and
> that I should
> tell the Network Admins to look at their TFTP server?
>
> Have I gone about this the right way by actually publishing
> the TFTP server?
>
>
> My PIX implicitly trusts any traffic that originates from my
> ISA, so there
> are no apparent issues between the 2.
>
> Thanks
> William R.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: 21 December 2005 08:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP "inbound"...
>
> http://www.ISAserver.org
>
> Your PF log says "allowed" - I don't see a problem here?
> Do you have any entries between the PIX and the ISA that say
> "blocked"?
> What does the FW log say about that traffic?
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, December 20, 2005 10:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] TFTP "inbound"...
>
> http://www.ISAserver.org
>
>
> Hi there
>
> I have a PIX firewall on my outside interface of the ISA firewall, and
> am
> trying to enable the PIX to TFTP "in" to a server inside my
> network, and
> fetch firmware updates etc.
>
> As I have it, TFTP works on TCP69, but I can't quite get this problem
> solved. Not quite sure if secondary connections are required etc.
>
> What I have done so far is to publish the TFTP server on my ISA
> Firewall,
> using a TFTP protocol definition that looks like this:
> Port: 69
> Protocol: UDP
> Direction: ReceiveSend
>
> What I can see is that when I enable the "Log Allow packets" on my
> Packet
> Filter service, I can then see the inbound request to my ISA Firewall,
> thus
> implying the request from the PIX firewall is definitely getting to my
> ISA.
> Here is the excerpt from my Packet Filter log:
> 12/20/2005, 16:28:06, <PIX IP>, <ISA External IP>, Udp, 12345, 69, -,
> ALLOWED, <ISA External IP>, -, -
>
> Can someone please offer some advice on how to resolve this?
>
> Thanks
> William R.
>
>
>
> ---------------------------------------------------------------------
> Everything in this e-mail and attachments relating to the official
> business of Columbus Stainless is proprietary to the company. It is
> confidential, legally privileged and protected by law. Columbus
> Stainless does not own and endorse any other content. Views and
> opinions are those of the sender unless clearly stated as being that
> of Columbus Stainless. The person addressed in the e-mail is the sole
> authorised recipient. Please notify the sender immediately if it has
> unintentionally reached you and do not read, disclose or use the
> content in any way. Whilst all reasonable steps are taken to ensure
> the accuracy and integrity of information and data transmitted
> electronically and to preserve the confidentiality thereof, no
> liability or responsibility whatsoever is accepted if information or
> data is, for whatever reason, corrupted or does not reach its intended
> destination.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> robertson.william@xxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
> ---------------------------------------------------------------------
> Everything in this e-mail and attachments relating to the official
> business of Columbus Stainless is proprietary to the company. It is
> confidential, legally privileged and protected by law. Columbus
> Stainless does not own and endorse any other content. Views and
> opinions are those of the sender unless clearly stated as being that
> of Columbus Stainless. The person addressed in the e-mail is the sole
> authorised recipient. Please notify the sender immediately if it has
> unintentionally reached you and do not read, disclose or use the
> content in any way. Whilst all reasonable steps are taken to ensure
> the accuracy and integrity of information and data transmitted
> electronically and to preserve the confidentiality thereof, no
> liability or responsibility whatsoever is accepted if information or
> data is, for whatever reason, corrupted or does not reach its intended
> destination.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
