tftp and pix error

trebek · 04-29-2006, 11:58 AM

Hi. I am attempting to copy the running-config on a pix to my machine using tftp. I have configured my computer to use tftp as follows:

# mkdir /tftpboot
# chown nobody:nobody /tftpboot

service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}

/etc/rc.d/init.d/xinetd reload

The command i use to copy the running config is:

copy running-config tftp://x.x.x.x/running-config.cfg

I get either of this two errors:
1. Only absolute filenames allowed
2. Permission denied

How can i get this fixed? I need to make a backup of the pix's configuration. Thanks in advanced for all the help.

scowles · 04-30-2006, 07:41 AM

FWIW: I have never been able to "write/put" to the linux based tftpd, just read. Although, when using the Solarwinds tftpd server on my XP box, I can read/write files without any problems from my cisco routers/switches. If you ever get tftpd writes working, I would like to know the solution. To me, this is a permissions based problem on the directories, but I have even done chmod 777 on /tmp and /tftpboot directories during my tests, but still no cigar.

If you need to backup your cisco device, I would suggest using the tftp client on your linux box and pull/get the startup-config from your cisco device. Thats what I ended up doing at my end (I admin a little over 100 cisco routers/switches). I simply wrote a shell script that loops for each cisco device listed in a variable. Then I added this script to the daily cron job.

scowles · 04-30-2006, 08:37 AM

Oops! Missed the part about the PIX. So my previous reply is probably useless.

In order for me to backup my PIX's, I currently have to use the solarwinds tftp server on my XP box (I know!). I added this step as part of my change control procedures, since I cannot pull the pix startup-config using the shell script that I use for my routers/switches.

FWIW: The following is a copy/paste of my manual process of backing up a PIX device using the solarwinds tftp server:

Code:

pix-idc# sh ver

Cisco PIX Security Appliance Software Version 7.0(2)
Device Manager Version 5.0(1)

Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/pix-702.bin"
Config file at boot was "startup-config"
....
pix-idc# copy startup-config tftp:

Address or name of remote host []? 192.168.32.10

Destination filename [startup-config]?
!!!!!!!
28544 bytes copied in 2.600 secs (14272 bytes/sec)
pix-idc#

Again, if you ever get the linux tftpd server working for writes, I would be interested in the solution. It would be nice to backup the PIX's directly to my linux box where all other cisco device startup-configs are stored.

trebek · 05-01-2006, 03:19 PM

Oh darn, i guess i will have to back it up through windows. But i will not give up. And yes, i have given even chmod 777 and disabled the firewall on linux, to no avail. I followed every step on cisco related material, and nothing seems to work.

I guess i will keep on trying.

Csargent1 · 05-18-2006, 08:49 AM

I ran across this a while back. The problem I had was my TFTP server was configured to only transmit files by default.

spcsys · 05-28-2006, 09:47 PM

Using debian and the regular NSA TFTPD downloaded with apt-get install tftpd, the configuration for TFTPd is held in /etc/inetd.conf. I am not sure where the read or read-write is defined for the running server but the following may help you:

To write a file to the TFPTd server, the file must already exist and have world writable attribute. This where you can control read or read write permissions also...

So:

touch /path/to/tftp/filename.bin
chmod a+rw /path/to/tftp/filename.bin

you mentioned setting the permission on the directory so i assume you would have mentioned the "existing" file's permissions also had you already created it. Hope this helps.

trebek · 12-08-2006, 11:00 AM

Sorry i haven't replied in a while. I am doing it again. I will not stop now until i get it done. I will be trying all these things you have written down here; i will also post back whatever i find, and hopefully, the way to get tftp working with the pix.

I'll keep you guys posted.

Ok, i performed the actions you suggested here. Installed the tftp server, configured /etc/xined.d/tftp, created the file /tftpboot/pix.cfg and gave a+rw permissions to it. I also went into System Settings > Security Level > SELinux and checked the box under 'SELinux Service Protection' that says 'Disable SELinux protection for tftpd daemon'.

I still get:

Code:

Cryptochecksum: 1f7b7f24 2ded26d5 037f7dc6 e11f73ab
!!!!!!!!!!
%Error writing tftp://192.168.220.214//pix.cfg;int=inside (Permission denied)

trebek · 12-08-2006, 11:45 AM

Quote:

Originally Posted by Csargent1

I ran across this a while back. The problem I had was my TFTP server was configured to only transmit files by default.

How did you tell it to not only transmit but receive as well?

acid_kewpie · 12-09-2006, 04:41 PM

looks like the -c option would come in there, to allow brand new files to be created.

ARC1450 · 12-09-2006, 08:52 PM

Quote:

Originally Posted by acid_kewpie

looks like the -c option would come in there, to allow brand new files to be created.

I had the same issue, and that's what I had to do. Poking around in the man files I figured that out.

trebek · 12-10-2006, 12:32 AM

I am not at work right now. But i do believe that the xinetd.conf file does have the -c option along with a -s option, if i remember correctly. I'll check it up as soon as i get back to work.

Thanks, i'll be posting if it works and if it doesn't. Wish me luck and thanks a lot.

trebek · 12-11-2006, 04:37 PM

The /etc/xinetd.d/tftp file i wrote looks like this:

Code:

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
}

Notice that i have the -c option in server_args to make sure i have write privileges. I don't know what else to do.

chort · 12-11-2006, 05:12 PM

Just for kicks, try leaving off the -s so it doesn't expect a relative path? The -s is primarily for compatibility with Sun boot ROMs. It's worth a shot.

trebek · 12-11-2006, 05:17 PM

Code:

Source filename [running-config]?

Address or name of remote host [192.168.220.214]?

Destination filename [pix.cfg;int=inside]?
Cryptochecksum: 1cad74ed d34a66f8 c96a4a09 56890a74
!!!!!!!!!!
%Error writing tftp://192.168.220.214//pix.cfg;int=inside (Forbidden directory)

Dude, this is a different error message; now i have 'forbidden directory'. It did apparently find something deeper than access to the machine itself. Now the problem could be directory permissions. I will 'chmod 777 /tftpboot' to see what happens. I'll post back with the results.

So, nothing changed after performing chmod. I don't know if there is a particular line one has to change in some file to tell it to store in /tftpboot directory. I guess that's gotta be a default path, which i know it is. And the directory has permissions to do anything:
'drwxrwxrwx 2 nobody nobody 4096 Dec 11 16:16 tftpboot'
Could the fact that 'nobody' owns the directory and that user in /etc/xinetd.d/tftp is 'root' be the cuase of this problem?

acid_kewpie · 12-11-2006, 05:20 PM

not tried it myself, but i'd not expect a filename with a ; to be accepted, and wouldn't the second slash before the filename also be grounds to whine?