
                       APPENDIX B
                       Using a TFTP Server

                       This appendix describes how to use a TFTP server to access PIX Firewall or PDM images.
                       This appendix includes the following sections:
                        •   Getting a TFTP Server
                        •   Determining the IP Address of Your TFTP Server



Getting a TFTP Server
                       You must have a TFTP server to install the PIX Firewall software. If your computer runs the Windows
                       operating system and you have a CCO login, you can download a TFTP server from Cisco from the Web
                       or by FTP. The UNIX, Solaris, and Linux operating systems contain a TFTP server.
                       This section includes the following topics:
                        •   Obtaining a Windows TFTP Server
                        •   Enabling UNIX TFTP Support
                        •   TFTP Download Error Codes


Obtaining a Windows TFTP Server
                       You can download the server from the following website:
                       http://www.cisco.com/cgi-bin/tablebuild.pl/tftp
                       Follow these steps to download the server by FTP:


              Step 1   Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.
              Step 2   You can view the files in the main directory by entering the ls command.
              Step 3   Enter the cd cisco command to move to the top level software directory. Then enter the cd tftp command
                       to access the TFTP software directory. Use the ls command to view the directory contents.
              Step 4   Use the get command to copy the TFTP executable file to your directory.




                                                                           Cisco PIX Device Manager Installation Guide
78-13075-01                                                                                                              B-1
                                                                                            Appendix B   Using a TFTP Server
Getting a TFTP Server




                    The file you download is a self-extracting archive that you can use with Windows 98, Windows ME,
                    Windows NT version 4.0, or Windows 2000. Once the file is stored on your Windows system,
                    double-click it to start the setup program. Then follow the prompts that appear to install the server on
                    your system.
                    Use the following steps to download an image over TFTP using the monitor command:


          Step 1    Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK
                    character or press the Esc (Escape) key.
                    The monitor> prompt appears.
          Step 2    If desired, enter a question mark (?) to list the available commands.
          Step 3    Use the address command to specify the IP address of the PIX Firewall unit’s interface on which the
                    TFTP server resides.
          Step 4    Use the server command to specify the IP address of the host running the TFTP server.
          Step 5    Use the file command to specify the filename of the PIX Firewall image. In UNIX, the file needs to be
                    world readable for the TFTP server to access it.
          Step 6    If needed, enter the gateway command to specify the IP address of a router gateway through which the
                    server is accessible.
          Step 7    If needed, use the ping command to verify accessibility. Use the interface command to specify which
                    interface the ping traffic should use. If the PIX Firewall has only two interfaces, the monitor command
                    defaults to the inside interface. If this command fails, fix access to the server before continuing.
          Step 8    Use the tftp command to start the download.








                      An example follows:
                      Rebooting....
                      PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 2001
                      Platform PIX-525
                      Flash=AT29C040A @ 0x300

                      Use BREAK or ESC to interrupt flash boot.
                      Use SPACE to begin flash boot immediately.
                      Flash boot interrupted.
                      0: i8255X @ PCI(bus:0 dev:13 irq:11)
                      1: i8255X @ PCI(bus:0 dev:14 irq:10)

                      Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
                      Use ? for help.
                      monitor> addr 192.168.1.1
                      address 192.168.1.1
                      monitor> serv 192.168.1.2
                      server 192.168.1.2
                      monitor> file pix601.bin
                      file cdisk
                      monitor> ping 192.168.1.2
                      Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5)
                      monitor> tftp
                      tftp pix601.bin@192.168.1.2................................
                      Received 626688 bytes

                      PIX admin loader (3.0) #0: Mon Aug 7 10:43:02 PDT 1999
                      Flash=AT29C040A @ 0x300
                      Flash version 6.0.1, Install version 6.0.1

                      Installing to flash
                      …




              Note    You must have an activation (license) key that enables Data Encryption Standard (DES) or the more
                      secure 3DES, which PDM requires for support of the Secure Socket Layer (SSL) protocol.

                      To obtain a DES (56-bit) license key for the PIX Firewall, use the IPSec 56-bit Customer Registration
                      form. Accessing this form requires prior registration on Cisco.com at
                      http://www.cisco.com/register. However, access to this form does not require a purchase or service
                      contract. You can register as a guest and then proceed to fill out the form. The form is available at
                      the following website:

                      http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

                      You must purchase a 3DES (168-bit) license key, or have a service contract, to obtain a 3DES license
                      key. If you have already purchased a 3DES upgrade, and you have your Cisco PIX Firewall 3DES
                      upgrade document with the entitlement number printed on it, you can register your license key for
                      use on your PIX Firewall with the License Registration form. Accessing this form also requires prior
                      registration on Cisco.com at http://www.cisco.com/register. The License Registration form is
                      available at the following website:








                    http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=301

                    You must also purchase or have a service contract to download PIX Firewall software.

                    You can now refer to “Installing PDM on an Existing PIX Firewall Unit” in Chapter 1, “Installing PDM
                    on a PIX Firewall” to continue installing PDM.


           Note     PDM cannot be downloaded via TFTP from the PIX Firewall unit’s monitor mode. You must use the
                    copy tftp flash:pdm command described in “Installing PDM on an Existing PIX Firewall Unit” in
                    Chapter 1, “Installing PDM on a PIX Firewall.”








Enabling UNIX TFTP Support
                        The procedure for enabling TFTP access on your workstation varies depending on your operating
                        system.
                        This section contains the following topics:
                         •    Enabling TFTP Access on a Sun Solaris System
                         •    Enabling TFTP Access on a Linux System


Enabling TFTP Access on a Sun Solaris System
                        Follow these steps to enable TFTP access on a Sun Solaris system:


               Step 1   Log in as root.
               Step 2   Add or uncomment the following line in your /etc/inetd.conf file:
                        Sun Solaris:
                        tftp       dgram    udp      wait      root     /usr/sbin/in.tftpd        in.tftpd


               Step 3   Specify the TFTP directory. By default it is /tftpboot unless you append “-s <directory>” in the previous
                        step. View the in.tftpd man page for more information.
               Step 4   Either reboot your system or use the following commands to find the “inetd” process and send it the
                        SIGHUP signal to force it to reread the inetd.conf file:
                        /bin/ps -ef | grep inetd
                        kill -1 inetd_process_ID




Enabling TFTP Access on a Linux System
                        Follow these steps to enable TFTP access on a Linux system:


                Note    If you use Linux, these steps vary depending on whether you are using “inetd” or “xinetd.” If you
                        have the file “/etc/inetd.conf,” you are using inetd. RedHat 7.0 uses “xinetd.”


               Step 1   Log in as root.
               Step 2   If you are running Linux with “inetd,” add or uncomment the following line in your /etc/inetd.conf file:
                        tftp       dgram    udp      wait      root     /usr/sbin/tcpd      in.tftpd

                        If you are running Linux with “xinetd,” edit the /etc/xinetd.d/tftp file as follows:
                         a.   Change the line “disable = yes” to “disable = no.”
                         b.   Change the line “user = nobody” to “user = root.”
                         c.   If you want to specify a different TFTP directory, replace “/tftpboot” in the line “server_args = -s
                              /tftpboot” with the name of your directory.








           Step 3    Enter the following command: /etc/init.d/xinetd restart
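
The checks implied by the xinetd steps above and by error code -10, as an added example that is not part of the Cisco guide: it reads a constructed copy of /etc/xinetd.d/tftp, finds the directory given with -s, and reports whether the image would be served. The function names, the sample file contents and the world-writable check are assumptions of this example; TFTP has no authentication, so file permissions are the only control on what the server hands out.

```python
import os
import re
import stat

# Constructed sample of /etc/xinetd.d/tftp after the edits in Step 2.
SAMPLE_XINETD_TFTP = """\
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = no
}
"""


def parse_xinetd_service(text):
    """Return the 'key = value' attributes of one xinetd service block."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def tftp_root(attrs, default="/tftpboot"):
    """Directory given with -s in server_args, else the default the page names."""
    args = attrs.get("server_args", "").split()
    if "-s" in args and args.index("-s") + 1 < len(args):
        return args[args.index("-s") + 1]
    return default


def preflight(config_text, image_name, root_override=None):
    """List the problems that would stop the PIX from fetching image_name."""
    attrs = parse_xinetd_service(config_text)
    problems = []
    if attrs.get("disable", "no") != "no":
        problems.append("service disabled (disable = yes)")
    # root_override lets the check run against a staging copy of the directory.
    root = root_override or tftp_root(attrs)
    path = os.path.join(root, image_name.lstrip("/"))
    if not os.path.isfile(path):
        problems.append("image not found: " + path)
        return problems
    mode = os.stat(path).st_mode
    if not mode & stat.S_IROTH:
        problems.append("image is not world readable (error -10 on the PIX)")
    if mode & stat.S_IWOTH:
        problems.append("image is world writable; any local user could alter it")
    return problems
```

An empty list from preflight() means the image passed every check; run it before starting the tftp command in monitor mode.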




TFTP Download Error Codes
                     During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software
                     downloads. The error code appears inside angle brackets. Table 0-1 lists the code values.
                     For example, random bad blocks appear as follows:
                     ....<11>..<11>.<11>......<11>...

                     Also, the display may show “A” and “T” for ARP and timeouts, respectively. Receipt of non-IP packets
                     causes the protocol number to display inside parentheses.
                     Table 0-1 lists the TFTP error codes.

                     Table 0-1    Error Code Numeric Values

                         Error
                         Code    Description
                         -1      Timeout between the PIX Firewall and TFTP server.
                         2       The packet length as received from the Ethernet device was not big enough to be a valid
                                 TFTP packet.
                         3       The received packet was not from the server specified in the server command.
                         4       The IP header length was not big enough to be a valid TFTP packet.
                         5       The IP protocol type on the received packet was not UDP, which is the underlying protocol
                                 used by TFTP.
                         6       The received IP packet's destination address did not match the address specified by the
                                 address command.
                         7       The UDP ports on either side of the connection did not match the expected values. This
                                 means either the local port was not the previously selected port, or the foreign port was not
                                 the TFTP port, or both.
                         8       The UDP checksum calculation on the packet failed.
                         9       An unexpected TFTP code occurred.
                         10      A TFTP transfer error occurred.
                         -10     The image file name you specified cannot be found. Check the spelling of the filename and
                                 that permissions permit the TFTP server to access the file. In UNIX, the file needs to be
                                 world readable.
                         11      A TFTP packet was received out of sequence.

                     Error codes 9 and 10 cause the download to stop.
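
A decoder for the progress display described above, as an added example that is not part of the Cisco guide. It assumes negative codes are also printed inside angle brackets and keeps the parenthesised protocol number as text; the function names are this example's own.

```python
import re
from collections import Counter

# Table 0-1 from this appendix, descriptions shortened.
ERROR_CODES = {
    -1: "timeout between the PIX Firewall and TFTP server",
    2: "frame too short to be a valid TFTP packet",
    3: "packet not from the host given in the server command",
    4: "IP header too short to be a valid TFTP packet",
    5: "IP protocol type was not UDP",
    6: "destination did not match the address command",
    7: "UDP ports did not match the expected values",
    8: "UDP checksum failed",
    9: "unexpected TFTP code",
    10: "TFTP transfer error",
    -10: "image file not found or not readable by the TFTP server",
    11: "TFTP packet received out of sequence",
}
FATAL = {9, 10}  # per the page, these two stop the download

# "tftp <file>@<server>" echo that precedes the progress characters.
PREFIX = re.compile(r"^tftp \S+?@\d{1,3}(?:\.\d{1,3}){3}")
# One progress token: dot, <code>, (protocol), A (ARP) or T (timeout).
TOKEN = re.compile(r"(\.)|<(-?\d+)>|\(([^)]*)\)|(A)|(T)")


def decode_progress(line):
    """Count each kind of event in one monitor-mode TFTP progress line."""
    line = PREFIX.sub("", line.strip())
    out = {"dots": 0, "arp": 0, "timeouts": 0, "errors": Counter(),
           "non_ip": Counter(), "fatal": False, "unparsed": ""}
    pos = 0
    for m in TOKEN.finditer(line):
        out["unparsed"] += line[pos:m.start()]
        pos = m.end()
        dot, err, proto, arp, tmo = m.groups()
        if dot:
            out["dots"] += 1
        elif err is not None:
            code = int(err)
            out["errors"][code] += 1
            out["fatal"] = out["fatal"] or code in FATAL
        elif proto is not None:
            out["non_ip"][proto] += 1  # kept as text; number base is not stated
        elif arp:
            out["arp"] += 1
        else:
            out["timeouts"] += 1
    out["unparsed"] += line[pos:]
    return out


def describe(out):
    """Human-readable lines for the error codes seen, most frequent first."""
    return ["%d x <%d> %s%s" % (n, code, ERROR_CODES.get(code, "not in Table 0-1"),
                                 " (stops the download)" if code in FATAL else "")
            for code, n in out["errors"].most_common()]
```

Repeated <3>, <6> or <7> entries mean packets are arriving from a host, to an address, or on ports other than the ones configured in monitor mode, which is worth investigating on the segment before retrying.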








Determining the IP Address of Your TFTP Server
                       Loading a PIX Firewall or PDM image requires you to use TFTP. Before using TFTP, you need to
                       determine the IP address of your computer. When you get the information, write it down for use in the
                       next section on downloading the PDM software.
                       This section provides the information you need to determine your IP address, and includes the following
                       topics:
                        •   Windows NT or Windows 2000
                        •   Windows 98 or Windows ME
                        •   Sun Solaris
                        •   Linux


Windows NT or Windows 2000
                       Start a DOS window by clicking Start>Programs>Command Prompt. Then enter the ipconfig
                       command as shown in the following example:
                       C:\>ipconfig

                       Windows 2000 IP Configuration

                       Ethernet adapter Local Area Connection:

                                 Connection-specific DNS Suffix  . :
                                 IP Address. . . . . . . . . . . . : 209.165.200.225
                                 Subnet Mask . . . . . . . . . . . : 255.255.255.224
                                 Default Gateway . . . . . . . . . : 10.21.196.33

                       C:\>

                       In this example, the IP address of the computer is 209.165.200.225 with a network mask of
                       255.255.255.224.


Windows 98 or Windows ME
                       From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and
                       entering the winipcfg command. Windows then displays a graphic user interface listing the IP address
                       information.


Sun Solaris
                       Use the /sbin/ifconfig -a command to view your IP address, as shown in the following example:
                       % /sbin/ifconfig -a
                       lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
                               inet 127.0.0.1 netmask ff000000
                       hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
                               inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255

                       In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224, as
                       displayed in the last line of the example. (ffffffe0 is the hexadecimal equivalent to 255.255.255.224.)






Linux
                     Use the /sbin/ifconfig command to view your IP address, as shown in the following example:
                     % /sbin/ifconfig
                     eth0      Link encap:Ethernet HWaddr 00:D0:B7:5D:C0:56
                               inet addr:209.165.200.225 Bcast:209.165.200.255
                     Mask:255.255.255.224
                               UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
                               RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
                               TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
                               collisions:0 txqueuelen:100
                               Interrupt:10 Base address:0x3000

                     lo           Link encap:Local Loopback
                                  inet addr:127.0.0.1 Mask:255.0.0.0
                                  UP LOOPBACK RUNNING MTU:3924 Metric:1
                                  RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
                                  TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
                                  collisions:0 txqueuelen:0

                     In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224,
                     as displayed in the third and fourth lines of the example. The remainder of the display provides
                     information on the status of data transmission through the computer.



