Using a TFTP Server

Table Of Contents

Using a TFTP Server

Getting a TFTP Server

Obtaining a Windows TFTP Server

Enabling UNIX TFTP Support

Enabling TFTP Access on a Sun Solaris System

Enabling TFTP Access on a Linux System

TFTP Download Error Codes

Determining the IP Address of Your TFTP Server

Windows NT or Windows 2000

Windows 98 or Windows ME

Sun Solaris

Linux


Using a TFTP Server


This appendix describes how to use a TFTP server to access PIX Firewall or PDM images.

This appendix includes the following sections:

Getting a TFTP Server

Determining the IP Address of Your TFTP Server

Getting a TFTP Server

You must have a TFTP server to install the PIX Firewall software. If your computer runs the Windows operating system and you have a CCO login, you can download a TFTP server from Cisco over the Web or by FTP. The UNIX, Solaris, and Linux operating systems include a TFTP server.

This section includes the following topics:

Obtaining a Windows TFTP Server

Enabling UNIX TFTP Support

TFTP Download Error Codes

Obtaining a Windows TFTP Server

You can download the server from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp

Follow these steps to download the server by FTP:


Step 1 Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.

Step 2 You can view the files in the main directory by entering the ls command.

Step 3 Enter the cd cisco command to move to the top level software directory. Then enter the cd tftp command to access the TFTP software directory. Use the ls command to view the directory contents.

Step 4 Use the get command to copy the TFTP executable file to your directory.


The file you download is a self-extracting archive that you can use with Windows 98, Windows ME, Windows NT version 4.0, or Windows 2000. Once the file is stored on your Windows system, double-click it to start the setup program. Then follow the prompts that appear to install the server on your system.

Use the following steps to download an image over TFTP using the monitor command:


Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.

The monitor> prompt appears.

Step 2 If desired, enter a question mark (?) to list the available commands.

Step 3 Use the address command to specify the IP address of the PIX Firewall unit's interface on which the TFTP server resides.

Step 4 Use the server command to specify the IP address of the host running the TFTP server.

Step 5 Use the file command to specify the filename of the PIX Firewall image. In UNIX, the file needs to be world readable for the TFTP server to access it.

Step 6 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

Step 7 If needed, use the ping command to verify accessibility. Use the interface command to specify which interface the ping traffic should use. If the PIX Firewall has only two interfaces, the monitor command defaults to the inside interface. If this command fails, fix access to the server before continuing.

Step 8 Use the tftp command to start the download.

An example follows:

Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 2001
Platform PIX-525
Flash=AT29C040A @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)

Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file pix601.bin
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix601.bin@192.168.1.2................................
Received 626688 bytes

PIX admin loader (3.0) #0: Mon Aug 7 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 6.0.1, Install version 6.0.1

Installing to flash

...



Note You must have an activation (license) key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the Secure Sockets Layer (SSL) protocol.

To obtain a DES (56-bit) license key for the PIX Firewall, use the IPSec 56-bit Customer Registration form. Accessing this form requires prior registration on Cisco.com at http://www.cisco.com/register. However, access to this form does not require a purchase or service contract. You can register as a guest and then proceed to fill out the form. The form is available at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

You must purchase a 3DES (168-bit) license key, or have a service contract, to obtain a 3DES license key. If you have already purchased a 3DES upgrade, and you have your Cisco PIX Firewall 3DES upgrade document with the entitlement number printed on it, you can register your license key for use on your PIX Firewall with the License Registration form. Accessing this form also requires prior registration on Cisco.com at http://www.cisco.com/register. The License Registration form is available at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=301

You must also purchase or have a service contract to download PIX Firewall software.


You can now refer to "Installing PDM on an Existing PIX Firewall Unit" in "Installing PDM on a PIX Firewall" to continue installing PDM.


Note PDM cannot be downloaded via TFTP from the PIX Firewall unit's monitor mode. You must use the copy tftp flash:pdm command described in "Installing PDM on an Existing PIX Firewall Unit" in "Installing PDM on a PIX Firewall."


Enabling UNIX TFTP Support

The procedure for enabling TFTP access on your workstation varies depending on your operating system.

This section contains the following topics:

Enabling TFTP Access on a Sun Solaris System

Enabling TFTP Access on a Linux System

Enabling TFTP Access on a Sun Solaris System

Follow these steps to enable TFTP access on a Sun Solaris system:


Step 1 Log in as root.

Step 2 Add or uncomment the following line in your /etc/inetd.conf file:

Sun Solaris:

tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd  in.tftpd


Step 3 Specify the TFTP directory. By default it is /tftpboot unless you append "-s <directory>" in the previous step. View the in.tftpd man page for more information.

Step 4 Either reboot your system or use the following commands to find the "inetd" process and send it the SIGHUP signal to force it to reread the inetd.conf file:

/bin/ps -ef | grep inetd
kill -1 inetd_process_ID


Enabling TFTP Access on a Linux System

Follow these steps to enable TFTP access on a Linux system:


Note If you use Linux, these steps vary depending on whether you are using "inetd" or "xinetd." If you have the file "/etc/inetd.conf," you are using inetd. RedHat 7.0 uses "xinetd."



Step 1 Log in as root.

Step 2 If you are running Linux with "inetd," add or uncomment the following line in your /etc/inetd.conf file:

tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd

If you are running Linux with "xinetd," edit the /etc/xinetd.d/tftp file as follows:

a. Change the line "disable = yes" to "disable = no."

b. Change the line "user = nobody" to "user = root."

c. If you want to specify a different TFTP directory, replace "/tftpboot" in the line "server_args = -s /tftpboot" with the name of your directory.


Step 3 Enter the following command: /etc/init.d/xinetd restart




TFTP Download Error Codes

During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table 0-1 lists the code values.

For example, random bad blocks appear as follows:

....<11>..<11>.<11>......<11>...

Also, the display may show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

Table 0-1 lists the TFTP error codes.

Table 0-1 Error Code Numeric Values

Error Code   Description
-1           Timeout between the PIX Firewall and TFTP server.
2            The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
3            The received packet was not from the server specified in the server command.
4            The IP header length was not big enough to be a valid TFTP packet.
5            The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
6            The received IP packet's destination address did not match the address specified by the address command.
7            The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.
8            The UDP checksum calculation on the packet failed.
9            An unexpected TFTP code occurred.
10           A TFTP transfer error occurred.
-10          The image file name you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable.
11           A TFTP packet was received out of sequence.


Error codes 9 and 10 cause the download to stop.
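The per-packet checks behind the codes in Table 0-1, as an added example that is not Cisco code: it parses a raw IPv4/UDP/TFTP datagram and returns the table's code for the first check that fails, or None for an in-sequence DATA block. The order of the checks, the parameter names and the constructed test packets are assumptions; only the code values come from the table, and the non-packet conditions -1 (timeout) and -10 (file not found) are not modeled.

```python
import socket, struct

def _ones_sum(data):
    data += b"\0" * (len(data) % 2)                 # pad to an even number of bytes
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:                                  # fold carries back into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return s

def udp_checksum(src, dst, udp):                    # udp has its checksum field zeroed
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(udp))
    return (~_ones_sum(pseudo + udp)) & 0xFFFF or 0xFFFF

def build_datagram(src, dst, sport, dport, opcode, block, payload=b"", proto=17):
    """Constructed test input: IPv4 header + UDP + TFTP DATA(3)/ERROR(5) with a valid UDP checksum."""
    tftp = struct.pack("!HH", opcode, block) + payload
    udp = struct.pack("!HHHH", sport, dport, 8 + len(tftp), 0) + tftp
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def classify(pkt, server, address, local_port, remote_port, expected_block):
    """Return the Table 0-1 code for a received datagram, or None for a good DATA block."""
    if len(pkt) < 20 + 8 + 4:                       # too short for IP + UDP + TFTP opcode/block
        return 2
    if socket.inet_ntoa(pkt[12:16]) != server:      # not from the host given with 'server'
        return 3
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 + 4:          # IP header length inconsistent with the data
        return 4
    if pkt[9] != 17:                                # IP protocol is not UDP
        return 5
    if socket.inet_ntoa(pkt[16:20]) != address:     # not addressed to the interface given with 'address'
        return 6
    udp = pkt[ihl:]
    sport, dport, _, csum = struct.unpack("!HHHH", udp[:8])
    if dport != local_port or sport != remote_port: # UDP port pair does not match
        return 7
    if csum and udp_checksum(server, address, udp[:6] + b"\0\0" + udp[8:]) != csum:
        return 8                                    # UDP checksum failed
    opcode, block = struct.unpack("!HH", udp[8:12])
    if opcode not in (3, 5):                        # neither DATA nor ERROR
        return 9
    if opcode == 5:                                 # server reported a TFTP transfer error
        return 10
    if block != expected_block:                     # DATA block out of sequence
        return 11
    return None
```

Codes 9 and 10 are the two that abort the transfer; every other code here describes a datagram the loader can simply discard while it waits for the expected block.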

Determining the IP Address of Your TFTP Server

Loading a PIX Firewall or PDM image requires you to use TFTP. Before using TFTP, you need to determine the IP address of your computer. When you get the information, write it down for use in the next section on downloading the PDM software.

This section provides the information you need to determine your IP address, and includes the following topics:

Windows NT or Windows 2000

Windows 98 or Windows ME

Sun Solaris

Linux

Windows NT or Windows 2000

Start a DOS window by clicking Start>Programs>Command Prompt. Then enter the ipconfig command as shown in the following example:

C:\>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 209.165.200.225
        Subnet Mask . . . . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . . . . : 10.21.196.33

C:\>

In this example, the IP address of the computer is 209.165.200.225 with a network mask of 255.255.255.224.

Windows 98 or Windows ME

From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and entering the winipcfg command. Windows then displays a graphic user interface listing the IP address information.

Sun Solaris

Use the /sbin/ifconfig -a command to view your IP address, as shown in the following example:

% /sbin/ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000 
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255

In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224, as displayed in the last line of the example. (ffffffe0 is the hexadecimal equivalent to 255.255.255.224.)

Linux

Use the /sbin/ifconfig command to view your IP address, as shown in the following example:

% /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225 Bcast:209.165.200.255 
Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:10 Base address:0x3000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224, as displayed in the third and fourth lines of the example. The remainder of the display provides information on the status of data transmission through the computer.