Using a TFTP Server
This appendix describes how to use a TFTP server to access PIX Firewall or PDM images and includes the following sections:
• Installing a TFTP Server
• Determining the IP Address of Your TFTP Server
Installing a TFTP Server
You must have a TFTP server to install the PIX Firewall software. If your computer runs the Windows operating system and you are a registered Cisco.com user, you can download a TFTP server from Cisco.com or by FTP. The UNIX, Solaris, and Linux operating systems contain a TFTP server.
You must have an activation key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the Secure Socket Layer (SSL) protocol. If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following website: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
This section includes the following topics:
• Obtaining a Windows TFTP Server
• Enabling UNIX TFTP Support
• TFTP Download Error Codes
Obtaining a Windows TFTP Server
You can download the TFTP server from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp
Or, follow these steps to download the server by FTP:
Step 1 Start your FTP client and connect to ftp.cisco.com. (Enter your Cisco.com username and password.)
Step 2 You can view the files in the main directory by entering the ls command.
Step 3 Enter cd cisco to move to the top-level software directory.
Step 4 Enter cd web and then cd tftp to access the TFTP software directory.
Step 5 Enter ls to view the directory contents.
Step 6 Enter get to copy the TFTP executable file to your directory.
The file you download is a self-extracting archive that you can use with Windows 98, Windows ME, Windows NT version 4.0, Windows 2000, or Windows XP. Once the file is stored on your Windows system, double-click it to start the setup program. Then follow the prompts that appear to install the server on your system.
Enabling UNIX TFTP Support
The procedure for enabling TFTP access on your workstation varies depending on your operating system.
This section contains the following topics:
• Enabling TFTP Access on a Sun Solaris System
• Enabling TFTP Access on a Linux System
Enabling TFTP Access on a Sun Solaris System
Follow these steps to enable TFTP access on a Sun Solaris system:
Step 1 Log in as root.
Step 2 Add or uncomment the following line in your /etc/inetd.conf file:
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd
Step 3 Specify the TFTP directory. By default it is /tftpboot unless you append "-s <directory>" in the previous step. View the in.tftpd man page for more information.
Step 4 Either reboot your system or use the following commands to find the "inetd" process and send it the SIGHUP signal to force it to reread the inetd.conf file:
Enabling TFTP Access on a Linux System
Follow these steps to enable TFTP access on a Linux system:
Note: If you use Linux, these steps vary depending on whether you are using "inetd" or "xinetd." If you have the file "/etc/inetd.conf," you are using inetd. Red Hat 7.0 uses "xinetd."
Step 1 Log in as root.
Step 2 If you are running Linux with "inetd," add or uncomment the following line in your /etc/inetd.conf file:
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
If you are running Linux with "xinetd," edit the /etc/xinetd.d/tftp file as follows:
a. Change the line "disable = yes" to "disable = no."
b. Change the line "user = nobody" to "user = root."
c. If you want to specify a different TFTP directory, replace "/tftpboot" in the line "server_args = -s /tftpboot" with the name of your directory.
Step 3 Enter the following command:
/etc/init.d/xinetd restart
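The following added example is not part of the original Cisco documentation. It reads back the three settings edited in Step 2 and checks that an image file is world readable, which is the permission problem that Table A-1 lists under error code -10. The function names, the sample xinetd file, and the image file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco's: read back the settings edited in Step 2 and
# check that an image is world readable (see error code -10 in Table A-1).
# Function names and the sample file are constructed for illustration.

# xinetd_value FILE KEY -> value of the last "KEY = value" line in FILE
xinetd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# tftp_root FILE -> directory that follows -s in server_args, else /tftpboot
tftp_root() {
    dir=$(xinetd_value "$1" server_args |
        sed -n 's/.*-s[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p')
    echo "${dir:-/tftpboot}"
}

# tftp_enabled FILE -> success if the file says "disable = no"
tftp_enabled() {
    [ "$(xinetd_value "$1" disable)" = "no" ]
}

# world_readable PATH -> success if the "other" read bit is set
world_readable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# Constructed stand-in for /etc/xinetd.d/tftp after Step 2, a through c.
work=$(mktemp -d)
cat > "$work/tftp" <<'EOF'
service tftp
{
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = no
}
EOF
: > "$work/image.bin"; chmod 600 "$work/image.bin"   # constructed image file
if tftp_enabled "$work/tftp"; then echo "tftp enabled"; else echo "tftp disabled"; fi
echo "runs as: $(xinetd_value "$work/tftp" user), serves: $(tftp_root "$work/tftp")"
if world_readable "$work/image.bin"; then echo "image readable"
else echo "image not world readable: see error code -10"; fi
rm -rf "$work"
```

To check a real system, call the functions with /etc/xinetd.d/tftp and the path of the image file in your TFTP directory.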
TFTP Download Error Codes
PDM cannot be downloaded via TFTP from the PIX Firewall unit's monitor mode. You must use the copy tftp flash:pdm command described in "Installing PDM on a PIX Firewall."
During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table A-1 lists the code values.
For example, random bad blocks appear as follows:
....<11>..<11>.<11>......<11>...
Also, the display may show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.
Table A-1 TFTP Error Code Numeric Values
| Error Code | Description |
|---|---|
| -1 | Timeout between the PIX Firewall and TFTP server. |
| 2 | The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet. |
| 3 | The received packet was not from the server specified in the server command. |
| 4 | The IP header length was not big enough to be a valid TFTP packet. |
| 5 | The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP. |
| 6 | The received IP packet's destination address did not match the address specified by the address command. |
| 7 | The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both. |
| 8 | The UDP checksum calculation on the packet failed. |
| 9 | An unexpected TFTP code occurred. |
| 10 | A TFTP transfer error occurred. |
| -10 | The image filename you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable. |
| 11 | A TFTP packet was received out of sequence. |
Error codes 9 and 10 cause the download to stop.
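The progress display described above can be decoded mechanically. The following is an added example, not part of the original Cisco documentation; the function names are hypothetical, the descriptions are abridged from Table A-1, and the sample display is constructed from the one shown in the text.

```shell
#!/bin/sh
# Added example: decode the progress display printed during a TFTP download.
# Descriptions are abridged from Table A-1; function names are hypothetical.

# tftp_codes DISPLAY -> one error code per line, in order of appearance
tftp_codes() {
    printf '%s\n' "$1" | tr '<' '\n' |
        sed -n 's/^\(-\{0,1\}[0-9]\{1,\}\)>.*/\1/p'
}

# tftp_describe CODE -> short description taken from Table A-1
tftp_describe() {
    case "$1" in
        -1)  echo "timeout between PIX Firewall and TFTP server" ;;
        2)   echo "packet too short to be a valid TFTP packet" ;;
        3)   echo "packet not from the configured server" ;;
        4)   echo "IP header too short" ;;
        5)   echo "IP protocol was not UDP" ;;
        6)   echo "destination address mismatch" ;;
        7)   echo "unexpected UDP port" ;;
        8)   echo "UDP checksum failed" ;;
        9)   echo "unexpected TFTP code" ;;
        10)  echo "TFTP transfer error" ;;
        -10) echo "image file not found or not readable" ;;
        11)  echo "TFTP packet out of sequence" ;;
        *)   echo "not listed in Table A-1" ;;
    esac
}

# tftp_fatal DISPLAY -> success if a code that stops the download (9 or 10) appears
tftp_fatal() {
    tftp_codes "$1" | grep -q -x -e 9 -e 10
}

# tftp_summary DISPLAY -> one "count x <code> description" line per distinct code
tftp_summary() {
    tftp_codes "$1" | sort -n | uniq -c | while read -r count code; do
        echo "$count x <$code> $(tftp_describe "$code")"
    done
}

# Constructed sample: the display from the text with one fatal code appended.
sample='....<11>..<11>.<11>......<11>...<10>'
tftp_summary "$sample"
if tftp_fatal "$sample"; then echo "download stopped by a fatal error"; fi
```

Only whole-number codes inside angle brackets are counted, so the "A" and "T" markers and protocol numbers in parentheses are ignored, and -10 is not treated as 10.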
Determining the IP Address of Your TFTP Server
Loading a PIX Firewall or PDM image requires you to use TFTP. Before using TFTP, you need to determine the IP address of your computer. When you get the information, write it down for use in the "Installing PDM on a PIX Firewall" section on downloading the PDM software.
This section provides the information you need to determine your IP address, and includes the following topics:
• Windows NT, Windows 2000, or Windows XP
• Windows 98 or Windows ME
• Sun Solaris
• Linux
Windows NT, Windows 2000, or Windows XP
On a Windows workstation, click Start>Accessories>Command Prompt to launch the Windows command-line interface and then enter the ipconfig command as shown in the following example:
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 209.165.200.225
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 10.21.196.33
In this example, the IP address of the computer is 209.165.200.225 with a network mask of 255.255.255.224.
Windows 98 or Windows ME
From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and entering the winipcfg command. Windows then displays a graphical user interface (GUI) listing the IP address information.
Sun Solaris
Enter the /sbin/ifconfig -a command to view your IP address, as shown in the following example:
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255
In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224. (ffffffe0 is the hexadecimal equivalent of 255.255.255.224.)
Linux
Enter the /sbin/ifconfig command to view your IP address, as shown in the following example:
eth0 Link encap:Ethernet HWaddr 00:D0:B7:5D:C0:56
inet addr:209.165.200.225 Bcast:209.165.200.255 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0x3000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224, as displayed in the example. The remainder of the display provides information on the status of data transmission through the computer.