Appendix A, Using a TFTP Server

Using a TFTP Server


This appendix describes how to use a TFTP server to access PIX Firewall or PDM images and includes the following sections:

Installing a TFTP Server

Determining the IP Address of Your TFTP Server

Installing a TFTP Server

You must have a TFTP server to install the PIX Firewall software. If your computer runs the Windows operating system and you are a registered Cisco.com user, you can download a TFTP server from Cisco.com or by FTP. The UNIX, Solaris, and Linux operating systems contain a TFTP server.

You must have an activation key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the Secure Socket Layer (SSL) protocol. If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following website: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

This section includes the following topics:

Obtaining a Windows TFTP Server

Enabling UNIX TFTP Support

TFTP Download Error Codes

Obtaining a Windows TFTP Server

You can download the TFTP server from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp

Or, follow these steps to download the server by FTP:


Step 1 Start your FTP client and connect to ftp.cisco.com. (Enter your Cisco.com username and password.)

Step 2 You can view the files in the main directory by entering the ls command.

Step 3 Enter cd cisco to move to the top-level software directory.

Step 4 Enter cd web and then cd tftp to access the TFTP software directory.

Step 5 Enter ls to view the directory contents.

Step 6 Enter get to copy the TFTP executable file to your directory.


The file you download is a self-extracting archive that you can use with Windows 98, Windows ME, Windows NT version 4.0, Windows 2000, or Windows XP. Once the file is stored on your Windows system, double-click it to start the setup program. Then follow the prompts that appear to install the server on your system.

Enabling UNIX TFTP Support

The procedure for enabling TFTP access on your workstation varies depending on your operating system.

This section contains the following topics:

Enabling TFTP Access on a Sun Solaris System

Enabling TFTP Access on a Linux System

Enabling TFTP Access on a Sun Solaris System

Follow these steps to enable TFTP access on a Sun Solaris system:


Step 1 Log in as root.

Step 2 Add or uncomment the following line in your /etc/inetd.conf file:

tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd  in.tftpd

Step 3 Specify the TFTP directory. By default it is /tftpboot unless you append "-s <directory>" in the previous step. View the in.tftpd man page for more information.

Step 4 Either reboot your system or use the following commands to find the "inetd" process and send it the SIGHUP signal to force it to reread the inetd.conf file:

/bin/ps -ef | grep inetd
kill -1 inetd_process_ID


Enabling TFTP Access on a Linux System

Follow these steps to enable TFTP access on a Linux system:


Note If you use Linux, these steps vary depending on whether you are using "inetd" or "xinetd." If you have the file "/etc/inetd.conf," you are using inetd. RedHat 7.0 uses "xinetd."



Step 1 Log in as root.

Step 2 If you are running Linux with "inetd," add or uncomment the following line in your /etc/inetd.conf file:

tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd

If you are running Linux with "xinetd," edit the /etc/xinetd.d/tftp file as follows:

a. Change the line "disable = yes" to "disable = no."

b. Change the line "user = nobody" to "user = root."

c. If you want to specify a different TFTP directory, replace "/tftpboot" in the line "server_args = -s /tftpboot" with the name of your directory.

Step 3 Enter the following command:

/etc/init.d/xinetd restart
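The xinetd settings changed in steps a through c, together with the file conditions behind error code -10 in Table A-1, can be checked before a download is attempted. The following is an added example, not part of the original guide: the stanza in SAMPLE is constructed, image.bin is a hypothetical image filename, and the function names are illustrative.

```python
import os
import stat

# Constructed sample of /etc/xinetd.d/tftp before steps a-c are applied.
SAMPLE = """service tftp
{
    user        = nobody
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = yes
}
"""

def parse_xinetd_service(text):
    """Return the key = value attributes of one xinetd service stanza."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def tftp_root(attrs, default="/tftpboot"):
    """Directory that follows -s in server_args, else the default."""
    args = attrs.get("server_args", "").split()
    if "-s" in args and args.index("-s") + 1 < len(args):
        return args[args.index("-s") + 1]
    return default

def preflight(attrs, image_name, root=None):
    """List the reasons a download of image_name would fail."""
    problems = []
    if attrs.get("disable", "no") != "no":
        problems.append("service disabled: set disable = no (step a)")
    if attrs.get("user") != "root":
        problems.append("user is not root (step b)")
    root = root or tftp_root(attrs)
    path = os.path.join(root, image_name)
    if not os.path.isfile(path):
        problems.append(f"{path} not found (error -10)")
    elif not os.stat(path).st_mode & stat.S_IROTH:
        problems.append(f"{path} not world readable (error -10)")
    return problems

if __name__ == "__main__":
    # image.bin is a hypothetical filename; substitute the real image name.
    for problem in preflight(parse_xinetd_service(SAMPLE), "image.bin"):
        print("FAIL:", problem)
```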


TFTP Download Error Codes

PDM cannot be downloaded via TFTP from the PIX Firewall unit's monitor mode. You must use the copy tftp flash:pdm command described in "Installing PDM on a PIX Firewall."

During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table A-1 lists the code values.

For example, random bad blocks appear as follows:

....<11>..<11>.<11>......<11>...

Also, the display may show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

Table A-1 TFTP Error Code Numeric Values 

Error Code   Description
-1           Timeout between the PIX Firewall and TFTP server.
2            The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
3            The received packet was not from the server specified in the server command.
4            The IP header length was not big enough to be a valid TFTP packet.
5            The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
6            The received IP packet's destination address did not match the address specified by the address command.
7            The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.
8            The UDP checksum calculation on the packet failed.
9            An unexpected TFTP code occurred.
10           A TFTP transfer error occurred.
-10          The image filename you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable.
11           A TFTP packet was received out of sequence.

Error codes 9 and 10 cause the download to stop.
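A captured progress display can be tallied mechanically when a console log is reviewed after a failed or slow download. The following is an added example, not code from the original guide: it assumes the display contains only the markers this section names (dots, codes in angle brackets, "A", "T", and a protocol number in parentheses), and the function name summarize_progress is illustrative.

```python
import re
from collections import Counter

# Descriptions condensed from Table A-1 on this page.
TFTP_ERRORS = {
    -1: "timeout between PIX Firewall and TFTP server",
    2: "packet too short to be a valid TFTP packet",
    3: "packet not from the server given in the server command",
    4: "IP header too short to be a valid TFTP packet",
    5: "IP protocol type was not UDP",
    6: "destination address did not match the address command",
    7: "UDP ports did not match the expected values",
    8: "UDP checksum failed",
    9: "unexpected TFTP code",
    10: "TFTP transfer error",
    -10: "image filename not found or not readable",
    11: "TFTP packet received out of sequence",
}
FATAL = {9, 10}  # the page states that these two codes stop the download

# <code> | (protocol number) | single-character marker
TOKEN = re.compile(r"<(-?\d+)>|\((\d+)\)|([.AT])")

def summarize_progress(display):
    """Tally the markers in one captured progress line."""
    errors, non_ip, marks = Counter(), Counter(), Counter()
    for code, proto, mark in TOKEN.findall(display):
        if code:
            errors[int(code)] += 1
        elif proto:
            non_ip[int(proto)] += 1
        else:
            marks[mark] += 1
    return {
        "dots": marks["."], "arp": marks["A"], "timeouts": marks["T"],
        "errors": dict(errors), "non_ip": dict(non_ip),
        "fatal": sorted(FATAL & set(errors)),
        "unknown": sorted(set(errors) - set(TFTP_ERRORS)),
    }

SAMPLE = "....<11>..<11>.<11>......<11>..."  # example line from this page
if __name__ == "__main__":
    result = summarize_progress(SAMPLE)
    for code, count in result["errors"].items():
        print(f"<{code}> x{count}: {TFTP_ERRORS.get(code, 'not in Table A-1')}")
    print("fatal codes seen:", result["fatal"] or "none")
```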

Determining the IP Address of Your TFTP Server

Loading a PIX Firewall or PDM image requires you to use TFTP. Before using TFTP, you need to determine the IP address of your computer. When you get the information, write it down for use in the "Installing PDM on a PIX Firewall" section on downloading the PDM software.

This section provides the information you need to determine your IP address, and includes the following topics:

Windows NT, Windows 2000, or Windows XP

Windows 98 or Windows ME

Sun Solaris

Linux

Windows NT, Windows 2000, or Windows XP

On a Windows workstation, click Start>Accessories>Command Prompt to launch the Windows command-line interface and then enter the ipconfig command as shown in the following example:

C:\> ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 209.165.200.225
        Subnet Mask . . . . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . . . . : 10.21.196.33

C:\>

In this example, the IP address of the computer is 209.165.200.225 with a network mask of 255.255.255.224.

Windows 98 or Windows ME

From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and entering the winipcfg command. Windows then displays a graphical user interface (GUI) listing the IP address information.

Sun Solaris

Enter the /sbin/ifconfig -a command to view your IP address, as shown in the following example:

% /sbin/ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000 
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255

In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224. (ffffffe0 is the hexadecimal equivalent of 255.255.255.224.)

Linux

Enter the /sbin/ifconfig command to view your IP address, as shown in the following example:

% /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225  Bcast:209.165.200.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:10 Base address:0x3000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224. The remainder of the display provides information on the status of data transmission through the computer.