TFTP over Firewall: How to get it working
TFTP protocol use often involves difficulties in the networks with firewalls or NAT. It is connected to the fact that TFTP protocol uses UDP as transport and, also with the way of files transmission.
TFTP protocol is used as a simple means of transport where the clients' computational power is limited and the means of access authorization are not necessary. Use of UDP as a protocol of transport level lets lessen requirements to the CPU and the RAM. However, UDP is not a protocol with connection establishment. Therefore, the connections are provided by the protocol of application level, i.e. the TFTP protocol. Most of firewalls do not know the way of identification in TFTP protocol that is why these devices can not pass through this traffic type correctly.
Settings, necessary for TFTP in protected secured network depend on the clients and TFTP server locations relatively to the firewall. In the simplest case the TFTP server is in protected network and the clients are in front of the firewall. If the firewall is configured correctly, no problems arise, as a rule. For correct work of TFTP server in this network you should apply the following settings to the firewall:
Add the rule of static translation of TFTP traffic (UDP 69 port) from one of external IP-addresses to the address of TFTP server in the internal network.
Allow TFTP traffic from the public network to the external IP-address, for which the rule of translation has been configured.
Allow all UDP traffic from TFTP server to the external network. Default settings in many types of devices do not limit the traffic from more protected network to less protected network. In case there are limitations in your device you should configure an explicit rule to allow traffic in the external network.
Cisco PIX device must be configured to publish TFTP server, being in DMZ network of an enterprise. TFTP server must be available from public network. The TFTP server address in DMZ is 10.0.0.2. The public address of the enterprise network is 188.8.131.52. To publish the TFTP server it is necessary to execute the following command on the firewall:
static (inside,outside) udp 184.108.40.206 tftp 10.0.0.2 tftp netmask 255.255.255.255 0 0
conduit permit udp host 220.127.116.11 eq tftp any
The first command adds the rule, according to which TFTP traffic, coming to the address 18.104.22.168 is translated to the address 10.0.0.2. The second command allows TFTP traffic to the external network address. The traffic from the internal to external network is allowed on default.
The situation becomes more complicated if it is necessary to provide the clients' access from the protected network to the external TFTP server. Requesting the file, the client sends TFTP RRQ packet from a random UDP port to UDP 69 port of the TFTP server. As far as the packet is being sent from more protected network to the less protected one, firewall sends it to TFTP server. Transmitting the file, firewall adds to the table of translation a record that corresponds to the connection on UDP protocol between the chosen client's port and port 69 of TFTP server. According to RFC 1350, the server sends to the client (from a random port) DATA TFTP packet. However, firewall rejects this packet because it cannot find the existing connection between the chosen server port and the client's port in the table of translation.
Devices, like Cisco PIX, can review the passing TFTP traffic and dynamically add to the table of translation records, allowing TFTP answers to pass from the external network to the enterprise network. To enable this mode in Cisco PIX firewall there is a command fixup protocol tftp.
Another way to solve the problem is to make TFTP server use port 69 not only to receive requests, but also to send the answers to the clients. In this case firewall will correctly transmit the answers to the client according to the record from the table of translation. You can enable this mode in WinAgents TFTP Server by option 'Enable firewall support' in the program settings window.