topic Is it possible that Server in Network Security

Cisco ASA 5505 TFTP (Access Violation)

Matt S — Tue, 12 Mar 2019 08:51:55 GMT

I am trying to send a new asdm image to my cisco asa 5505 firewall. I have tftpd64 installed on Server 2008 R2 and the file I'm trying to send is in the same directory as the tftpd64; so it is accessible. The tftpd64 shows the IP of the server, security is set to none, and is set to tftp server (in settings under GLOBAL tab)

On the cisco asa 5505 I have performed the following command to give access to the tftp server and copy the file

cisco(config)# tftp-server inside 10.4.1.3 255.255.255.0

cisco(config)# copy tftp disk0:

Address or name of remote host [10.4.1.3]?

Source filename [255.255.255.0]? asdm-771.bin

Destination filename [asdm-771.bin]?

Accessing tftp://10.4.1.3/asdm-771.bin;int=inside... %Error reading tftp://10.4.1.3/asdm-771.bin;int=inside (Access violation.)

I am not sure why I'm getting access violation. I was able to transfer the file from a remote machine through a VPN connection but the speeds are so slow it timed out at around 15%. This is why I decided to move the file to the remote server and then do a tftp transfer of the image file.

Is it possible that Server

Richard Burts — Wed, 01 Feb 2017 16:12:33 GMT

Is it possible that Server 2008 R2 has security policy that restricts access to the directory where the file is?

In tftpd64 if you click on the list option do you see your asdm image listed?

HTH

Rick

Hello,

Georg Pauwen — Wed, 01 Feb 2017 16:24:03 GMT

Hello,

I think the file needs to exist in the directory, and you need to have authorization to overwrite it. Can you try to create the file with the exact file name in the destination directory ?

In tftpd64 I click on Show

Matt S — Wed, 01 Feb 2017 16:24:37 GMT

In tftpd64 I click on Show Dir; I see the file, yes.

There are also no group policies in effect, and the windows firewall is off on the server 2008 R2

The file is located in C:\tftpd64\asdm-771.bin

cisco# mkdir disk0:/asdm-771

Matt S — Wed, 01 Feb 2017 16:34:46 GMT

cisco# mkdir disk0:/asdm-771.bin

Create directory filename [asdm-771.bin]?

Created dir disk0:/asdm-771.bin
cisco# sho flash
--#-- --length-- -----date/time------ path
151 2048 Feb 01 2017 10:26:47 asdm-771.bin
21 2048 Dec 30 2011 06:10:58 coredumpinfo
22 59 Mar 19 2015 15:01:48 coredumpinfo/coredump.cfg
10 2048 Dec 30 2011 06:40:08 log
20 2048 May 29 2012 07:15:04 crypto_archive
147 394148 May 17 2012 07:06:40 crypto_archive/crypto_eng0_arch_1.bin
148 394148 May 29 2012 07:15:04 crypto_archive/crypto_eng0_arch_2.bin
135 12105313 Dec 30 2011 06:42:50 csd_3.5.841-k9.pkg
136 2048 Dec 30 2011 06:42:52 sdesktop
150 1462 Dec 30 2011 06:42:52 sdesktop/data.xml
137 2857568 Dec 30 2011 06:42:52 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
138 38367184 Aug 01 2016 17:40:50 anyconnect-win-3.1.09013-k9.pkg
139 12370 Mar 19 2015 15:01:24 8_2_5_0_startup_cfg.sav
140 30486528 May 07 2015 18:52:42 asa923-4-k8.bin

128573440 bytes total (41824256 bytes free)
cisco# conf t
cisco(config)# copy tftp disk0:

Address or name of remote host [10.4.1.3]?

Source filename [255.255.255.0]? asdm-771.bin

Destination filename [asdm-771.bin]?

%Warning:There is a file already existing with this name
Do you want to over write? [confirm]

Accessing tftp://10.4.1.3/asdm-771.bin;int=inside...
%Error reading tftp://10.4.1.3/asdm-771.bin;int=inside (Access violation.)
cisco(config)#

Still unsuccessful

Hello Matt,

Georg Pauwen — Wed, 01 Feb 2017 16:57:26 GMT

Hello Matt,

do you have 'managment-access inside' configured ? Can you post the config of the ASA ?

I do have management-access

Matt S — Wed, 01 Feb 2017 17:18:20 GMT

I do have management-access-inside

I attached configurations in .txt

Hello Matt,

Georg Pauwen — Wed, 01 Feb 2017 19:50:27 GMT

Hello Matt,

I am not sure about the 'allow-scc-mgmt' command on your Vlan1 interface, as this would require the configuration line in bold as well (where 10.4.1.2/24 is an unused address from the Vlan 1 range, yours might be different)

interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
management-only
ip address 10.4.1.1 255.255.255.0

hw-module module 1 ip 10.4.1.2 255.255.255.0 10.4.1.1

This is most likely a

Marius Gunnerud — Wed, 01 Feb 2017 21:31:44 GMT

This is most likely a permissions issue on the Server. Any chance of trying to copy the file from a PC?

What does the log in tftpd64 say?

Please remember to select a correct answer and rate helpful posts

Thanks for confirming that

Richard Burts — Wed, 01 Feb 2017 21:31:51 GMT

Thanks for confirming that the file is in the directory where tftpd64 is looking and confirming that there are no security policies on the server which would impact your copying the file.

I notice that all of your logging levels are set to critical. I would suggest changing (temporarily) to informational and then checking the logs as you attempt the file copy and see if there are any log messages that shed light on the problem.

HTH

Rick

This is all the information

Matt S — Wed, 01 Feb 2017 21:36:08 GMT

This is all the information the logs on the tftpd provide:

Connection received from 10.4.1.1 on port 51958 [31/01 16:46:35.054]
Read request for file <asdm-771.bin>. Mode octet [31/01 16:46:35.054]
Using local port 56989 [31/01 16:46:35.161]
Peer returns ERROR <> -> aborting transfer [31/01 16:46:35.559]

I will try to transfer from a PC and see if the results change.

I am not sure where the

Richard Burts — Wed, 01 Feb 2017 21:37:50 GMT

I am not sure where the config command management-only comes from (I do not see it in the config copy that I saw in the thread) and I am concerned about it. It would not allow data traffic to use this interface.

HTH

Rick

Georg -

Matt S — Wed, 01 Feb 2017 21:38:58 GMT

Georg -

Thanks for your reply -

Could provide a little more detail as to what you mean? Doesn't the command you provided have to do with accessing the IDS module?

Thanks!

Hello,

Georg Pauwen — Wed, 01 Feb 2017 22:04:56 GMT

Hello,

as far as I remember, the 'allow ssc-mgmt' command is used to provide access to an SSC (Security Services Card), which does not have any external interfaces. The corresponding 'hw-module' command is needed to provide access to the card through the IP address specified. I assume you have an SCC installed ?

Sure enough, as soon as I

Matt S — Wed, 01 Feb 2017 22:21:59 GMT

Sure enough, as soon as I tried on PC, worked like a champ. Should have tried this hours ago.

Any idea where or what permission would cause the access violation on a server as opposed to a workstation?

Hello Matt,

Georg Pauwen — Wed, 01 Feb 2017 23:30:25 GMT

Hello Matt,

is the IP address of the PC in the same subnet as that of the server, 10.4.1.0/24 ?

I haven't worked with servers

Marius Gunnerud — Thu, 02 Feb 2017 09:36:32 GMT

I haven't worked with servers in quite a while now, but remembering back to when I did work with them, I remember that the 2008 R2 had some really strict and (in my opinion) strange security setting. for example, I was trying to pre-stage a server 2008 R2 for a client but I was unable to do so unless the server detected another device on the local network.

So I do not know which security settings it would be that need to be changed. Perhaps someone else here knows..

Please remember to select a correct answer and rate helpful posts

Yes, the PC is 10.4.1.101,

Matt S — Thu, 02 Feb 2017 12:45:13 GMT

Yes, the PC is 10.4.1.101, server was 10.4.1.3, and asa was 10.4.1.1

Re: Cisco ASA 5505 TFTP (Access Violation)

chris-goulder — Mon, 19 Feb 2018 08:42:43 GMT

One cause for this is if the server you are trying to run tftpd on is already running the windows deployment services server (WDSS), which includes a tftp service and that will own udp port 69 on the platform.

In this case tftpd will run without warnings but when tftp'ing to the platform you are talking to WDSS and not tftpd

netstat -a -b will show if port 69 already listening and which process owns it

If WDSS running, temp disable it while you run tftpd

(the WDSS tftp service itself is not great)

Re: Cisco ASA 5505 TFTP (Access Violation)

godfrey_mungora — Wed, 05 Dec 2018 09:09:57 GMT

Had ran into the same problem issue was i was running tftpd32 with a standard windows account, make sure you run it as admin.