topic hi Marius,I added the same in Network Security

Cannot tftp image from IOS rommon prompt via ASA device

jgohil — Tue, 12 Mar 2019 04:46:53 GMT

Need help configuring ASA to allow tftp download: cannot download tftp timesout Device 1 --> (Port 9 )Device 2 --> port 1(Device 2 ) --> switch --> tftp server Device 1 is sitting at rommon prompt. I would like to download an image to device 1. Device 1 configuration at rommon prompt is shown below: ap: set DEFAULT_ROUTER=192.168.10.1 IOS_STATIC_DEFAULT_GATEWAY=192.168.10.1 IOS_STATIC_IP_ADDR=192.168.10.2 IOS_STATIC_NETMASK=255.255.255.0 IP_ADDR=192.168.10.1 NETMASK=255.255.255.0 SERVERIP=171.70.42.151 Device 1 is connected to an ASA unit on port 9. ASA configuration is shown below. ciscoasa(config-if)# show run : Saved : : Serial Number: JAD18330047 : Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 100.12(10)44 ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface GigabitEthernet1/1 nameif g1 security-level 0 ip address 172.24.22.49 255.255.0.0 ! interface GigabitEthernet1/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/9 nameif g9 security-level 0 ip address 192.168.10.1 255.255.255.0 ! interface Management1/1 management-only shutdown no nameif no security-level no ip address ! ftp mode passive pager lines 24 mtu g1 1500 mtu g9 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 no ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:8a78f7d952a22f621855c62baecd3b2d : end Device 2 port 1 is connected to switch 172.24.22.49 ( and can access 171.70.42.151 tftp server ) Device 2 port 9 is connected to Device 1 192.168.10.2 I need to tftp image from device 1 rommon prompt using the following command: ( ap: copy tftp://171.70.42.151/auto/tftp-users/filename flash:filename)

you are missing the command

Marius Gunnerud — Fri, 19 Sep 2014 07:11:37 GMT

you are missing the command same-security-traffic permit inter-interface

add that and see if you are now able to tftp through the ASA.

Please remember to select a correct answer and rate helpful posts

hi Marius,I added the same

jgohil — Fri, 19 Sep 2014 13:01:04 GMT

hi Marius,

I added the same-security-traffic permit inter-interface command. still cannot tftp. Attached pic of my setup with the config

Are you able to ping the tftp

Marius Gunnerud — Fri, 19 Sep 2014 20:53:09 GMT

Are you able to ping the tftp server from the wlan?

WLAN is at rommon prompt;

jgohil — Fri, 19 Sep 2014 21:19:42 GMT

WLAN is at rommon prompt; there is no ping command available from the rommon prompt.

arp shows the following from WLAN rommon prompt:

ap: arp
255.255.255.255 ff:ff:ff:ff:ff:ff 0 6
192.168.10.1 88:f0:31:0d:5c:86 132 11

Please run the following

Marius Gunnerud — Sat, 20 Sep 2014 06:12:59 GMT

Please run the following packet tracer on the ASA and post the output here: packet-tracer input udp g9 172.24.22.97 12345 171.70.42.151 67 detailed

Note: changed server ip to be

jgohil — Sat, 20 Sep 2014 13:14:34 GMT

Note: changed server ip to be on the same network 172.24.22.97 ( attached pic )

ciscoasa# packet-tracer input g9 udp 192.168.10.2 12345 172.24.22.97 67 detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c86e70, priority=1, domain=permit, deny=false
hits=21, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=g9, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc g1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c979b0, priority=2, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g9, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
hits=8184, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c8f710, priority=0, domain=inspect-ip-options, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g9, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
hits=8186, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g1, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: g9
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

packet-tracer command using

jgohil — Sat, 20 Sep 2014 17:44:39 GMT

packet-tracer command using g1 port instead of g9:

ciscoasa# packet-tracer input g1 tcp 192.168.10.2 12345 172.24.22.97 67 ?

detailed Dump more detailed information
xml Output in xml format
<cr>
ciscoasa# packet-tracer input g1 tcp 192.168.10.2 12345 172.24.22.97 67 detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c27280, priority=1, domain=permit, deny=false
hits=23, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=g1, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc g1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c2a210, priority=111, domain=permit, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g1, output_ifc=g1

Result:
input-interface: g1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

i added "same-security

jgohil — Sat, 20 Sep 2014 18:43:10 GMT

i added "same-security-traffic permit intra-interface"

but still cannot tftp from

copy tftp://172.24.22.97/filename flash:a

ciscoasa(config)# packet-tracer input g1 udp 192.168.10.2 12345 172.24.22.97 6$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc g1

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5caed50, priority=3, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g1, output_ifc=g1

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
hits=12047, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g1, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
hits=12049, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=g1, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: g1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

same-security-traffic permit

Marius Gunnerud — Sat, 20 Sep 2014 19:10:27 GMT

same-security-traffic permit intra-interface is for traffic entering and leaving the same interface (ie. entering one sub interface and leaving through another sub interface) so this will not be of any use in this situation.

Your packet tracer for g1 interface is incorrect. when doing the packet tracer on g1 you need to have the source IP of the tftp server not the WLAN.

packet-tracer input udp g1 172.24.22.97 12345 192.168.10.2 67 detailed

But as per the first packet tracer the traffic flow is permitted through the firewall. Have you made sure the TFTP server is setup correctly? You could try to put an ACL on both g1 and g9 that permits IP between WLAN and the TFTP server and see if that helps...though I do not expect it to help.

Could you set up a packet capture between the g1 and g9 interface for the WLAN and TFTP server and then try to do a TFTP transfer. Check the output to see if there is any drop and / or that you see both the request and reply for each packet.

Please remember to select a correct answer and rate helpful posts

don't see any activity ( or

jgohil — Sun, 21 Sep 2014 00:06:39 GMT

don't see any activity ( or not enough )

ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 1 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip any any (hitcnt=0) 0x28676dfa
ciscoasa(config)# show cap
capture 101 type raw-data interface g9 [Capturing - 2225 bytes]
capture 102 type raw-data interface g1 [Capturing - 0 bytes]
match ip host 192.168.10.2 host 172.24.22.97
match ip 192.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
capture 103 type raw-data ethernet-type ip trace interface g9 [Capturing - 623 bytes]

ciscoasa(config)# show cap 101

7 packets captured

1: 17:03:10.137978 192.168.10.1.1031 > 172.24.22.97.69: udp 40
2: 17:03:13.889953 192.168.10.1.1031 > 172.24.22.97.69: udp 40
3: 17:03:29.229465 192.168.10.1.1031 > 172.24.22.97.69: udp 40
4: 17:03:44.568986 192.168.10.1.1031 > 172.24.22.97.69: udp 40
5: 17:03:59.908446 192.168.10.1.1031 > 172.24.22.97.69: udp 40
6: 17:04:15.247957 192.168.10.1.1031 > 172.24.22.97.69: udp 40
7: 17:04:30.587478 192.168.10.1.1031 > 172.24.22.97.69: udp 40
7 packets shown
ciscoasa(config)# show cap 102

0 packet captured

0 packet shown
ciscoasa(config)# show cap 103

7 packets captured

Could you post the commands

Marius Gunnerud — Sun, 21 Sep 2014 16:03:07 GMT

Could you post the commands you used to create the packet capture please.

As per the output, we don't see any return traffic from the TFTP server so it would seem that there is an issue between the ASA and the TFTP server. Is the TFTP server a windows server? if so have you turned off the windows firewall? is there any other software firewall installed on the TFTP server that you may have forgotten to turn off during your transfer?

Please remember to select a correct answer and rate helpful posts