https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227909#M346963 <HTML><HEAD></HEAD><BODY><P>more ideas ...</P><P></P><P>1) is there a connection on UDP/69 directly before this UDP/33442 traffic is seen on the Checkpoint?</P><P>2) Look at your ASA log to see which traffic relates to your tftp-process to corelate that with the ChackPoint-Log.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Mon, 08 Jul 2013 13:30:41 GMT Karsten Iwen 2013-07-08T13:30:41Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227905#M346947 <P>we have a pair of ASA that are on the Zone1(x.x.33.100), and we have TFTP server(x.x.223.108) on the Inside Zone. Zones are seperated by a Checkpoint FW. When I generate a tftp traffic to copy running config to the tftp server from the ASAs, the Checkpoint show a redam port number like 33442 somthing, instead a UDP 69.</P><P></P><P>Can any of you tell me why it is not 69? The configuration on the ASAs regarding for the traffic are default.</P><P></P><P>thanks,</P><P>Han</P><P></P><P></P><P><IMG src="https://community.cisco.com/" /></P> Tue, 12 Mar 2019 02:07:55 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227905#M346947 hanwucisco 2019-03-12T02:07:55Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227906#M346950 <HTML><HEAD></HEAD><BODY><P>Just add a pic of the traffic on the checkpoint,</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/8/5/144580-Capture-ASA.PNG" class="jive-image" /></P></BODY></HTML> Fri, 05 Jul 2013 20:52:25 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227906#M346950 hanwucisco 2013-07-05T20:52:25Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227907#M346954 <HTML><HEAD></HEAD><BODY><P>TFTP uses a dynamic DATA-port, similar to FTP. Thats what this additional port should be in the Checkpoint-Log. If that traffic is denied, you have to enable TFTP-Inspection on the CheckPoint.<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Fri, 05 Jul 2013 21:26:25 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227907#M346954 Karsten Iwen 2013-07-05T21:26:25Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227908#M346959 <HTML><HEAD></HEAD><BODY><P>Karsten,</P><P>Our Checkpoint guy told me that the Inspection is enabled and this traffic is a "new initiation", meaning it is started to reach port 33442, instead of 69. </P><P>any idea?</P><P>thanks,</P><P>Han</P></BODY></HTML> Mon, 08 Jul 2013 13:11:13 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227908#M346959 hanwucisco 2013-07-08T13:11:13Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227909#M346963 <HTML><HEAD></HEAD><BODY><P>more ideas ...</P><P></P><P>1) is there a connection on UDP/69 directly before this UDP/33442 traffic is seen on the Checkpoint?</P><P>2) Look at your ASA log to see which traffic relates to your tftp-process to corelate that with the ChackPoint-Log.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Mon, 08 Jul 2013 13:30:41 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227909#M346963 Karsten Iwen 2013-07-08T13:30:41Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227910#M346965 <HTML><HEAD></HEAD><BODY><P>Karsten,</P><P>No UDP/69 seen. The ASA logs look strange to me. I dont find any traffic in the log to destination of the TFTP server and there are a lot message as following,</P><PRE><A name="wp6175477"> </A>%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection <EM>protocol</EM> src <EM>interface_name</EM>:<EM>source_address</EM>/<EM>source_port </EM>[(<EM>idfw_user</EM>)] dst <EM>interface_name</EM>:<EM>dst_address</EM>/<EM>dst_port </EM>[(<EM>idfw_user</EM>)] denied due to NAT reverse path failure.</PRE><P></P><P></P><P>thanks,</P><P></P><P>Han</P></BODY></HTML> Mon, 08 Jul 2013 14:51:12 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227910#M346965 hanwucisco 2013-07-08T14:51:12Z https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227911#M346967 <HTML><HEAD></HEAD><BODY><P>The reason is that someone had a typo on the ACL and we corrected. As to why this typo can make that kind of symtom, i have got myself understood yet. </P><P>but thanks,</P><P>Han</P></BODY></HTML> Wed, 17 Jul 2013 17:09:52 GMT https://community.cisco.com/t5/network-security/tftp-port-number-not-69/m-p/2227911#M346967 hanwucisco 2013-07-17T17:09:52Z