topic Re: cant do TFTP from outside the firewall even with allowing tf in Network Security

cant do TFTP from outside the firewall even with allowing tftp

pemasirid — Mon, 11 Mar 2019 19:57:03 GMT

Hi,

I'm having issue with doing tftp to device behind the firewall (ASA) even though I have allow tftp from outside. Here is the message I see on the console.

ciscoasa/C2(config)#

ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80

%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0

%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04

Here is the message I see on the device where I'm trying to tftp

R2#copy flash: tftp:

Source filename []? IOSCA.ser

Address or name of remote host []? 150.1.1.241

Destination filename [IOSCA.ser]?

.....

%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)

R2#

Here is my ACL on ASA applied to outside interface

ciscoasa/C2# sh run acc

ciscoasa/C2# sh run access-l

ciscoasa/C2# sh run access-list out

access-list out extended permit icmp any any

access-list out extended permit esp host 1.1.6.3 host 1.1.4.2

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp

access-list out extended permit udp host 150.1.1.241 host 1.1.4.2 eq tftp

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp

access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434

access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp

access-list out extended permit esp host 1.1.6.4 host 1.1.4.2

access-list out extended permit udp any host 1.1.4.2 eq tftp

Appreciate if someone can find the issue..

thanks

Re: cant do TFTP from outside the firewall even with allowing tf

Collin Clark — Fri, 25 Feb 2011 21:49:21 GMT

Do you have a NAT translation for 1.1.4.2?

Re: cant do TFTP from outside the firewall even with allowing tf

Federico Coto Fajardo — Fri, 25 Feb 2011 21:51:52 GMT

You're tring to TFTP to a server behind the ASA....

The NAT address is 150.1.1.241?

You have a static NAT to allow inbound traffic to this host from the outside?

Then assuming the above IP is the static NAT IP, and the ACL out is assigned to the outside, you need:

access-list out extended permit udp any host 150.1.1.241 eq tftp

Hope it helps.

Federico.

Re: cant do TFTP from outside the firewall even with allowing tf

pemasirid — Fri, 25 Feb 2011 21:53:30 GMT

Nope, its nat-control not enabled..

it works without firewall (bypassing asa)...

Re: cant do TFTP from outside the firewall even with allowing tf

Federico Coto Fajardo — Fri, 25 Feb 2011 21:55:23 GMT

You're trying to TFTP to 150.1.1.241 and I don't see it being permitted in the ACL.

Federico.

Re: cant do TFTP from outside the firewall even with allowing tf

Collin Clark — Fri, 25 Feb 2011 21:57:42 GMT

Does 150.1.1.241 have a route to the TFTP server? Are you seeing a deny in your logs?

Re: cant do TFTP from outside the firewall even with allowing tf

pemasirid — Fri, 25 Feb 2011 21:58:24 GMT

Hi,

firewall is not doing any NAT (no nat-control) and my ip 150.1.1.241 is the outside ip and my router where I need to do tftp it 1.1.4.2.

I have already allowed tftp from outside to 1.1.4.2 and also enabled inspection on tftp under global-policy...

Re: cant do TFTP from outside the firewall even with allowing tf

pemasirid — Fri, 25 Feb 2011 22:00:08 GMT

yes, it has route to TFTP...have a look below

R2#copy flash: tftp:

Source filename []? IOSCA.ser

Address or name of remote host []? 150.1.1.241

Destination filename [IOSCA.ser]?

.....

%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)

R2#

R2#ping 150.1.1.241

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.1.241, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

R2#

Re: cant do TFTP from outside the firewall even with allowing tf

Federico Coto Fajardo — Fri, 25 Feb 2011 22:02:08 GMT

packet-tracer input outside udp 150.1.1.241 1025 1.1.4.2 69 det

The above should show if an inbound TFTP connection between those IPs is allowed and succesful.

Federico.

Re: cant do TFTP from outside the firewall even with allowing tf

Collin Clark — Fri, 25 Feb 2011 22:02:40 GMT

I assume that the TFTP server logs doesn't show a connection attempt? Is there any info on the connection in the ASA logs? Can you try a packet tracer and see where it is failing?

Re: cant do TFTP from outside the firewall even with allowing tf

pemasirid — Fri, 25 Feb 2011 22:47:47 GMT

Hi Colin/Fedarico,

thanks a lot for both of your responses.. However I was in hurry to change the topology and I have already did the write erase..anyway its a good tool which I fortoton to check..but surly on my next try I will do and let you both know the update..

Re: cant do TFTP from outside the firewall even with allowing tf

Federico Coto Fajardo — Fri, 25 Feb 2011 22:50:01 GMT

Going over the thread Collin was correct from the start.

Just let us know when you need assistance 🙂

Federico.