topic Re: tftp blocking on asa5510 in Network Security

tftp blocking on asa5510

jschweng — Mon, 11 Mar 2019 19:46:20 GMT

we have a network manager inside and a ris server outside of an asa

5510 firewall running ios version asa823-k8.bin

We have a rule on both the inside and outside interfaces allowing tftp through.

When tftp is initiated from the Netmager on hte inside the firewall allows out to the RIS server on destination port 69 and a ramdon source port.

The return traffic goes back to the Netmanager the destination port is the random source port that the NEtman Used and the Firewall blocks the traffic.

If I allow all UDP in its works fine.

shouldn't the firewall open up the ports to allow the traffic back in?

Am I missing something/

Re: tftp blocking on asa5510

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 20:52:48 GMT

you are right. The return traffic of the original connection should be allow back in. Have you checked the logs or applied captures to see what is going on?

Re: tftp blocking on asa5510

jschweng — Mon, 07 Feb 2011 21:04:06 GMT

Yes Ive checked the log - its dropping the incoming packets sent back to the Netman on the Random port it sends on.

I found this post relative to PIX and it referred to a command "fixup protocol tftp" which I see as an option on my ASA's.

Any idea is this should be enabled on our ASA's to pass tftp traffic?

**************

The situation becomes more complicated if it is necessary to provide the clients’ access from the protected network to the external TFTP server.

Requesting the file, the client sends TFTP RRQ packet from a random UDP port to UDP 69 port of the TFTP server. As far as the packet is being sent from more protected network to the less protected one, firewall sends it to TFTP server. Transmitting the file, firewall adds to the table of translation a record that corresponds to the connection on UDP protocol between the chosen client’s port and port 69 of TFTP server. According to RFC 1350, the server sends to the client (from a random port) DATA TFTP packet. However, firewall rejects this packet because it cannot find the existing connection between the chosen server port and the client’s port in the table of translation.

Devices, like Cisco PIX, can review the passing TFTP traffic and dynamically add to the table of translation records, allowing TFTP answers to pass from the external network to the enterprise network. To enable this mode in Cisco PIX firewall there is a command fixup protocol tftp.

Re: tftp blocking on asa5510

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 21:26:13 GMT

you need the inspect TFTP. Please read the following:

"The security appliance inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server"

Here is the link for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i2_711.html#wp1639081

Re: tftp blocking on asa5510

jschweng — Mon, 07 Feb 2011 21:50:15 GMT

We have global policy which is the default right out of the box.

policy-map global-policy

class inspection_default

inspect tftp

class class_tftpt

inspect tftp

class class_tftp1

inspect tftp

service-policy global_policy global

Re: tftp blocking on asa5510

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 21:57:03 GMT

what does those 2 additional class maps contain?

Can you send the sh run class-map

Re: tftp blocking on asa5510

jschweng — Mon, 07 Feb 2011 22:03:58 GMT

# show run class-map

class-map class_tftp1

match port udp range 1 1023

class-map class_tftp

match port udp range 1.24 65535

class-map inspection_default

match default-inspection-traffic

Re: tftp blocking on asa5510

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 22:10:25 GMT

I don't think you need those two class maps in your policy map, the default inspect tftp should handle the traffic. If you can test removing that it would be great.

the traffic should be allowed back succesfully.

Re: tftp blocking on asa5510

jschweng — Mon, 07 Feb 2011 22:15:02 GMT

ok thanks I'll try that tomorrow and get back - most appreciated

Re: tftp blocking on asa5510

jschweng — Tue, 08 Feb 2011 22:09:24 GMT

I removed the other tftp class-maps and its still blocking the traffic. If i allow back in udp ports 1024-655xx then it works ok.

Is there anything that you have to do different to allow tftp return traffic?