https://community.cisco.com/t5/network-security/acl/m-p/2423607#M921900 <P>Not really. There are a couple of flaws in your premises - Please refer to<A href="https://supportforums.cisco.com/discussion/10928691/acl-tftp-traffic"> this thread</A> for a better ACL setup.</P><P>Generally speakng tftp only uses udp/69 for the initial destination protocol and port. The initial source port is randomly chosen and that exchange also sets up the Transaction ID (TID) which influences the subsequent udp ports used for the actual transfer. See also this <A href="http://books.google.com/books?id=isybabuADPkC&amp;pg=PA610&amp;lpg=PA610&amp;dq=tftp+source+and+destination+ports&amp;source=bl&amp;ots=XbJ0CZ6jAU&amp;sig=CBfBIxiHgUyHITrq7BtRTO_hyzA&amp;hl=en&amp;sa=X&amp;ei=23U9U9nSDsuksQTX7YCQAw&amp;ved=0CGwQ6AEwBw#v=onepage&amp;q=tftp%20source%20and%20destination%20ports&amp;f=false">book excerpt</A> for a more in-depth explanation:</P><P>&nbsp;</P> Thu, 03 Apr 2014 15:02:54 GMT Marvin Rhoads 2014-04-03T15:02:54Z https://community.cisco.com/t5/network-security/acl/m-p/2423606#M921898 <H5 class="uiStreamMessage" data-ft="{&quot;type&quot;:1,&quot;tn&quot;:&quot;K&quot;}" style="font-size: 11px; color: rgb(0, 0, 0); margin-top: 0px; margin-bottom: 5px; padding: 0px; word-break: break-word; word-wrap: break-word; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif;"><SPAN class="messageBody" data-ft="{&quot;type&quot;:3,&quot;tn&quot;:&quot;K&quot;}" style="color: rgb(51, 51, 51); font-size: 14px; line-height: 1.38;">Shouldnt this acl permit tftp from host 10.0.0.68, but deny any other tftp request? and also permit any other request other then tftp?<BR /><BR />access-list 100 permit udp host 10.0.0.68 eq tftp host 10.0.0.82 eq tftp<BR /><BR />access-list 100 deny udp any eq tftp any eq tftp<BR /><BR />access-list 100 permit ip any any</SPAN></H5> Fri, 21 Feb 2020 13:09:02 GMT https://community.cisco.com/t5/network-security/acl/m-p/2423606#M921898 danielbj66 2020-02-21T13:09:02Z https://community.cisco.com/t5/network-security/acl/m-p/2423607#M921900 <P>Not really. There are a couple of flaws in your premises - Please refer to<A href="https://supportforums.cisco.com/discussion/10928691/acl-tftp-traffic"> this thread</A> for a better ACL setup.</P><P>Generally speakng tftp only uses udp/69 for the initial destination protocol and port. The initial source port is randomly chosen and that exchange also sets up the Transaction ID (TID) which influences the subsequent udp ports used for the actual transfer. See also this <A href="http://books.google.com/books?id=isybabuADPkC&amp;pg=PA610&amp;lpg=PA610&amp;dq=tftp+source+and+destination+ports&amp;source=bl&amp;ots=XbJ0CZ6jAU&amp;sig=CBfBIxiHgUyHITrq7BtRTO_hyzA&amp;hl=en&amp;sa=X&amp;ei=23U9U9nSDsuksQTX7YCQAw&amp;ved=0CGwQ6AEwBw#v=onepage&amp;q=tftp%20source%20and%20destination%20ports&amp;f=false">book excerpt</A> for a more in-depth explanation:</P><P>&nbsp;</P> Thu, 03 Apr 2014 15:02:54 GMT https://community.cisco.com/t5/network-security/acl/m-p/2423607#M921900 Marvin Rhoads 2014-04-03T15:02:54Z