06-24-2022 08:14 AM
Hi there
I wonder if anyone can help....
I have a Cisco ASA 5506-X running "disk0:/asa9-12-1-2-lfbff-k8.SPA" configured and all seems to be working through the firewall and I am even able to manage the firewall through the inside interface (that has known to be an issue on these units). However, I now find myself in a position where I am unable to copy a new image/file from a TFTP server on the inside I/F to Disk0: on the ASA and I don't know where I am going wrong.
I have a laptop with a TFTP server on it and it's running and I have disabled the firewall on the laptop, but if I try and ping or TFTP the device it fails. It looks like the traffic isn't leaving the ASA itself. This is also NOT a tftp-server sort of related question, it's probably some sort of ACL issue based on packet tracer:-
Mildenhall-ASA# packet-tracer input inside_7 udp 192.168.1.1 tftp 192.168.1.10$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.100 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside_7
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Mildenhall-ASA#
Any help would be welcome.
Kind Regards
Kevin
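As an added example (not Kevin's or Cisco's code), here is a small Python helper that parses packet-tracer output of the shape posted above and reports which phase dropped the flow and why; the SAMPLE string is a constructed, trimmed copy of that trace, and the field names it keys on (Phase, Type, Result, Config, Additional Information, Drop-reason) are the ones visible in the output.

```python
# Constructed sample: the trace posted in the question above, trimmed to its key lines.
SAMPLE = """\
Mildenhall-ASA# packet-tracer input inside_7 udp 192.168.1.1 tftp 192.168.1.100
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 192.168.1.100 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside_7
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, summary): one dict per Phase block plus the final Result block."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.partition(":"); val = val.strip()
        if key == "Phase":                         # a new phase block starts
            cur = {"phase": int(val), "Config": [], "Additional Information": []}
            phases.append(cur); section = None
        elif line == "Result:":                    # bare "Result:" opens the summary block
            in_summary, cur = True, None
        elif in_summary:
            summary[key] = val                     # e.g. Drop-reason, output-interface
        elif cur is None:
            pass                                   # echoed command line before Phase 1
        elif key in ("Type", "Subtype", "Result"):
            cur[key] = val; section = None
        elif key in ("Config", "Additional Information") and not val:
            section = key                          # following free-text lines belong here
        elif section:
            cur[section].append(line)
    return phases, summary

def verdict(text):
    """Name the first phase that dropped the flow, with the ASA's drop reason."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    if drop is None:
        return ("allow", None, None, "")
    return ("drop", drop["phase"], drop["Type"], summary.get("Drop-reason", ""))
```

Feeding several traces through verdict() makes it quick to see whether a flow dies in an ACL phase (a rule problem) or somewhere else (routing, NAT), which is the first split to make before touching the configuration.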
06-24-2022 09:31 AM - edited 06-24-2022 09:33 AM
Drop-reason: (acl-drop) Flow is denied by configured rule
This shows as denied. Since we do not have visibility it is hard to guess what is wrong here; maybe we can say there is no rule allowing this task.
On the other hand, if you are looking to upgrade, these FWs do have USB; you can use that for the upgrade.
Check some example ACLs:
06-27-2022 12:39 AM
Hi BB
thanks for your reply.
I ran:-
C:\Program Files (x86)\Nmap>netstat -a -n | findstr ":69"
C:\Program Files (x86)\Nmap>netsh advfirewall set allprofiles state off
Ok.
C:\Program Files (x86)\Nmap>netsh advfirewall show allprofiles state
Domain Profile Settings:
----------------------------------------------------------------------
State OFF
Private Profile Settings:
----------------------------------------------------------------------
State OFF
Public Profile Settings:
----------------------------------------------------------------------
State OFF
Ok.
C:\Program Files (x86)\Nmap>netstat -a -n | findstr ":69"
UDP 0.0.0.0:69 *:*
UDP [::]:69 *:*
C:\Program Files (x86)\Nmap>
and then ran:-
access-list ACL-OUT-INSIDE extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list ACL-OUT-INSIDE extended permit icmp any 192.168.1.0 255.255.255.0
access-group ACL-OUT-INSIDE out interface inside_7
access-group ACL-OUT-INSIDE out interface inside
However, when I then use:-
Mildenhall-ASA# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Mildenhall-ASA#
&
Mildenhall-ASA# copy tftp: disk0:
Address or name of remote host []? 192.168.1.100
Source filename []? TestFile.txt
Destination filename [TestFile.txt]?
Accessing tftp://192.168.1.100/TestFile.txt...
WARNING: TFTP download incomplete!
%Error reading tftp://192.168.1.100/TestFile.txt (Timed out attempting to connect)
Mildenhall-ASA#
What i can see is that the ASA doesn't register a log incident trying to get the TestFile.txt from the laptop.
I do get your point that I can do this via the USB or indeed I can also use ASDM, but I'm stubborn and old school and want to know why I can't do it via CLI. What is it that I am doing wrong, I wonder....
Kind Regards
KJ
06-26-2022 01:48 PM
Remember that packet-tracer is to simulate a packet passing through the ASA and not to the ASA (to the box), which is why you are seeing a drop in the packet-tracer.
06-27-2022 12:45 AM
Hi Marius
To answer your questions:-
06-27-2022 02:42 PM
I think this might be a limitation in the ASA BVI implementation. It could have something to do with the interface that is sourcing the tftp request; I do not think that the BVI interface is being used but rather the physical interface.
06-27-2022 02:50 PM
Hi Marius
Now there's a surprise....!!!
It's exactly what I thought was going on quite frankly. You can put an ACL in for anything going through the device, but when the device is the actual source, which address does it use? It should use the closest I/F to the outgoing traffic, or it should route between the BVI interface (inside, inside_1 etc..) and whatever address it thinks it's using (I'm thinking loop-back address / management address).
Kind Regards
KJ
06-27-2022 11:37 PM
I had similar issues a few years ago when I was trying to manage a temporary ASA5506 with BVI configured over a VPN tunnel. The issue was that we were not able to specify the BVI interface name in management-access command. So we ended up accessing it via the outside interface.
As mentioned, I suspect that a similar issue is happening with TFTP (and ping for that matter). For ping, you could try to configure "icmp permit any <interface name>" but I am not aware of any command that we can use to specify the source interface for TFTP.
06-27-2022 11:47 PM
Hi Marius
Yeah, I tried the ACL with the interface as inside and inside_7 and that still doesn't work.
This one is one of those types of annoying little Cisco nuances that makes me not a fan of them. I'm not an ABC (Anything But Cisco), but you do have to wonder how they are such a market leader with kit that is so hard to make work, with all these nuances, and then they are so expensive as well to boot.
06-28-2022 12:09 AM
My view on it is that Cisco was going to replace the ASA5505 with the ASA5506. Originally the 5506 did not support switched ports, but there was such a demand for it that they had to implement BVI for the 5506. Unfortunately it seems like there are some issues with regard to the sourcing interface as we are seeing. I am not sure if this BVI solution for the ASA5506 was meant to be a permanent solution or temporary until clients acquired a separate switch.
06-28-2022 12:22 AM
Hi Marius
That's more or less what I am finding with the 5506-X, especially when you are talking about traffic sourced from the unit or as the termination point.
Adding a switch externally still wouldn't solve this issue, as the source of the traffic would still be the ASA; you would just be moving the termination point from a laptop on the BVI to a laptop on a switch still connected to the BVI. Cisco should have thought this one through a bit more and/or at the very least released a patch/feature release that would have addressed these issues with the BVI. I clearly am not a pioneer here in what I am trying to achieve...!!!
Thanks for your help though. I needed a sanity check on what I was doing.
KJ
06-28-2022 12:30 AM
Actually adding a switch externally will solve the issue, because then you can remove the BVI configuration and move the IP to the physical interface on the ASA. Remember that the BVI configuration is just so that the ASA's ports can be used in a switch-like manner. But yes, I agree that this could have been thought through better and should have been solved by now as this has been in circulation for quite some time now.
06-28-2022 01:26 AM
Ahhhh I got you.
But would you have to just strip away some of the config a bit or actually go as far as removing the BVI interface as well...
06-28-2022 01:46 AM
That depends. You would need to remove the IP from the BVI if you want to continue using that IP / subnet. Otherwise you can define a new IP / subnet and assign that to one of the physical interfaces and then use that to manage the ASA.
Unless you intend to use the ASA as a "switch", I would suggest removing the BVI configuration completely.