ASA 5506-X - Cant TFTP a new image from a server on the inside I/F

Blacktip69
Level 1

Hi there

I wonder if anyone can help....

I have a Cisco ASA 5506-X running "disk0:/asa9-12-1-2-lfbff-k8.SPA" configured and all seems to be working through the firewall, and I am even able to manage the firewall through the inside interface (that has been known to be an issue on these units). However, I now find myself in a position where I am unable to copy a new image/file from a TFTP server on the inside I/F to disk0: on the ASA and I don't know where I am going wrong.

I have a laptop with a TFTP server on it and it's running, and I have disabled the firewall on the laptop, but if I try and ping or TFTP the device it fails. It looks like the traffic isn't leaving the ASA itself. This is also NOT a tftp-server sort of related question; it's probably some sort of ACL issue, based on packet-tracer:-

Mildenhall-ASA# packet-tracer input inside_7 udp 192.168.1.1 tftp 192.168.1.10$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.100 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside_7
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Mildenhall-ASA#

Any help would be welcome.

Kind Regards

Kevin
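
The trace in the post above is laid out phase by phase, and when you are comparing several of them it is easy to misread which phase actually dropped the packet and which egress interface the route lookup chose. The following parser is an added example, not code from the thread or from Cisco: it reads that layout ("Phase: N" blocks followed by a trailing "Result:" block) and returns a compact triage view. The sample embedded in it is the output from the post above; the assumption is that other ASA releases keep the same layout. Note what such a trace simulates: a packet arriving on inside_7 from a host, i.e. traffic passing through the box, which is a different path from a transfer the ASA sources itself.

```python
"""Parse ASA packet-tracer output and report where the simulated flow was dropped.
Added example, not code from the thread; assumes other ASA releases keep the
layout shown above ("Phase: N" blocks followed by a trailing "Result:" block)."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
EGRESS_RE = re.compile(r"using egress ifc (\S+)")

# Copied from the thread's trace (the command line is cut off on the page,
# so only the output is reproduced here).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.100 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside_7
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): per-phase dicts and the trailing Result: block."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # a bare "Result:" opens the final block
            cur, section = None, "summary"
            continue
        if section == "summary":
            if ":" in line:  # skips a trailing CLI prompt line
                key, _, val = line.partition(":")
                summary[key.strip().lower()] = val.strip()
            continue
        if cur is None:  # prompt/echo lines before Phase 1
            continue
        if line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
            continue
        if section in ("config", "info"):
            cur[section].append(line)
            continue
        key, _, val = line.partition(":")
        if key.strip().lower() in ("type", "subtype", "result"):
            cur[key.strip().lower()] = val.strip()
    return phases, summary


def summarize(text):
    """Triage view: which phase dropped the packet, why, and the chosen egress."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    hits = [EGRESS_RE.search(l) for p in phases for l in p["info"]]
    return {
        "phases": len(phases),
        "action": summary.get("action"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_reason": summary.get("drop-reason"),
        "egress": next((m.group(1) for m in hits if m), None),
    }
```

Running summarize() over the sample gives phase 3 (ACCESS-LIST) as the dropping phase, "(acl-drop) Flow is denied by configured rule" as the reason and inside as the egress; feed it the output of other packet-tracer runs to compare them quickly.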

13 Replies

balaji.bandi
Hall of Fame
Drop-reason: (acl-drop) Flow is denied by configured rule

This shows as denied. Since we do not have visibility it is hard to guess what is wrong here; maybe we can say there is no rule allowing this task.

On the other hand, if you are looking to upgrade, these firewalls do have USB, so you can use that for the upgrade.

Check some example ACLs:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113110-asa-enable-ftp-00.html

BB

Hi BB

Thanks for your reply.

I ran:-

C:\Program Files (x86)\Nmap>netstat -a -n | findstr ":69"

C:\Program Files (x86)\Nmap>netsh advfirewall set allprofiles state off
Ok.


C:\Program Files (x86)\Nmap>netsh advfirewall show allprofiles state

Domain Profile Settings:
----------------------------------------------------------------------
State OFF

Private Profile Settings:
----------------------------------------------------------------------
State OFF

Public Profile Settings:
----------------------------------------------------------------------
State OFF
Ok.


C:\Program Files (x86)\Nmap>netstat -a -n | findstr ":69"
UDP 0.0.0.0:69 *:*
UDP [::]:69 *:*

C:\Program Files (x86)\Nmap>

and then ran:-

access-list ACL-OUT-INSIDE extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list ACL-OUT-INSIDE extended permit icmp any 192.168.1.0 255.255.255.0
access-group ACL-OUT-INSIDE out interface inside_7
access-group ACL-OUT-INSIDE out interface inside

However, when I then use:-

Mildenhall-ASA# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Mildenhall-ASA#

&

Mildenhall-ASA# copy tftp: disk0:
Address or name of remote host []? 192.168.1.100

Source filename []? TestFile.txt

Destination filename [TestFile.txt]?

Accessing tftp://192.168.1.100/TestFile.txt...
WARNING: TFTP download incomplete!

%Error reading tftp://192.168.1.100/TestFile.txt (Timed out attempting to connect)
Mildenhall-ASA#

What I can see is that the ASA doesn't register a log incident trying to get the TestFile.txt from the laptop.

I do get your point that I can do this via USB or indeed I can also use ASDM, but I'm stubborn and old school and want to know why I can't do it via CLI. What is it that I am doing wrong, I wonder....

Kind Regards

KJ
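
The copy attempt above ends in "Timed out attempting to connect", which only says that no DATA block ever came back to the ASA. The following is an added example, not code from the thread and not the ASA's own TFTP client: a minimal RFC 1350 read in Python, with a loopback stand-in for the laptop's server so it runs offline. It assumes an octet-mode server. The detail worth seeing in it is the port handling: only the read request targets udp/69; the server answers from a freshly chosen ephemeral port and every ACK is sent to that port, so the return path has to be open as well. That is why the laptop's host firewall matters, and why an access-list entry that permits only `eq tftp` does not by itself describe a whole transfer.

```python
"""Minimal RFC 1350 TFTP read, for checking a TFTP server before pointing
'copy tftp: disk0:' at it. Added example, not code from the thread; assumes
an octet-mode server. serve_once() is a loopback stand-in for the laptop's
TFTP daemon so the example runs offline."""
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_get(host, filename, port=69, timeout=2.0, retries=3):
    """Read `filename` from the server and return its bytes.

    Raises TimeoutError when nothing answers and RuntimeError on a TFTP ERROR.
    Only the RRQ goes to udp/69: DATA comes back from a fresh ephemeral port
    on the server and every ACK is sent there, so a filter that permits just
    udp/69 (or a host firewall on the server) breaks the transfer even though
    the request itself arrived.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        pkt, dest, peer = build_rrq(filename), (host, port), None
        data, expected = b"", 1
        while True:
            for _ in range(retries):
                try:
                    sock.sendto(pkt, dest)  # the RRQ first, later the latest ACK
                    resp, addr = sock.recvfrom(4 + BLOCK)
                    break
                except (socket.timeout, ConnectionRefusedError):
                    continue  # retransmit; ICMP port-unreachable surfaces as refused
            else:
                raise TimeoutError(f"no reply from {dest[0]}:{dest[1]} after {retries} tries")
            if peer is None:
                peer = dest = addr  # lock on to the server's transfer port
            elif addr != peer or len(resp) < 4:
                continue  # stray or truncated datagram: ignore it
            opcode, block = struct.unpack("!HH", resp[:4])
            if opcode == OP_ERROR:  # for ERROR the second field is the error code
                msg = resp[4:].split(b"\0", 1)[0].decode(errors="replace")
                raise RuntimeError(f"TFTP error {block}: {msg}")
            if opcode != OP_DATA:
                raise RuntimeError(f"unexpected opcode {opcode}")
            if block == expected:
                data += resp[4:]
                expected = (expected + 1) & 0xFFFF
            pkt = struct.pack("!HH", OP_ACK, block)  # ACK it (re-ACK a duplicate)
            if block == (expected - 1) & 0xFFFF and len(resp) - 4 < BLOCK:
                sock.sendto(pkt, dest)  # a short block ends the transfer
                return data
    finally:
        sock.close()


def serve_once(files, host="127.0.0.1"):
    """Constructed stand-in for the laptop's TFTP server: answers one RRQ on
    an ephemeral listening port and, like real servers, replies from a second
    socket so the data channel uses a different UDP port. Returns the port."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((host, 0))

    def run():
        req, client = listen.recvfrom(1024)
        name = req[2:].split(b"\0")[0].decode()
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.settimeout(5)
        body = files.get(name)
        if body is None:
            xfer.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
        else:
            # len(body)+1 so an exact multiple of 512 still gets its empty final block
            for blk, off in enumerate(range(0, len(body) + 1, BLOCK), start=1):
                for _ in range(3):
                    xfer.sendto(struct.pack("!HH", OP_DATA, blk) + body[off:off + BLOCK], client)
                    try:
                        ack, _ = xfer.recvfrom(4)
                    except socket.timeout:
                        continue
                    if ack == struct.pack("!HH", OP_ACK, blk):
                        break
        xfer.close()
        listen.close()

    threading.Thread(target=run, daemon=True).start()
    return listen.getsockname()[1]
```

Run tftp_get() against the laptop from a second host on the same subnet before blaming the firewall: if that works, the server and its host firewall are fine and the remaining question is which interface and address the ASA itself uses when it sources the request.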

Remember that packet-tracer is to simulate a packet passing through the ASA and not to the ASA (to the box), which is why you are seeing a drop in the packet-tracer.

  • Are you able to access the internet from the TFTP server?  Are you able to access the internet from the subnet 192.168.1.xxx?
  • Is the 192.168.1.xxx network a /24 subnet or something else?
  • If you issue the command show run icmp or show run | in icmp, do you see a command that starts something like icmp deny any inside or similar?
  • Do you have access to ASDM on the inside network? Using ASDM would be the easiest and fastest way of sorting out this file transfer issue.
--
Please remember to select a correct answer and rate helpful posts

Hi Marius

To answer your questions:-

  • Are you able to access the internet from the TFTP server? Yes, this is my laptop and I have configured this on the inside I/F (BVI1)
  • Are you able to access the internet from the subnet 192.168.1.xxx? Yes, that's the inside BVI network address.
  • Is the 192.168.1.xxx network a /24 subnet or something else? The 192.168.1.0/24 is the inside BVI network address
  • If you issue the command show run icmp or show run | in icmp, do you see a command that starts something like icmp deny any inside or similar? No, I don't see any denies
  • Do you have access to ASDM on the inside network? Yes, ASDM works fine to manage the unit.
  • Using ASDM would be the easiest and fastest way of sorting out this file transfer issue. I get that, but like I mentioned in the other response, I'm stubborn and old school and want to know why I can't do it via CLI.

I think this might be a limitation in the ASA BVI implementation.  It could have something to do with the interface that is sourcing the tftp request, I do not think that the BVI interface is being used but rather the physical interface.

Hi Marius

Now there's a surprise....!!!

It's exactly what I thought was going on, quite frankly. You can put an ACL in for anything going through the device, but when the device is the actual source, which address does it use? It should use the closest I/F to the outgoing traffic, or it should route between the BVI interface (inside, inside_1 etc..) and whatever address it thinks it's using (I'm thinking loop-back address / management address).

Kind Regards

KJ

I had similar issues a few years ago when I was trying to manage a temporary ASA5506 with BVI configured over a VPN tunnel.  The issue was that we were not able to specify the BVI interface name in management-access command. So we ended up accessing it via the outside interface.

As mentioned, I suspect that a similar issue is happening with TFTP (and ping for that matter). For ping, you could try to configure "icmp permit any <interface name>", but I am not aware of any command that we can use to specify the source interface for TFTP.

Hi Marius

Yeah, I tried the ACL with the interface as inside and inside_7 and that still doesn't work.

This one is one of those annoying little Cisco nuances that makes me not a fan of them. I'm not an ABC (Anything But Cisco), but you do have to wonder how they are such a market leader with kit that is so hard to make work, with all these nuances, and then they are so expensive as well to boot.

My view on it is that Cisco was going to replace the ASA5505 with the ASA5506. Originally the 5506 did not support switched ports, but there was such demand for it that they had to implement BVI for the 5506. Unfortunately it seems like there are some issues with regard to the sourcing interface, as we are seeing. I am not sure if this BVI solution for the ASA5506 was meant to be a permanent solution or temporary until clients acquired a separate switch.

Hi Marius

That's more or less what I am finding with the 5506-X, especially when you are talking about traffic sourced from the unit or with it as the termination point.

Adding a switch externally still wouldn't solve this issue, as the source of the traffic would still be the ASA; you would just be moving the termination point from a laptop on the BVI to a laptop on a switch still connected to the BVI. Cisco should have thought this one through a bit more and/or at the very least released a patch/feature release that would have addressed these issues with the BVI. I clearly am not a pioneer here in what I am trying to achieve...!!!

Thanks for your help though. I needed a sanity check on what I was doing.

KJ

Actually adding a switch externally will solve the issue, because then you can remove the BVI configuration and move the IP to the physical interface on the ASA.  Remember that the BVI configuration is just so that the ASA's ports can be used in a switch-like manner.  But yes, I agree that this could have been thought through better and should have been solved by now as this has been in circulation for quite some time now.

Ahhhh I got you.

But would you have to just strip away some of the config a bit, or actually go as far as removing the BVI interface as well...

That depends. You would need to remove the IP from the BVI if you want to continue using that IP/subnet. Otherwise you can define a new IP/subnet and assign that to one of the physical interfaces and then use that to manage the ASA.

Unless you intend to use the ASA as a "switch", I would suggest removing the BVI configuration completely.
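
The second option Marius describes (a new subnet on one physical port, leaving the BVI in place) as an added configuration sketch; this is not from the thread or from Cisco documentation, and whether it cures the TFTP sourcing problem is Marius's hypothesis, not something the thread demonstrates. The starting point assumes the usual 5506-X layout in which GigabitEthernet1/8 is the port named inside_7 and bridged into BVI1; the interface name lan-routed, the 192.168.2.0/24 subnet and the laptop address 192.168.2.10 are all assumptions.

```cisco
! Assumed starting point: 5506-X default layout, IP lives on the BVI and
! Gi1/8 is one of the seven bridged ports (inside_7).
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
! Change: take one port out of the bridge group and give it its own routed
! subnet (assumed 192.168.2.0/24). BVI1 and the other six ports are untouched.
! If your release refuses "no bridge-group" while a nameif is set, issue
! "no nameif" on the port first and then re-add the settings below.
interface GigabitEthernet1/8
 no bridge-group 1
 nameif lan-routed
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Move the TFTP laptop onto Gi1/8 (directly or via an external switch) with
! an address in 192.168.2.0/24, confirm the ASA now has a routed interface
! on that subnet, then retry the transfer.
show nameif
show route
copy tftp://192.168.2.10/TestFile.txt disk0:
```

With the laptop on a routed port the ASA sources the transfer from an interface that has its own IP address, which is the condition the BVI setup in this thread was suspected of not meeting.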
