02-25-2011 01:43 PM - edited 03-11-2019 12:57 PM
Hi,
I'm having an issue doing TFTP to a device behind the firewall (ASA) even though I have allowed TFTP from outside. Here is the message I see on the console.
ciscoasa/C2(config)#
ciscoasa/C2(config)#
ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
Here is the message I see on the device from which I'm trying to TFTP
R2#copy flash: tftp:
Source filename []? IOSCA.ser
Address or name of remote host []? 150.1.1.241
Destination filename [IOSCA.ser]?
.....
%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)
R2#
Here is my ACL on ASA applied to outside interface
ciscoasa/C2# sh run acc
ciscoasa/C2# sh run access-l
ciscoasa/C2# sh run access-list out
access-list out extended permit icmp any any
access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
access-list out extended permit udp host 150.1.1.241 host 1.1.4.2 eq tftp
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
access-list out extended permit udp any host 1.1.4.2 eq tftp
I'd appreciate it if someone can find the issue..
thanks
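The three teardown lines above carry enough to localise the failure before touching the ACL. The following is an added example, not Cisco code and not from the original post: it parses %ASA-6-302016 lines and, for each TFTP control flow (port 69), looks for the companion connection with the "/0" port and zero bytes. The reading that "/0" is the wildcard port of a pinhole opened by TFTP inspection, and the verdict names, are this example's assumptions; the sample log is the one quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three teardown lines quoted in the post.
SAMPLE_LOG = """\
%ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
"""

# Fields of the 302016 message as they appear above (other message IDs are ignored).
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302016: Teardown UDP connection (?P<conn>\d+) for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)"
)


@dataclass
class UdpTeardown:
    conn: int
    a_if: str
    a_ip: str
    a_port: int
    b_if: str
    b_ip: str
    b_port: int
    duration: str
    byte_count: int

    def has_port(self, port):
        return port in (self.a_port, self.b_port)

    def peers(self):
        return {self.a_ip, self.b_ip}


def parse_teardowns(text):
    """Return one UdpTeardown per 302016 line; non-matching lines are skipped."""
    found = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            found.append(UdpTeardown(
                int(m["conn"]), m["a_if"], m["a_ip"], int(m["a_port"]),
                m["b_if"], m["b_ip"], int(m["b_port"]), m["dur"], int(m["bytes"])))
    return found


def triage_tftp(teardowns):
    """For each TFTP control flow (port 69) find its data-channel pinhole and
    say where the transfer died. Assumption: the '/0' port on the second
    connection is the wildcard port of a pinhole opened by TFTP inspection."""
    results = []
    for c in (t for t in teardowns if t.has_port(69)):
        if c.a_port == 69:
            server_ip, client_ip, client_port = c.a_ip, c.b_ip, c.b_port
        else:
            server_ip, client_ip, client_port = c.b_ip, c.a_ip, c.a_port
        pinholes = [t for t in teardowns
                    if t is not c and t.peers() == {server_ip, client_ip}
                    and t.has_port(0) and t.has_port(client_port)]
        if c.byte_count == 0:
            verdict = "client_silent"   # request never reached the ASA
        elif not pinholes:
            verdict = "no_pinhole"      # no data channel opened: is 'inspect tftp' applied?
        elif all(p.byte_count == 0 for p in pinholes):
            verdict = "server_silent"   # request forwarded, nothing came back through the pinhole
        else:
            verdict = "data_flowed"
        results.append({"conn": c.conn, "server": server_ip,
                        "client": f"{client_ip}:{client_port}",
                        "pinholes": [p.conn for p in pinholes], "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage_tftp(parse_teardowns(SAMPLE_LOG)):
        print(r)
```

On the quoted log the verdict is "server_silent": the router's request was forwarded (80 bytes on connection 113), a data-channel pinhole was opened (connection 114), and nothing ever came back through it. That points at the TFTP server or the path back from it, which is the route question asked further down the thread, rather than at the outside ACL.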
02-25-2011 01:49 PM
Do you have a NAT translation for 1.1.4.2?
02-25-2011 01:53 PM
Hi
Nope, nat-control is not enabled..
it works without the firewall (bypassing the ASA)...
02-25-2011 01:57 PM
Does 150.1.1.241 have a route to the TFTP server? Are you seeing a deny in your logs?
02-25-2011 01:51 PM
You're trying to TFTP to a server behind the ASA....
The NAT address is 150.1.1.241?
You have a static NAT to allow inbound traffic to this host from the outside?
Then assuming the above IP is the static NAT IP, and the ACL out is assigned to the outside, you need:
access-list out extended permit udp any host 150.1.1.241 eq tftp
Hope it helps.
Federico.
02-25-2011 01:55 PM
You're trying to TFTP to 150.1.1.241 and I don't see it being permitted in the ACL.
Federico.
02-25-2011 01:58 PM
Hi,
The firewall is not doing any NAT (no nat-control); my IP 150.1.1.241 is the outside IP, and my router where I need to do TFTP is 1.1.4.2.
I have already allowed tftp from outside to 1.1.4.2 and also enabled inspection on tftp under global-policy...
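Why "inspect tftp" in the global policy matters even when the inside router initiates the transfer: the WRQ goes to port 69, but the server answers from a fresh source port, so plain per-flow UDP state never matches the reply. The model below is an added example, not ASA code and not from this thread; it is a toy stateful firewall with the inspection switchable on and off, replaying the exchange R2 attempts. The server data port 50000 and the event strings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in->out" (from the inside interface) or "out->in"


class StatefulUdpFirewall:
    """Toy model (not ASA code) of per-flow UDP state. With inspect_tftp=True a
    request to port 69 also opens a pinhole that lets the server answer from
    any source port, which is what the '/0' entry in an ASA teardown log shows."""

    def __init__(self, inspect_tftp):
        self.inspect_tftp = inspect_tftp
        self.flows = set()     # (src_ip, src_port, dst_ip, dst_port) seen inside->outside
        self.pinholes = set()  # (server_ip, client_ip, client_port): any server port allowed
        self.events = []

    def forward(self, p):
        """Return True if the packet is passed, False if dropped."""
        if p.direction == "in->out":
            # Inside-initiated traffic creates state; the outside ACL is not consulted.
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            if self.inspect_tftp and p.dst_port == 69:
                self.pinholes.add((p.dst_ip, p.src_ip, p.src_port))
                self.events.append(f"pinhole {p.dst_ip}/0 -> {p.src_ip}/{p.src_port}")
            return True
        # Outside->inside: must be the reverse of a known flow or fit a pinhole.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return True
        if (p.src_ip, p.dst_ip, p.dst_port) in self.pinholes:
            # Promote the pinhole hit to a real flow for the rest of the transfer.
            self.flows.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
            self.events.append(f"pinhole hit {p.src_ip}/{p.src_port} -> {p.dst_ip}/{p.dst_port}")
            return True
        self.events.append(f"deny {p.src_ip}/{p.src_port} -> {p.dst_ip}/{p.dst_port}")
        return False


def run_tftp_write(fw, client="1.1.4.2", server="150.1.1.241",
                   client_port=64253, server_data_port=50000):
    """Replay R2's 'copy flash: tftp:' as packets: WRQ to port 69, then the
    server's ACK 0 from a fresh port (constructed value), DATA 1, ACK 1.
    Stops at the first dropped packet, as the client would just time out."""
    exchange = [
        Pkt(client, client_port, server, 69, "in->out"),                # WRQ
        Pkt(server, server_data_port, client, client_port, "out->in"),  # ACK 0 from new port
        Pkt(client, client_port, server, server_data_port, "in->out"),  # DATA 1
        Pkt(server, server_data_port, client, client_port, "out->in"),  # ACK 1
    ]
    passed = []
    for p in exchange:
        ok = fw.forward(p)
        passed.append(ok)
        if not ok:
            break
    return passed


if __name__ == "__main__":
    for flag in (False, True):
        fw = StatefulUdpFirewall(inspect_tftp=flag)
        print("inspect tftp:", flag, "->", run_tftp_write(fw), fw.events)
```

Without inspection the server's first ACK is dropped and the copy times out; with it the pinhole admits the reply and the transfer completes. In the log quoted at the top of the thread the "/0" connection does exist, so the inspection side of this configuration was already doing its part; the outside ACL entries for port 69 only come into play when a host on the outside initiates a TFTP request toward 1.1.4.2.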
02-25-2011 02:00 PM
Yes, it has a route to TFTP... have a look below
R2#copy flash: tftp:
Source filename []? IOSCA.ser
Address or name of remote host []? 150.1.1.241
Destination filename [IOSCA.ser]?
.....
%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)
R2#
R2#
R2#ping 150.1.1.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
R2#
02-25-2011 02:02 PM
I assume that the TFTP server logs don't show a connection attempt? Is there any info on the connection in the ASA logs? Can you try a packet tracer and see where it is failing?
02-25-2011 02:47 PM
Hi Colin/Federico,
thanks a lot for both of your responses.. However I was in a hurry to change the topology and I have already done the write erase..anyway it's a good tool which I had forgotten to check..but surely on my next try I will do so and let you both know the update..
02-25-2011 02:02 PM
packet-tracer input outside udp 150.1.1.241 1025 1.1.4.2 69 det
The above should show if an inbound TFTP connection between those IPs is allowed and successful.
Federico.
02-25-2011 02:50 PM
Going over the thread, Collin was correct from the start.
Just let us know when you need assistance :-)
Federico.