Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2050
Views
0
Helpful
11
Replies

cant do TFTP from outside the firewall even with allowing tftp

pemasirid
Level 1
Level 1

‎02-25-2011 01:43 PM - edited ‎03-11-2019 12:57 PM

Hi,

I'm having issue with doing tftp to device behind the firewall (ASA) even though I have allow tftp from outside. Here is the message I see on the console.

ciscoasa/C2(config)#

ciscoasa/C2(config)#

ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80

%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0

%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04

Here is the message I see on the device where I'm trying to tftp

R2#copy flash: tftp:

Source filename []? IOSCA.ser

Address or name of remote host []? 150.1.1.241

Destination filename [IOSCA.ser]?

.....

%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)

R2#

Here is my ACL on ASA applied to outside interface

ciscoasa/C2# sh run acc

ciscoasa/C2# sh run access-l

ciscoasa/C2# sh run access-list out

access-list out extended permit icmp any any

access-list out extended permit esp host 1.1.6.3 host 1.1.4.2

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp

access-list out extended permit udp host 150.1.1.241 host 1.1.4.2 eq tftp

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp

access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434

access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434

access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp

access-list out extended permit esp host 1.1.6.4 host 1.1.4.2

access-list out extended permit udp any host 1.1.4.2 eq tftp

Appreciate if someone can find the issue..

thanks

Labels:
0 Helpful
11 Replies 11

Collin Clark
VIP Alumni
VIP Alumni

‎02-25-2011 01:49 PM

Do you have a NAT translation for 1.1.4.2?

0 Helpful

pemasirid
Level 1
Level 1
In response to Collin Clark

‎02-25-2011 01:53 PM

Hi

Nope, its nat-control not enabled..

it works without firewall (bypassing asa)...

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pemasirid

‎02-25-2011 01:57 PM

Does 150.1.1.241 have a route to the TFTP server? Are you seeing a deny in your logs?

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎02-25-2011 01:51 PM

You're tring to TFTP to a server behind the ASA....

The NAT address is 150.1.1.241?

You have a static NAT to allow inbound traffic to this host from the outside?

Then assuming the above IP is the static NAT IP, and the ACL out is assigned to the outside, you need:

access-list out extended permit udp any host 150.1.1.241 eq tftp

Hope it helps.

Federico.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎02-25-2011 01:55 PM

You're trying to TFTP to 150.1.1.241 and I don't see it being permitted in the ACL.

Federico.

0 Helpful

pemasirid
Level 1
Level 1
In response to Federico Coto Fajardo

‎02-25-2011 01:58 PM

Hi,

firewall is not doing any NAT (no nat-control) and my ip 150.1.1.241 is the outside ip and my router where I need to do tftp it 1.1.4.2.

I have already allowed tftp from outside to 1.1.4.2 and also enabled inspection on tftp under global-policy...

0 Helpful

pemasirid
Level 1
Level 1
In response to pemasirid

‎02-25-2011 02:00 PM

yes, it has route to TFTP...have a look below

R2#copy flash: tftp:

Source filename []? IOSCA.ser

Address or name of remote host []? 150.1.1.241

Destination filename [IOSCA.ser]?

.....

%Error opening tftp://150.1.1.241/IOSCA.ser (Timed out)

R2#

R2#

R2#ping 150.1.1.241

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.1.241, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

R2#

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pemasirid

‎02-25-2011 02:02 PM

I assume that the TFTP server logs doesn't show a connection attempt? Is there any info on the connection in the ASA logs? Can you try a packet tracer and see where it is failing?

0 Helpful

pemasirid
Level 1
Level 1
In response to pemasirid

‎02-25-2011 02:47 PM

Hi Colin/Fedarico,

thanks a lot for both of your responses.. However I was in hurry to change the topology and I have already did the write erase..anyway its a good tool which I fortoton to check..but surly on my next try I will do and let you both know the update..

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to pemasirid

‎02-25-2011 02:02 PM

packet-tracer input outside udp 150.1.1.241 1025 1.1.4.2 69 det

The above should show if an inbound TFTP connection between those IPs is allowed and succesful.

Federico.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎02-25-2011 02:50 PM

Going over the thread Collin was correct from the start.

Just let us know when you need assistance :-)

Federico.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card