09-13-2024 06:26 AM
I need help configuring a TFTP server access list to prevent attackers who acquire SNMP write privileges from obtaining device configuration information.
I have an SNMP access list configured already, so that is not a problem. But I need to deal with TFTP.
1. Please guide me on how to configure a TFTP access-list on the ASA for device management purposes (not for passing traffic).
2. I believe that the ASA has only a TFTP client function, not a server. Is a TFTP server functioning by default? If yes, how can I disable it?
I am using an FPR2110. I'm a bit new to this technology, please help.
09-13-2024 07:35 AM - edited 09-13-2024 07:35 AM
control-plane ACL
access-list TFTP deny tcp any any eq 69
direction IN
This lets the ASA connect to the server but denies any attempt to connect to TFTP using TCP port 69.
MHM
09-13-2024 08:56 AM
Cisco ASA does not support TFTP server functionality, it can only act as a TFTP client, so I can't see the concern of having someone trying to connect to the ASA and download any data from it. If someone tries the ASA won't respond to the TFTP request as it doesn't have TFTP server capabilities.
A better general recommendation with SNMP would be to use SNMPv3 with both authentication and encryption rather than using v2.
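To check a device against the SNMPv3 recommendation above, the following added example (not code from any poster in this thread) scans `snmp-server` lines from an ASA configuration and flags hosts, groups and users that fall short of SNMPv3 with both authentication and encryption. The sample configuration, names, addresses and `<...>` secrets are constructed placeholders, and `audit_snmp` is a hypothetical helper name.

```python
# Added example: flags ASA snmp-server lines that fall short of SNMPv3 auth+priv.
# The sample config is constructed; names, addresses and <...> values are placeholders.
SAMPLE_CONFIG = """\
snmp-server group NMS-RO v3 priv
snmp-server group LEGACY v3 auth
snmp-server user nms-admin NMS-RO v3 auth sha <auth-secret> priv aes 256 <priv-secret>
snmp-server user oldpoller LEGACY v3 auth sha <auth-secret>
snmp-server host mgmt 192.0.2.10 version 3 nms-admin
snmp-server host mgmt 192.0.2.20 community <community> version 2c
snmp-server host mgmt 192.0.2.30 community <community>
"""


def audit_snmp(config):
    """Return (line_number, reason) for each snmp-server line weaker than v3 auth+priv."""
    findings = []
    for num, line in enumerate(config.splitlines(), start=1):
        tok = line.split()
        if tok[:1] != ["snmp-server"] or len(tok) < 3:
            continue
        kind = tok[1]
        if kind == "host":
            # A polling/trap target should be pinned to "version 3 <user>".
            pinned = any(a == "version" and b == "3" for a, b in zip(tok, tok[1:]))
            if not pinned:
                findings.append((num, "host not pinned to SNMP version 3"))
        elif kind == "group" and tok[3:4] == ["v3"]:
            # Group security level is noauth, auth or priv; only priv encrypts.
            if tok[4:5] != ["priv"]:
                findings.append((num, "v3 group without priv (no encryption)"))
        elif kind == "user" and tok[4:5] == ["v3"]:
            # Options after "v3" must carry both an auth and a priv clause.
            opts = tok[5:]
            if "auth" not in opts or "priv" not in opts:
                findings.append((num, "v3 user missing auth or priv"))
    return findings


if __name__ == "__main__":
    for num, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"line {num}: {reason}")
```

Feed it the `snmp-server` portion of a saved running configuration; an empty result means every host, group and user line it recognised uses SNMPv3 with authentication and encryption.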