please help me configure TFTP access-list on ASA for device management

suruchigupta555 (Level 1)

I need help configuring a TFTP server access list to prevent attackers who acquire SNMP write privileges from obtaining device configuration information.

I already have an SNMP access list configured, so that is not a problem. But I need to deal with TFTP.

1. Please guide me on how to configure a TFTP access-list on the ASA for device management purposes (not for passing traffic).

2. I believe that the ASA has only a TFTP client function, not a server. Is a TFTP server running by default? If yes, how can I disable it?

I am using an FPR2110. I'm a bit new to this technology, please help.

2 Accepted Solutions

control-plane ACL

access-list TFTP deny tcp any any eq 69

direction IN

This lets the ASA connect to a server but denies any attempt to connect to TFTP using TCP port 69.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html

MHM


Cisco ASA does not support TFTP server functionality; it can only act as a TFTP client, so I can't see the concern about someone trying to connect to the ASA and download any data from it. If someone tries, the ASA won't respond to the TFTP request, as it doesn't have TFTP server capabilities.

A better general recommendation with SNMP would be to use SNMPv3 with both authentication and encryption rather than using v2.

