tftp blocking on asa5510

jschweng
Level 1

We have a network manager inside and a RIS server outside of an ASA 5510 firewall running IOS version asa823-k8.bin.

We have a rule on both the inside and outside interfaces allowing TFTP through.

When TFTP is initiated from the Netmanager on the inside, the firewall allows it out to the RIS server on destination port 69 from a random source port.

The return traffic goes back to the Netmanager; its destination port is the random source port that the Netman used, and the firewall blocks the traffic.

If I allow all UDP in, it works fine.

Shouldn't the firewall open up the ports to allow the traffic back in?

Am I missing something?

9 Replies

You are right. The return traffic of the original connection should be allowed back in. Have you checked the logs or applied captures to see what is going on?

Yes, I've checked the log; it's dropping the incoming packets sent back to the Netman on the random port it sends on.

I found this post relating to the PIX, and it referred to a command "fixup protocol tftp", which I see as an option on my ASAs.

Any idea if this should be enabled on our ASAs to pass TFTP traffic?

**************

The situation becomes more complicated if it is necessary to provide the clients' access from the protected network to an external TFTP server.

Requesting the file, the client sends a TFTP RRQ packet from a random UDP port to UDP port 69 of the TFTP server. Since the packet is sent from the more protected network to the less protected one, the firewall forwards it to the TFTP server. While the file is being transmitted, the firewall adds to the translation table a record corresponding to the UDP connection between the client's chosen port and port 69 of the TFTP server. According to RFC 1350, the server sends the DATA TFTP packet to the client from a random port. However, the firewall rejects this packet because it cannot find an existing connection between the chosen server port and the client's port in the translation table.

Devices like the Cisco PIX can inspect the passing TFTP traffic and dynamically add records to the translation table, allowing TFTP replies to pass from the external network to the enterprise network. To enable this mode on a Cisco PIX firewall there is the command fixup protocol tftp.

You need TFTP inspection. Please read the following:

"The security appliance inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server"

Here is the link for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i2_711.html#wp1639081
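As an added illustration of the behaviour described in the quoted text and in this reply (this is not code from the thread or from Cisco), the following Python model keeps a 4-tuple UDP connection table and, when TFTP inspection is on, a pinhole that lets the server answer from any source port; the addresses and port numbers are constructed samples.

```python
from dataclasses import dataclass, field

TFTP_PORT = 69  # RRQ/WRQ always go to UDP/69; DATA comes back from a new server port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulFirewall:
    """Toy model of the ASA's UDP state. A connection is keyed on the full
    4-tuple, so a reply is only allowed if it exactly reverses an entry. With
    inspect_tftp, a request to UDP/69 also opens a pinhole keyed on
    (server, client, client port) so the server may answer from any port."""
    inspect_tftp: bool = False
    conns: set = field(default_factory=set)
    pinholes: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        """Inside -> outside, permitted by the inside ACL as in the thread."""
        self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if self.inspect_tftp and pkt.dst_port == TFTP_PORT:
            self.pinholes.add((pkt.dst_ip, pkt.src_ip, pkt.src_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        """Outside -> inside: allowed only if it matches existing state."""
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.conns:
            return True
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in self.pinholes


def tftp_read(inspect_tftp: bool) -> bool:
    """Replay the exchange from the post with constructed sample addresses.
    Returns whether the server's first DATA packet gets back to the client."""
    fw = StatefulFirewall(inspect_tftp=inspect_tftp)
    netman, ris = "10.1.1.20", "198.51.100.7"  # constructed client/server IPs
    fw.outbound(Packet(netman, 50123, ris, TFTP_PORT))  # RRQ from a random port
    data = Packet(ris, 61234, netman, 50123)  # DATA from the server's random port
    return fw.inbound_allowed(data)
```

Without inspection the DATA packet fails the 4-tuple match and is dropped, which is the log entry described in the thread; with inspection the pinhole admits it without opening the whole 1024-65535 UDP range.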

We have a global policy, which is the default right out of the box.

policy-map global_policy
 class inspection_default
  x
  x
  x
  x
  x
  inspect tftp
 class class_tftp
  inspect tftp
 class class_tftp1
  inspect tftp
service-policy global_policy global

What do those 2 additional class maps contain?

Can you send the sh run class-map?

# show run class-map
class-map class_tftp1
 match port udp range 1 1023
class-map class_tftp
 match port udp range 1024 65535
class-map inspection_default
 match default-inspection-traffic

I don't think you need those two class maps in your policy map; the default inspect tftp should handle the traffic. If you can test removing them, that would be great.

The traffic should be allowed back successfully.

OK, thanks, I'll try that tomorrow and get back. Most appreciated.

I removed the other TFTP class-maps and it's still blocking the traffic. If I allow back in UDP ports 1024-655xx then it works OK.

Is there anything you have to do differently to allow TFTP return traffic?
