06-15-2020 07:29 PM - edited 06-16-2020 02:21 PM
I'm trying to tftp files from an ASA 5506 (dynamic side) via a dynamic-to-static IKEv1/IPsec tunnel to a 5515X ASA (static side) to back up the running config or send an updated version.
Tunnel is up and I have full reachability to all the networks across the tunnel via the inside interface.
The problem is I cannot get tftp (or ftp for that matter) working across the tunnel. I've tried to get a packet capture of the interesting traffic using an ACL to identify the interesting traffic on the dynamic side, but the capture isn't matching any of the traffic on either the inside or outside interfaces of the remote ASA. However, I have tested and captured packets with this same ACL configuration on the local ASA, capturing the tftp traffic to the server via the inside interface.
I was having the same issue with my site-to-site VPN until I added the following command:
tftp-server inside 192.168.X.X C:/
But when I issued that same command on the dynamic ASA of the dynamic-to-static VPN it didn't resolve the problem.
Any suggestions would be greatly appreciated.
Thanks!
Edit:
And yes, I have turned off the firewall on this PC running the tftp/ftp server.
07-06-2020 06:46 PM
To anyone who may be looking to resolve a similar issue, I've come to an acceptable solution with the help of Cisco TAC. According to TAC, TFTP/FTP to a remote firewall over a dynamic tunnel is not possible. Nowhere was this clearly stated in any Cisco ASA documentation that I've come across.
Regardless, I still needed a way to update these remote ASAs to the latest IOS and ASDM images. Apparently there is a tool within ASDM that will allow this to happen. Under the Tools menu in ASDM, there is the option to "Upgrade Software from Local Computer..." Once you launch the wizard it's pretty straightforward from there.
The caveat to this is you do need to have compatible versions of IOS and ASDM running in order for this to work. Check the compatibility matrix here https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html to see if your current config will support this. Otherwise you will either need physical access to the device or walk the remote user through the procedure of upgrading to compatible versions, as I had to.
I just wish that this information was more publicly available from Cisco, and that the next person with this problem finds this post early on, to avoid the headaches of trying to get TFTP/FTP working over a remote tunnel. One last rhetorical question: why is this only possible to do with ASDM, and what would the CLI command-line equivalent be?!? For those of us who were taught (whether it be right or wrong) to never use the GUI...
06-16-2020 08:25 PM
The following is my configuration of my access list for capture on the remote ASA:
access-list CAPTURE extended permit tcp any4 host 192.168.252.249 eq ftp
capture FTP_CAPTURE access-list CAPTURE interface INSIDE
But the capture doesn't contain any data, so just for kicks I then changed the capture to capture from the outside and still didn't capture any data.
no capture FTP_CAPTURE
capture FTP_CAPTURE access-list CAPTURE interface OUTSIDE
I don't expect to see anything sourced from the outside interface as ftp, because it should be encapsulated in the VPN tunnel by that point.
Remote-ASA(config)# copy run ftp://******:*********@192.168.252.249/
Source filename [running-config]?
Address or name of remote host [192.168.252.249]?
Destination username [******]?
Destination password [*********]?
Destination filename [running-config]?
Cryptochecksum: 5d1a31f3 b58bed00 41196ed9 a9742361
%Error opening ftp://******:*********@192.168.252.249/running-config (Permission denied)
Remote-ASA(config)# show capture
capture FTP_CAPTURE type raw-data access-list CAPTURE interface OUTSIDE [Capturing - 0 bytes]
Remote-ASA(config)#
06-17-2020 07:23 PM
Found this old post https://community.cisco.com/t5/network-security/upgrade-asa-over-vpn-via-inside-interface/td-p/2085072
suggesting the following command
copy tftp://1.1.1.1/filename.bin;int=inside flash:
but as you can see below this didn't work either.
Remote-ASAS# copy tftp://192.168.252.206/asa984-22-lfbff-k8.SPA;int=inside flash:
Address or name of remote host [192.168.252.206]?
Source filename [asa984-22-lfbff-k8.SPA]?
Destination filename [asa984-22-lfbff-k8.SPA]?
Accessing tftp://192.168.252.206/asa984-22-lfbff-k8.SPA;int=inside...Unable to reach server 192.168.252.206
%Error opening tftp://192.168.252.206/asa984-22-lfbff-k8.SPA;int=inside (Network is unreachable)
Remote-ASA# ping inside 192.168.252.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
06-18-2020 09:09 AM - edited 06-18-2020 09:11 AM
Hi,
You had configured the ACL for the FTP traffic, not for TFTP. The TFTP server uses UDP port 69.
Also, I can see the permission denied, which means you don't have read & write access.
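As an added illustration of the reply above (this is example code written for this page, not anything posted in the thread or shipped by Cisco), the following script runs a complete TFTP write over the loopback interface and records every datagram's source and destination port. It shows the RFC 1350 detail that matters for a capture ACL written as `permit udp any4 host <server> eq tftp`: only the initial WRQ is addressed to the well-known port, while the ACK 0 and all DATA/ACK exchanges use a fresh ephemeral port on the server side (its transfer ID), so such an ACE can see at most one datagram per transfer. Assumptions: the server listens on an ephemeral loopback port standing in for UDP/69 (binding 69 needs privileges), the file name `running-config` is a constructed sample, and retransmission is omitted.

```python
import socket
import struct
import threading

# TFTP opcodes and data block size from RFC 1350
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK = 512
OPNAME = {OP_RRQ: "RRQ", OP_WRQ: "WRQ", OP_DATA: "DATA", OP_ACK: "ACK", OP_ERROR: "ERROR"}


def build_wrq(filename, mode="octet"):
    """Write request: opcode 2, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_packet(pkt):
    """Decode one TFTP datagram into a dict; unknown opcodes raise ValueError."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (OP_RRQ, OP_WRQ):
        name, mode = pkt[2:].split(b"\0")[:2]
        return {"op": op, "filename": name.decode(), "mode": mode.decode().lower()}
    if op in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "block": block, "data": pkt[4:]}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "code": code, "msg": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError("unknown TFTP opcode %d" % op)


def _send(sock, pkt, dst, log):
    """Send a datagram and record (src port, dst port, opcode) for the ACL check."""
    sock.sendto(pkt, dst)
    log.append((sock.getsockname()[1], dst[1], OPNAME[parse_packet(pkt)["op"]]))


def tftp_server(listen_sock, received, log):
    """Serve one WRQ: the request arrives on the well-known socket, but everything
    after that is sent from a fresh ephemeral port (the server's transfer ID)."""
    pkt, client = listen_sock.recvfrom(1024)
    if parse_packet(pkt)["op"] != OP_WRQ:
        return
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))  # new TID: nothing more leaves the well-known port
    xfer.settimeout(5)
    buf, expected = bytearray(), 1
    _send(xfer, struct.pack("!HH", OP_ACK, 0), client, log)
    while True:
        pkt, addr = xfer.recvfrom(4 + BLOCK)
        data = parse_packet(pkt)
        if addr != client or data["op"] != OP_DATA:
            continue  # RFC 1350: ignore datagrams from an unexpected TID
        if data["block"] == expected:
            buf += data["data"]
            expected += 1
        _send(xfer, struct.pack("!HH", OP_ACK, data["block"]), client, log)
        if len(data["data"]) < BLOCK:  # a short (or empty) block ends the transfer
            break
    xfer.close()
    received.append(bytes(buf))


def tftp_put(server, filename, payload, log):
    """Client side of a write: WRQ to the well-known port, then DATA/ACK with
    whatever port the server answered from. Returns that server TID port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(5)
    _send(sock, build_wrq(filename), server, log)
    pkt, tid = sock.recvfrom(516)
    ack = parse_packet(pkt)
    if ack["op"] != OP_ACK or ack["block"] != 0:
        raise RuntimeError("expected ACK 0, got %r" % ack)
    block, offset = 1, 0
    while True:
        chunk = payload[offset:offset + BLOCK]
        _send(sock, struct.pack("!HH", OP_DATA, block) + chunk, tid, log)
        pkt, addr = sock.recvfrom(516)
        ack = parse_packet(pkt)
        if addr != tid or ack["op"] != OP_ACK or ack["block"] != block:
            raise RuntimeError("bad ACK %r from %r" % (ack, addr))
        if len(chunk) < BLOCK:
            break
        block, offset = block + 1, offset + BLOCK
    sock.close()
    return tid[1]


def count_ace_hits(log, server_port):
    """Datagrams an ACE like 'permit udp any4 host <server> eq tftp' can match:
    only those whose destination port is the well-known one."""
    return sum(1 for _src, dst, _op in log if dst == server_port)


def run_transfer(payload):
    """Run a full write over loopback; return (bytes the server stored, datagram log, listen port)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))  # stands in for UDP/69 (assumption: unprivileged test)
    listen.settimeout(5)
    port = listen.getsockname()[1]
    received, log = [], []
    worker = threading.Thread(target=tftp_server, args=(listen, received, log))
    worker.start()
    tftp_put(("127.0.0.1", port), "running-config", payload, log)  # constructed sample name
    worker.join(10)
    listen.close()
    return received[0], log, port


if __name__ == "__main__":
    stored, log, port = run_transfer(b"x" * 1100)
    for src, dst, op in log:
        print("%-5s %5d -> %5d%s" % (op, src, dst, "   <- only this hits 'eq tftp'" if dst == port else ""))
    print("datagrams:", len(log), "ACE hits:", count_ace_hits(log, port))
```

Running it on a 1100-byte payload yields eight datagrams (WRQ, ACK 0, three DATA and three ACK) of which exactly one is destined for the well-known port, which is why a capture keyed only on `eq tftp` is a poor indicator of whether a TFTP transfer is flowing.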
06-18-2020 05:01 PM
My apologies, I should have mentioned that at that point I was only trying to capture the FTP traffic. The output below shows the modified access-list which is intended to capture both the TFTP and FTP traffic.
Remote-ASA(config)# show access-list CAPTURE
access-list CAPTURE; 2 elements; name hash: 0x8f8d404f
access-list CAPTURE line 1 extended permit udp any4 host 192.168.252.206 eq tftp (hitcnt=0) 0x428bc282
access-list CAPTURE line 2 extended permit tcp any4 host 192.168.252.206 eq ftp (hitcnt=0) 0x558922fe
Remote-ASA(config)# show capture
capture FTP_CAPTURE type raw-data access-list CAPTURE interface OUTSIDE [Capturing - 0 bytes]
Remote-ASA(config)# copy run ftp://******:*********@192.168.252.206/
Source filename [running-config]?
Address or name of remote host [192.168.252.206]?
Destination username [******]?
Destination password [*********]?
Destination filename [running-config]?
Cryptochecksum: 72a19c2d bbf87f52 ea63761c 523f4a88
%Error opening ftp://******:*********@192.168.252.206/running-config (Permission denied)
Remote-ASA(config)# copy run tftp://192.168.252.206/;int=INSIDE
Source filename [running-config]?
Address or name of remote host [192.168.252.206]?
Destination filename []? running-config
Cryptochecksum: 72a19c2d bbf87f52 ea63761c 523f4a88
%Error writing tftp://192.168.252.206/running-config;int=INSIDE (Timed out attempting to connect)
Remote-ASA(config)# show capture
capture FTP_CAPTURE type raw-data access-list CAPTURE interface OUTSIDE [Capturing - 0 bytes]
Remote-ASA(config)# ping INSIDE 192.168.252.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
With the following output you can see that I am able to copy to the FTP server from the local ASA, and I've included a screenshot showing that I have enabled read + write access on the FTP server (BTW I'm using FileZilla as my FTP server).
Local-ASA# copy run ftp://******:*********@192.168.252.206/
Source filename [running-config]?
Address or name of remote host [192.168.252.206]?
Destination username [******]?
Destination password [*********]?
Destination filename [running-config]?
Cryptochecksum: e35432ca 380fba0b 4d4e8b23 3a0d0222
16925 bytes copied in 0.820 secs