03-10-2015 01:56 PM - edited 03-11-2019 10:37 PM
I have moderate skills with 5500 series ASAs, so please read what I have tried before spending the time to respond. The ASA that this is regarding is running 8.2(4), and I do not run ASDM. Also, I'm attempting to upgrade these dinosaurs to more modern code. We have a ton of customized WebVPN content that I need to export--and I don't want to spend days copying and pasting from PuTTY.
The organization I'm with now implemented their ASAs with the "inside" interface (security level 100) also being used as the management interface. I am trying to upload information from the inside interface to various hosts (for management, etc.), but get "%Error writing tftp://x.x.x.x/filename (Access violation)" message every time. I've tried writable HTTP/FTP/TFTP and all result in the same error. I have absolutely verified that this is not an HTTP/FTP/TFTP server problem! This is a policy violation problem from the ASA itself.
I have created an access list similar to the following:
ASA-01(config)# access-list asa-to-inside extended permit ip host <inside interface IP> any
Also, I have done the management-access inside.
Can anyone help me figure out what I'm doing wrong? The bureaucracy around here prevents me from having a proper management cable run and connected to a security level 0 management interface.
03-10-2015 02:57 PM
On 7.1 there is an option in the ASDM where TFTP access is controlled, i.e. where a TFTP server can be configured: Device management>Management Access>TFTP client. Have you configured this?
03-10-2015 05:18 PM
I'm on 8.2(4) and not using ASDM.
03-10-2015 06:47 PM
Please don't bite my head off, but are you absolutely sure that the TFTP server is okay?
As far as I know, the ASA doesn't care where you TFTP from, and you certainly don't need an ACL because that only controls traffic through the ASA, not from it.
Have you tried creating the filename on the TFTP server and making sure the permissions are correct?
Like I say, I appreciate what you are saying but I can't think of anything on the ASA you have to modify to get this working.
Jon
03-10-2015 05:21 PM
Also, I've tried the equivalent in CLI; this yields the same results. It seems that the inside interface does not want to allow this traffic, even though I've opened it up via ACL.