
TFTP From INSIDE Interface (which is also being used as management)

csimpson78701
Level 1

I have moderate skills with 5500 series ASAs, so please read what I have tried before spending the time to respond. The ASA that this is regarding is running 8.2(4), and I do not run ASDM. Also, I'm attempting to upgrade these dinosaurs to more modern code. We have a ton of customized WebVPN content that I need to export--and I don't want to spend days copying and pasting from putty.  

The organization I'm with now implemented their ASAs with the "inside" interface (security level 100) also being used as the management interface. I am trying to upload information from the inside interface to various hosts (for management, etc), but get "%Error writing tftp://x.x.x.x/filename (Access violation)" message every time. I've tried writable HTTP/FTP/TFTP and all result in the same error. I have absolutely verified that this is not an HTTP/FTP/TFTP server problem! This is a policy violation problem from the ASA itself.

I have created an access list similar to the following:

ASA-01(config)# access-list asa-to-inside extended permit ip host <inside interface IP> any

Also, have done the management-access inside 

Can anyone help me figure out what I'm doing wrong? The bureaucracy around here prevents me from having a proper management cable run and connected to a security level 0 management interface. 

 

 


Dennis Mink
VIP Alumni

On 7.1 there is an option in the ASDM where TFTP access is controlled, i.e. where a TFTP server can be configured: Device management>Management Access>TFTP client. Have you configured this?

Please remember to rate useful posts, by clicking on the stars below.

I'm on 8.2(4) and not using ASDM. 

Please don't bite my head off, but are you absolutely sure that the TFTP server is okay?

As far as I know the ASA doesn't care where you tftp from and you certainly don't need an acl because that only controls traffic through the ASA not from it.

Have you tried creating the filename on the TFTP server and making sure the permissions are correct?

Like I say, I appreciate what you are saying but I can't think of anything on the ASA you have to modify to get this working.

Jon
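
Following the suggestion above to check the server side, one way to see whether the "Access violation" text comes from the TFTP server is to decode its reply from a packet capture: in RFC 1350, an ERROR packet (opcode 5) carrying code 2 means access violation. This Python sketch is an added example, not part of the thread; the payload bytes and the filename are constructed samples.

```python
import struct

# TFTP opcodes and error codes as defined in RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {
    0: "Not defined, see error message", 1: "File not found",
    2: "Access violation", 3: "Disk full or allocation exceeded",
    4: "Illegal TFTP operation", 5: "Unknown transfer ID",
    6: "File already exists", 7: "No such user",
}

def parse_tftp(payload: bytes) -> dict:
    """Decode the UDP payload of one TFTP packet into a dict."""
    if len(payload) < 4:
        raise ValueError("too short to be a TFTP packet")
    opcode = struct.unpack("!H", payload[:2])[0]
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    pkt = {"op": name}
    if name in ("RRQ", "WRQ"):
        # Request layout: filename, NUL, mode, NUL
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("malformed request")
        pkt["filename"] = fields[0].decode("ascii", "replace")
        pkt["mode"] = fields[1].decode("ascii", "replace").lower()
    elif name in ("DATA", "ACK"):
        pkt["block"] = struct.unpack("!H", payload[2:4])[0]
    else:
        # ERROR layout: 2-byte code, then NUL-terminated message
        code = struct.unpack("!H", payload[2:4])[0]
        pkt["code"] = code
        pkt["meaning"] = ERROR_CODES.get(code, "unassigned")
        pkt["message"] = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return pkt

def server_rejected_write(exchange: list) -> bool:
    """True if a WRQ was answered with ERROR code 2 (access violation)."""
    pkts = [parse_tftp(p) for p in exchange]
    return (len(pkts) >= 2 and pkts[0]["op"] == "WRQ"
            and pkts[1]["op"] == "ERROR" and pkts[1]["code"] == 2)

# Constructed sample payloads (not captured from the network in this thread).
SAMPLE_WRQ = b"\x00\x02webvpn-export.bin\x00octet\x00"
SAMPLE_ERR = b"\x00\x05\x00\x02Access violation\x00"
```

If the capture shows the write request leaving the ASA and an ERROR with code 2 coming back, the rejection was issued by the server; if no reply arrives at all, the problem lies elsewhere on the path.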

Also, I've tried the equivalent in CLI, this yields the same results. It seems that the inside interface does not want to allow this traffic, even though I've opened it up via ACL. 

 
