Cisco ACL how to allow TFTP

tedauction (Beginner)

Hello, can someone please confirm how to create an ACL to allow TFTP in both directions on an ACL from host 10.21.8.1 to any TFTP server in 10.0.0.0/8.

I have the following on my outbound ACL:

permit udp host 10.21.8.1 10.0.0.0 0.0.0.255 eq tftp

What would I put on my inbound ACL to allow TFTP back in?

Thank you kindly.

4 Replies

Reza Sharifi (Hall of Fame Master)

Hi,

The access list should apply to the source interface as inbound (in).  Also, use the exact IP of the tftp server.

permit udp host 10.21.8.1 host 10.10.10.10 eq tftp

In this example 10.10.10.10 is the IP address of the tftp server.

HTH

Thank you.

But how about the return traffic?

What if I only wanted to allow TFTP return traffic?

If the source is 10.21.8.1 (SVI L3) then you can apply the access list inbound to it as in

ip access-list extended test

permit udp host 10.21.8.1 host 10.10.10.10 eq tftp

then apply it to the interface as in

int vlan 3

ip access-group test in

and test connectivity.

HTH

Julio E. Moisa (VIP Mentor)

Hi

As Reza mentioned, here is the syntax of an extended named ACL.

If you are going to use named:

ip access-list extended OUTBOUND
permit <protocol> <source host or subnet> <wildcard> <source port /ports> <destination host or subnet> <wildcard> <destination port/ports>

permit udp host 10.21.8.1 10.0.0.0 0.0.0.255 eq tftp

(eq tftp and eq 69 are equivalent)

interface gX/Y
ip access-group OUTBOUND out

For inbound traffic, it is similar:

ip access-list extended INBOUND
permit <protocol> <source host or subnet> <wildcard> <source port /ports> <destination host or subnet> <wildcard> <destination port/ports>

permit udp 10.0.0.0 0.0.0.255 eq tftp host 10.21.8.1

(again, eq tftp and eq 69 are equivalent)

interface gX/Y
ip access-group INBOUND in

At the end you will have:

interface gX/Y or Interface vlan X
ip access-group INBOUND in
ip access-group OUTBOUND out

Note: if the source or destination is going to use dynamic ports you can omit the port on the ACL, like in the example above.

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
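As an added example (not code from the thread), the following Python models the entries discussed above as Cisco wildcard ACEs and checks them against a constructed TFTP read exchange, using the server 10.10.10.10 from Reza's reply and made-up transfer IDs (TIDs) 50123 and 40001. It shows two things a practitioner should verify before applying the ACL: the 0.0.0.255 wildcard matches 10.0.0.0/24 rather than the 10.0.0.0/8 the question asks for, and because a TFTP server replies from a fresh TID rather than port 69 (RFC 1350), an inbound entry with "eq tftp" on the source port will not match the return traffic, which is the dynamic-port case Julio's note refers to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Packet tuple: (src ip, src port, dst ip, dst port)
Packet = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Ace:
    """One 'permit udp ...' entry; addresses use Cisco wildcard notation."""
    src: str
    src_wc: str
    src_port: Optional[int]   # None means no source port clause
    dst: str
    dst_wc: str
    dst_port: Optional[int]   # None means no destination port clause


def addr_matches(addr: str, base: str, wc: str) -> bool:
    """Cisco wildcard: bits set to 0 in the wildcard must match, bits set to 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (b & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    src, sport, dst, dport = pkt
    return (addr_matches(src, ace.src, ace.src_wc)
            and addr_matches(dst, ace.dst, ace.dst_wc)
            and (ace.src_port is None or sport == ace.src_port)
            and (ace.dst_port is None or dport == ace.dst_port))


def host(ip: str) -> Tuple[str, str]:
    return ip, "0.0.0.0"   # 'host X' is shorthand for wildcard 0.0.0.0


# Constructed TFTP read (RFC 1350): client picks TID 50123 and sends RRQ to port 69;
# the server answers DATA block 1 from a new TID (40001), not from port 69.
CLIENT, SERVER = "10.21.8.1", "10.10.10.10"
RRQ: Packet = (CLIENT, 50123, SERVER, 69)
DATA: Packet = (SERVER, 40001, CLIENT, 50123)

OUTBOUND_AS_POSTED = Ace(*host(CLIENT), None, "10.0.0.0", "0.0.0.255", 69)      # /24 wildcard
OUTBOUND_SLASH8 = Ace(*host(CLIENT), None, "10.0.0.0", "0.255.255.255", 69)     # /8 wildcard
INBOUND_EQ_TFTP = Ace("10.0.0.0", "0.255.255.255", 69, *host(CLIENT), None)
INBOUND_ANY_SPORT = Ace("10.0.0.0", "0.255.255.255", None, *host(CLIENT), None)


def evaluate() -> dict:
    return {
        "rrq_posted_wc": ace_matches(OUTBOUND_AS_POSTED, RRQ),   # False: 10.10.10.10 is outside 10.0.0.0/24
        "rrq_slash8": ace_matches(OUTBOUND_SLASH8, RRQ),         # True
        "data_eq_tftp": ace_matches(INBOUND_EQ_TFTP, DATA),      # False: reply source port is 40001
        "data_any_sport": ace_matches(INBOUND_ANY_SPORT, DATA),  # True
    }
```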