tftp fails from Cisco ASA to Red Hat Linux Server

Hi,

I have a Cisco ASA 5520 running 8.4(2). I am trying to tftp the running config to a RHEL server. The tftp software is up and running, as another ASA can send its config right to it. SELinux is not on, nor is iptables. I have checked the permissions, and they are set to 777 on the directory as well as the file. The file exists as I touched it first. The ASA can ping the RHEL server, and the RHEL server can ping the ASA. I checked the intermediary firewall between the boxes, and I see no failures at all. Any ideas?

Thanks in advance
Elemental12 asked:

shukalo83 commented:
I would not agree with this: "so if you do not see an entry in the tracker, that means it passed"
If you do not see an entry it means that the packet passed OR that it never got to the firewall in the first place. So which was it? That's why I would like you to make a new rule.

 
0
 
John Meggers, Network Architect, commented:
What message are you getting? I would have guessed permissions, but you've already checked that.
0
 
shukalo83 commented:
Ping is another thing from tftp, so double-check firewall rules.

Also check /etc/hosts.allow because it's xinetd and it is ancient. :)
0
 
Elemental12 (Author) commented:
The error is

Error writing tftp://IPADDRESS/FILENAME;int=private (TImed out attempting to connect).

Pinging works in both directions. The hosts.allow file is empty; it does not have the ASA that is not working, nor does it have the ASA that is working.

This server has a NATed IP address of an old server that used to work fine with TFTP. So there should not be any firewall rules to change, because this new server, in essence, has the NAT IP of the old server.

I.e., the original server was 1.1.1.1, the new server is 1.1.1.2. So we NATed it so that anything out of 1.1.1.2 looks like 1.1.1.1, and anything to 1.1.1.1 is sent to 1.1.1.2.

Thanks
0
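The thread keeps circling one point: a successful ping only proves ICMP reachability, while the ASA's "Timed out attempting to connect" means no TFTP reply ever came back on UDP/69. The probe below is an added example, not code from the thread or from any of the products mentioned; it sends a real TFTP write request (WRQ, RFC 1350) and classifies the outcome as "ack" (server reached and willing to write), "error" (server reached but refused, e.g. permissions or missing file) or "timeout" (request or reply never arrived, which points at routing, NAT or filtering). The host, port and filenames are constructed, and a tiny local stand-in server is included so the demo runs offline.

```python
"""Minimal TFTP write-request probe (added example, not from the thread).

It distinguishes the three outcomes a defender cares about when a
`copy running-config tftp:` times out: the server answered with an ACK,
the server answered with a TFTP ERROR, or nothing came back at all.
"""
import socket
import struct
import threading

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a WRQ packet: opcode 2, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_WRQ)
            + filename.encode() + b"\0"
            + mode.encode() + b"\0")


def parse_reply(data: bytes) -> dict:
    """Classify a TFTP reply packet into a small result dict."""
    if len(data) < 4:
        return {"status": "malformed", "detail": data.hex()}
    opcode = struct.unpack("!H", data[:2])[0]
    if opcode == OP_ACK:
        return {"status": "ack", "block": struct.unpack("!H", data[2:4])[0]}
    if opcode == OP_ERROR:
        code = struct.unpack("!H", data[2:4])[0]
        msg = data[4:].split(b"\0", 1)[0].decode(errors="replace")
        return {"status": "error", "code": code, "message": msg}
    return {"status": "unexpected", "opcode": opcode}


def probe_tftp_write(host: str, port: int, filename: str, timeout: float = 2.0) -> dict:
    """Send one WRQ and report whether (and how) the server answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_wrq(filename), (host, port))
        try:
            data, peer = s.recvfrom(516)
        except socket.timeout:
            # No reply at all: the request or its answer never made it.
            return {"status": "timeout"}
        except OSError as exc:
            # e.g. ICMP port unreachable surfaced by the OS.
            return {"status": "unreachable", "detail": str(exc)}
    result = parse_reply(data)
    # A real TFTP daemon answers from a fresh ephemeral port (its transfer ID).
    result["peer"] = peer
    return result


def start_fake_server(allow_file: str) -> int:
    """Constructed stand-in for a TFTP daemon on 127.0.0.1 (ephemeral port).

    ACKs a WRQ for `allow_file`; answers ERROR 2 (access violation) for
    anything else. Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve_one():
        data, client = srv.recvfrom(516)
        fname = data[2:].split(b"\0", 1)[0].decode(errors="replace")
        # Reply from a new socket, as a real daemon uses a new TID.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as reply_sock:
            if fname == allow_file:
                reply_sock.sendto(struct.pack("!HH", OP_ACK, 0), client)
            else:
                reply_sock.sendto(struct.pack("!HH", OP_ERROR, 2)
                                  + b"Access violation\0", client)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: an allowed write, a refused write, and a silent peer.
    port = start_fake_server("asa-running.cfg")
    print(probe_tftp_write("127.0.0.1", port, "asa-running.cfg"))
    port = start_fake_server("asa-running.cfg")
    print(probe_tftp_write("127.0.0.1", port, "other.cfg"))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    print(probe_tftp_write("127.0.0.1", silent.getsockname()[1], "x.cfg", timeout=0.5))
```

Run it from the same network position as the device that fails (or from the ASA's subnet) and compare with a run from a host that works: a "timeout" from one vantage point and an "ack" from another narrows the fault to the path rather than the daemon, which is exactly the split the thread needed.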
 
shukalo83 commented:
OK. If the server is OK, and we assume it is because other ASAs work, that still leaves us with a few places where things might have gone wrong.

Now, I suspect that NAT. On what kind of device was it configured?
Check this if it is ASA or PIX http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml#maintask2

Also please check this http://www.winagents.com/en/solutions/tftp-over-firewall.php

Probably the ASAs that do work do not pass through some firewall or NAT.

Also, try issuing inspect tftp on every relevant Cisco device.
0
 
Elemental12 (Author) commented:
The old server was a physical RHEL box. The new one is a RHEL VM. The ASA does not do the NATing. I have a Checkpoint firewall that is the default gateway for the ASA as well as the RHEL machines, and it is the one doing the NATing.

I will take a look at your two URLs, but if anyone else has ideas, please let me know...
0
 
shukalo83 commented:
Do you have any logs in Checkpoint SmartView Tracker? Try to have one exact rule for tftp and log it.
Use Tracker to find the log and to see whether there are any problems. Do the other ASAs (that do work) go through Checkpoint?
0
 
Elemental12 (Author) commented:
Yup, they all go through the Checkpoint. I log all failures, and I am seeing nothing show up in the Tracker when I attempt the TFTP. Weird thing is, I get like 5 !!!!!! before it says timed out.
0
 
shukalo83 commented:
I don't get this "I log all failures". Where do you log failures?

If there is a log rule you will see it. So try to make one. Be careful not to put your new rule somewhere behind some other rule that is not logged. So make the rule like this and put it somewhere high enough in the Checkpoint stack of rules:

source: ASA; destination: internal address of tftp server (object's real address); accept and log.
0
 
Elemental12 (Author) commented:
On the Checkpoint firewall, you can choose to log accepts and denies or not to log them. I log all failures, so if you do not see an entry in the Tracker, that means it passed.

I am not seeing any failures in the firewall meaning that traffic is traversing the firewall without being blocked/denied.
0
 
Elemental12 (Author) commented:
You are correct that it could also mean that the traffic is not getting to the firewall in the first place, except that ping is working, which would make me think that the route is OK. Going to work on making a rule for this.
0
 
Elemental12 (Author) commented:
I've requested that this question be deleted for the following reason:

Turns out traffic was going out the wrong interface of the ASA.
0
 
shukalo83 commented:
It seems to me that my answer was correct, so ...

At least helpful ;)
0
 
shukalo83 commented:
We lost a good deal of time to establish this fact. I would like Elemental12 to reconsider giving me a few points for this.
I was suspecting this kind of problem and was going towards the solution, so...
0
Question has a verified solution.
