Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 138
  • Last Modified:

Cisco asa 5505 ACL for tftp server

I'm trying to setup a tftp acl on my asa5505. IOS 8.4.7
Internally it works fine.  Externally, not. If I try to do a copy running-config tftp, for instance, from an external ASA, the local tftp server software sees and creates an empty file on the tftp directory so it's getting through.  Then deletes it, tries and repeats 5 more times before showing timeout error. I don't run tftp except when I'm updating something so it's on the outside interface and not a DMZ.  

Code is below.

object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
 inspect tftp

Please advise what silly basic item I am overlooking?
0
David Bird
Asked:
David Bird
  • 2
1 Solution
 
ArneLoviusCommented:
The rule looks fine, but it is in isolation, so there may be something else causing the issue.

I would not run tftp over the internet, its a plain text protocol. I run rancid http://www.shrubbery.net/rancid/ to automatically collect configs, put them into source control and show me diffs between configs.
0
 
Pete LongTechnical ConsultantCommented:
Agreed, I have a firewall (5510) that I have in my DC that I TFTP to its setup the same as this and it works?
I use 3CDeamon

Here's the config lifted from working firewall

access-list inbound extended permit udp any object Internal_TFTP_Server eq tftp
access-group inbound in interface outside
!
object network Internal_TFTP_Server
 host 192.168.100.10
 nat (inside,outside) static interface service udp tftp tftp
!
policy-map global_policy
 class inspection_default
  inspect tftp
!


Pete
0
 
David BirdPartnerAuthor Commented:
There is/was something on the rights of my machine that prevents the file from writing.  The machine is multi-homed which may be the issue.  I just tried the TFTP on another machine and all worked.  Thank you for the help.
0
 
David BirdPartnerAuthor Commented:
Please see explanation to public.  All is good.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now