Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco asa 5505 ACL for tftp server

Posted on 2016-11-22
4
35 Views
Last Modified: 2016-12-02
I'm trying to setup a tftp acl on my asa5505. IOS 8.4.7
Internally it works fine.  Externally, not. If I try to do a copy running-config tftp, for instance, from an external ASA, the local tftp server software sees and creates an empty file on the tftp directory so it's getting through.  Then deletes it, tries and repeats 5 more times before showing timeout error. I don't run tftp except when I'm updating something so it's on the outside interface and not a DMZ.  

Code is below.

object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
 inspect tftp

Please advise what silly basic item I am overlooking?
0
Comment
Question by:davebird
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41899200
The rule looks fine, but it is in isolation, so there may be something else causing the issue.

I would not run tftp over the internet, its a plain text protocol. I run rancid http://www.shrubbery.net/rancid/ to automatically collect configs, put them into source control and show me diffs between configs.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41899328
Agreed, I have a firewall (5510) that I have in my DC that I TFTP to its setup the same as this and it works?
I use 3CDeamon

Here's the config lifted from working firewall

access-list inbound extended permit udp any object Internal_TFTP_Server eq tftp
access-group inbound in interface outside
!
object network Internal_TFTP_Server
 host 192.168.100.10
 nat (inside,outside) static interface service udp tftp tftp
!
policy-map global_policy
 class inspection_default
  inspect tftp
!


Pete
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41903414
There is/was something on the rights of my machine that prevents the file from writing.  The machine is multi-homed which may be the issue.  I just tried the TFTP on another machine and all worked.  Thank you for the help.
0
 

Author Closing Comment

by:davebird
ID: 41909945
Please see explanation to public.  All is good.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA ISP failover 3 23
Splitting network into several individual networks. 6 47
Internet options/Settings 1 46
Connectivity issues after power outage 5 35
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question