Solved

Cisco asa 5505 ACL for tftp server

Posted on 2016-11-22
Last Modified: 2016-12-02
I'm trying to set up a TFTP ACL on my ASA 5505. IOS 8.4.7
Internally it works fine. Externally, not. If I try to do a copy running-config tftp, for instance, from an external ASA, the local TFTP server software sees and creates an empty file in the TFTP directory, so it's getting through. Then it deletes it, tries and repeats 5 more times before showing a timeout error. I don't run TFTP except when I'm updating something, so it's on the outside interface and not a DMZ.

Code is below.

object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
  inspect tftp

Please advise what silly basic item I am overlooking?
0
Question by:davebird
4 Comments
 

Expert Comment

by:ArneLovius
ID: 41899200
The rule looks fine, but it is in isolation, so there may be something else causing the issue.

I would not run TFTP over the internet; it's a plain-text protocol. I run rancid http://www.shrubbery.net/rancid/ to automatically collect configs, put them into source control and show me diffs between configs.
0
 

Expert Comment

by:Pete Long
ID: 41899328
Agreed, I have a firewall (5510) that I have in my DC that I TFTP to; it's set up the same as this and it works?
I use 3CDaemon

Here's the config lifted from a working firewall

access-list inbound extended permit udp any object Internal_TFTP_Server eq tftp
access-group inbound in interface outside
!
object network Internal_TFTP_Server
 host 192.168.100.10
 nat (inside,outside) static interface service udp tftp tftp
!
policy-map global_policy
 class inspection_default
  inspect tftp
!


Pete
0
 

Accepted Solution

by:davebird
ID: 41903414
There is/was something on the rights of my machine that prevents the file from writing.  The machine is multi-homed which may be the issue.  I just tried the TFTP on another machine and all worked.  Thank you for the help.
0
 

Author Closing Comment

by:davebird
ID: 41909945
Please see explanation to public.  All is good.
0
