Solved

Cisco asa 5505 ACL for tftp server

Posted on 2016-11-22
Last Modified: 2016-12-02
I'm trying to set up a TFTP ACL on my ASA 5505, IOS 8.4.7.
Internally it works fine. Externally, not. If I try to do a copy running-config tftp, for instance, from an external ASA, the local TFTP server software sees it and creates an empty file in the TFTP directory, so it's getting through. Then it deletes it, tries again and repeats 5 more times before showing a timeout error. I don't run TFTP except when I'm updating something, so it's on the outside interface and not a DMZ.

Code is below.

object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
 inspect tftp

Please advise what silly basic item I am overlooking?
Question by:David Bird
4 Comments

Expert Comment

by:ArneLovius
ID: 41899200
The rule looks fine, but it is in isolation, so there may be something else causing the issue.

I would not run TFTP over the internet, it's a plain text protocol. I run rancid (http://www.shrubbery.net/rancid/) to automatically collect configs, put them into source control and show me diffs between configs.


Expert Comment

by:Pete Long
ID: 41899328
Agreed, I have a firewall (5510) in my DC that I TFTP to; it's set up the same as this and it works?
I use 3CDaemon.

Here's the config lifted from a working firewall:

access-list inbound extended permit udp any object Internal_TFTP_Server eq tftp
access-group inbound in interface outside
!
object network Internal_TFTP_Server
 host 192.168.100.10
 nat (inside,outside) static interface service udp tftp tftp
!
policy-map global_policy
 class inspection_default
  inspect tftp
!


Pete
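Both configs in this thread follow the same three-part pattern: an ACL applied inbound on the outside interface, a static PAT hung off the network object that owns the TFTP host, and inspect tftp in the global policy. As an added example (not from the thread or either poster), the Python below parses an ASA snippet written in exactly those line forms, reports whether the three pieces agree for the same host, and flags that the permitted source is any, which is the plaintext-over-the-internet exposure ArneLovius points out.

```python
"""Added example (not from the thread): cross-check the inbound-TFTP pieces both posted configs rely on."""
import re

# Constructed sample: the asker's configuration as posted in the question.
SAMPLE = """\
object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
 inspect tftp
"""
# Only the ACL form used in the thread: ... permit udp SRC (host IP | object NAME | any) eq tftp
ACL_RE = re.compile(r"^access-list (\S+) extended permit udp (\S+) "
                    r"(?:host (\S+)|object (\S+)|(any)) eq tftp$")
NAT_LINE = "nat (inside,outside) static interface service udp tftp tftp"

def parse(cfg):
    objects, acls, groups, inspects, current = {}, {}, {}, set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "): current = None   # a top-level command ends any object block
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {"host": None, "nat": False})
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and line == NAT_LINE:
            objects[current]["nat"] = True
        elif m := ACL_RE.match(line):          # (acl name) -> list of (source, destination)
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3) or m.group(4) or m.group(5)))
        elif line.startswith("access-group "):  # access-group NAME in interface IFACE
            name, direction, _, iface = line.split()[1:5]
            groups[name] = (direction, iface)
        elif line.startswith("inspect "):
            inspects.add(line.split()[1])
    return objects, acls, groups, inspects

def audit(cfg):
    objects, acls, groups, inspects = parse(cfg)
    result = dict(acl_on_outside=False, nat_for_target=False, source_is_any=False, inspect_tftp="tftp" in inspects)
    for name in [n for n, g in groups.items() if g == ("in", "outside")]:
        for src, dst in acls.get(name, []):
            result["acl_on_outside"] = True
            result["source_is_any"] |= src == "any"      # plaintext TFTP reachable from anywhere
            ip = objects.get(dst, {}).get("host", dst)   # object name -> its host; otherwise a literal IP
            result["nat_for_target"] |= any(o["host"] == ip and o["nat"] for o in objects.values())
    return result
```

audit(SAMPLE) reports all three pieces present and the source as any; drop the nat line and nat_for_target goes false while the ACL still reports as applied, which is the kind of half-configured state the thread was trying to rule out.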
Accepted Solution

by: David Bird earned 0 total points
ID: 41903414
There is/was something in the rights on my machine that prevents the file from being written. The machine is multi-homed, which may be the issue. I just tried the TFTP on another machine and all worked. Thank you for the help.

Author Closing Comment

by:David Bird
ID: 41909945
Please see the explanation to the public. All is good.