Solved

Cisco asa 5505 ACL for tftp server

Posted on 2016-11-22
4
48 Views
Last Modified: 2016-12-02
I'm trying to setup a tftp acl on my asa5505. IOS 8.4.7
Internally it works fine.  Externally, not. If I try to do a copy running-config tftp, for instance, from an external ASA, the local tftp server software sees and creates an empty file on the tftp directory so it's getting through.  Then deletes it, tries and repeats 5 more times before showing timeout error. I don't run tftp except when I'm updating something so it's on the outside interface and not a DMZ.  

Code is below.

object network Open-TFTP
 host 192.168.8.99
access-list OutToInTFTP extended permit udp any host 192.168.8.99 eq tftp
object network Open-TFTP
 nat (inside,outside) static interface service udp tftp tftp
access-group OutToInTFTP in interface outside
policy-map global_policy
 class inspection_default
 inspect tftp

Please advise what silly basic item I am overlooking?
0
Comment
Question by:davebird
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41899200
The rule looks fine, but it is in isolation, so there may be something else causing the issue.

I would not run tftp over the internet, its a plain text protocol. I run rancid http://www.shrubbery.net/rancid/ to automatically collect configs, put them into source control and show me diffs between configs.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41899328
Agreed, I have a firewall (5510) that I have in my DC that I TFTP to its setup the same as this and it works?
I use 3CDeamon

Here's the config lifted from working firewall

access-list inbound extended permit udp any object Internal_TFTP_Server eq tftp
access-group inbound in interface outside
!
object network Internal_TFTP_Server
 host 192.168.100.10
 nat (inside,outside) static interface service udp tftp tftp
!
policy-map global_policy
 class inspection_default
  inspect tftp
!


Pete
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41903414
There is/was something on the rights of my machine that prevents the file from writing.  The machine is multi-homed which may be the issue.  I just tried the TFTP on another machine and all worked.  Thank you for the help.
0
 

Author Closing Comment

by:davebird
ID: 41909945
Please see explanation to public.  All is good.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question