access-list out extended permit udp any host 1.1.4.2 eq tftp

This above line means that anyone can access 1.1.4.2 on port 69/tftp...
however your log entry shows that 1.1.4.2 is itself trying to initiate traffic to Outside:150.1.1.241/69 on port 69/tftp.

%ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0

Can you provide the output of show run | i access-group

Regards,
FNK

On Fri, Feb 25, 2011 at 4:48 PM, Pemasiri Devanarayana <[email protected]> wrote:

> Hi,
>
> I'm having an issue with doing tftp to a device behind the firewall (ASA) even
> though I have allowed tftp from outside. Here is the message I see on the
> console.
>
> ciscoasa/C2(config)#
> ciscoasa/C2(config)#
> ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
> %ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
> %ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>
> Here is the message I see on the device where I'm trying to tftp
>
> R2#copy flash: tftp:
> Source filename []? IOSCA.ser
> Address or name of remote host []? 150.1.1.241
> Destination filename [IOSCA.ser]?
> .....
> %Error opening tftp://xx.1.1.xx/IOSCA.ser (Timed out)
> R2#
>
> Here is my ACL on the ASA applied to the outside interface
>
> ciscoasa/C2# sh run acc
> ciscoasa/C2# sh run access-l
> ciscoasa/C2# sh run access-list out
> access-list out extended permit icmp any any
> access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
> access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
> access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
> access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
> access-list out extended permit udp any host 1.1.4.2 eq tftp
>
> It works without the firewall.. (when bypassed the firewall)...??
>
> Appreciate if someone can find the issue..
>
> thanks
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
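
The direction check made in the reply above, as an added example that is not part of the original thread: it parses the ACL entry and the two 302016 teardown lines quoted in the thread and reports which endpoint sits on the TFTP port. Treating the endpoint on the service port as the server side is an assumption of this example, and the function names are hypothetical.

```python
import re

# Sample input copied from the thread: the ACL entry and the two teardown lines.
ACL = "access-list out extended permit udp any host 1.1.4.2 eq tftp"
LOGS = [
    "%ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 "
    "to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80",
    "%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 "
    "to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0",
]
PORTS = {"tftp": 69}  # only the service name this ACL entry uses

ACL_RE = re.compile(r"access-list \S+ extended permit udp any host (\S+) eq (\S+)")
LOG_RE = re.compile(r"%ASA-6-302016: Teardown UDP connection (\d+) for "
                    r"(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+) ")

def parse_acl(line):
    """Return (dst_ip, dst_port) for a 'permit udp any host X eq P' entry."""
    m = ACL_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("unsupported ACL form: " + line)
    ip, port = m.groups()
    return ip, (PORTS[port] if port in PORTS else int(port))

def parse_teardown(line):
    """Return (conn_id, endpoint_a, endpoint_b); endpoints are (ifname, ip, port)."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # not a 302016 UDP teardown line
    conn, if_a, ip_a, p_a, if_b, ip_b, p_b = m.groups()
    return int(conn), (if_a, ip_a, int(p_a)), (if_b, ip_b, int(p_b))

def check(acl_line, log_lines):
    """Per flow: (conn, endpoint on the service port, ACL destination matches it)."""
    dst_ip, dst_port = parse_acl(acl_line)
    results = []
    for line in log_lines:
        flow = parse_teardown(line)
        if flow is None:
            continue
        conn, a, b = flow
        # Assumption: the endpoint on the service port is the server being contacted.
        server = next((ep for ep in (a, b) if ep[2] == dst_port), None)
        covered = server is not None and server[1] == dst_ip
        results.append((conn, server, covered))
    return results

if __name__ == "__main__":
    for conn, server, covered in check(ACL, LOGS):
        print(f"conn {conn}: server side={server} covered by ACL entry={covered}")
```

For connection 113 the port-69 endpoint is Outside:150.1.1.241, so the entry permitting traffic to 1.1.4.2 eq tftp does not describe that flow.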
