You have not permitted 150.1.1.24? Do you have a static rule for the TFTP
server? If not, add a permit statement for 150.1.1.241.


With regards
Kings

On Sat, Feb 26, 2011 at 3:18 AM, Pemasiri Devanarayana
<[email protected]> wrote:

> Hi,
>
>
>
> I'm having an issue doing TFTP to a device behind the firewall (ASA) even
> though I have allowed TFTP from outside. Here is the message I see on the
> console.
>
>
>
> ciscoasa/C2(config)#
>
> ciscoasa/C2(config)#
>
> ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for
> Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
>
> %ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to
> Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
>
> %ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>
>
>
> Here is the message I see on the device where I'm trying to tftp
>
> R2#copy flash: tftp:
>
> Source filename []? IOSCA.ser
>
> Address or name of remote host []? 150.1.1.241
>
> Destination filename [IOSCA.ser]?
>
> .....
>
> %Error opening tftp://xx.1.1.xx/IOSCA.ser <ftp://150.1.1.241/IOSCA.ser> (Timed
> out)
>
> R2#
>
>
>
> Here is my ACL on the ASA, applied to the outside interface
>
> ciscoasa/C2# sh run acc
>
> ciscoasa/C2# sh run access-l
>
> ciscoasa/C2# sh run access-list out
>
> access-list out extended permit icmp any any
>
> access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
>
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
>
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
>
> access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
>
> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
>
> access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
>
> access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
>
> access-list out extended permit udp any host 1.1.4.2 eq tftp
>
>
>
> It works without the firewall (when the firewall is bypassed)...??
>
>
>
> Appreciate if someone can find the issue..
>
> thanks
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
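An added example, not part of either message: a small Python evaluator for the `out` ACL exactly as posted, run against inbound UDP flows from 150.1.1.241 to 1.1.4.2. It assumes first-match evaluation with an implicit deny at the end of the list; the function names are illustrative, and the parser covers only the ACE forms that appear in this ACL.

```python
import ipaddress

# ACL lines copied verbatim from the post ("sh run access-list out").
ACL_OUT = """\
access-list out extended permit icmp any any
access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
access-list out extended permit udp any host 1.1.4.2 eq tftp
"""
PORTS = {"isakmp": 500, "ntp": 123, "tftp": 69}  # port keywords used above

def _addr(tok):
    """Pop 'any' or 'host A.B.C.D' off the token list; None means any."""
    if tok.pop(0) == "any":
        return None
    return ipaddress.ip_address(tok.pop(0))

def parse(line):
    """Parse one ACE of the form used in this ACL (not a full ASA parser)."""
    tok = line.split()[3:]  # drop 'access-list out extended'
    ace = {"text": line, "action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["dst"] = _addr(tok), _addr(tok)
    ace["op"] = tok[0] if tok else None
    ace["port"] = (PORTS.get(tok[1]) or int(tok[1])) if tok else None
    return ace

def evaluate(proto, src, dst, dport):
    """First match wins; a packet that matches no line hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse, ACL_OUT.splitlines()):
        if ace["proto"] != proto:
            continue
        if ace["src"] not in (None, src) or ace["dst"] not in (None, dst):
            continue
        if ace["op"] == "eq" and dport != ace["port"]:
            continue
        if ace["op"] == "gt" and dport <= ace["port"]:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed flows: one to port 69, one to the client port seen in the posted log.
    for dport in (69, 64253):
        print(dport, evaluate("udp", "150.1.1.241", "1.1.4.2", dport))
```

The only line that matches traffic from 150.1.1.241 is the last one, and it matches only when the destination port on 1.1.4.2 is 69; UDP addressed to the client's port 64253 falls through to the implicit deny.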