True! tftp is not added there in the ACL. Plus, even if you are from inside or outside, there is no inspect also, so check the ACL permission only!

On Sat, Feb 26, 2011 at 7:28 AM, Kingsley Charles <[email protected]> wrote:

> You have not permitted 150.1.1.24? Do you have a static rule for the tftp
> server? If not, add a permit statement for 150.1.1.241.
>
> With regards
> Kings
>
> On Sat, Feb 26, 2011 at 3:18 AM, Pemasiri Devanarayana <[email protected]> wrote:
>
>> Hi,
>>
>> I'm having an issue with doing tftp to a device behind the firewall (ASA) even
>> though I have allowed tftp from outside. Here is the message I see on the
>> console.
>>
>> ciscoasa/C2(config)#
>> ciscoasa/C2(config)#
>> ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
>> %ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
>> %ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>>
>> Here is the message I see on the device where I'm trying to tftp
>>
>> R2#copy flash: tftp:
>> Source filename []? IOSCA.ser
>> Address or name of remote host []? 150.1.1.241
>> Destination filename [IOSCA.ser]?
>> .....
>> %Error opening tftp://xx.1.1.xx/IOSCA.ser <ftp://150.1.1.241/IOSCA.ser> (Timed out)
>> R2#
>>
>> Here is my ACL on ASA applied to outside interface
>>
>> ciscoasa/C2# sh run acc
>> ciscoasa/C2# sh run access-l
>> ciscoasa/C2# sh run access-list out
>> access-list out extended permit icmp any any
>> access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
>> access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
>> access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
>> access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
>> access-list out extended permit udp any host 1.1.4.2 eq tftp
>>
>> it works without firewall.. (when bypassed the firewall)...??
>>
>> Appreciate if someone can find the issue..
>>
>> thanks
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
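
Added example, not written by anyone in the thread: a small Python parser for the %ASA-6-302016 teardown lines quoted above. A TFTP server answers from a newly chosen port rather than 69 (RFC 1350), so the transfer runs on a different flow than the request; the summary puts the byte counts of the two side by side. The function names are illustrative, and the sample is the log from the post with the mail client's line wraps undone.

```python
import re

# The teardown lines quoted in the thread, with the e-mail line wraps undone.
SAMPLE = """\
%ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
"""

TEARDOWN = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for "
    r"(?P<a_if>\S+?):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>\S+?):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

def parse_teardowns(text):
    """Return one dict per UDP teardown (302016) line; other messages are skipped."""
    out = []
    for m in TEARDOWN.finditer(text):
        d = m.groupdict()
        out.append({
            "id": int(d["id"]),
            "a": (d["a_if"], d["a_ip"], int(d["a_port"])),
            "b": (d["b_if"], d["b_ip"], int(d["b_port"])),
            "seconds": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
            "bytes": int(d["bytes"]),
        })
    return out

def tftp_summary(conns):
    """For each flow touching UDP/69, report its bytes and the bytes on any other
    flow between the same server host and the same client ip/port (the data leg)."""
    rows = []
    for c in conns:
        ends = [c["a"], c["b"]]
        srv = next((e for e in ends if e[2] == 69), None)
        if srv is None:
            continue
        cli = ends[1 - ends.index(srv)]
        others = [o for o in conns if o is not c and cli in (o["a"], o["b"])
                  and srv[:2] in (o["a"][:2], o["b"][:2])]
        rows.append({
            "server": srv[1], "client": "%s:%d" % cli[1:],
            "request_bytes": c["bytes"],
            "transfer_bytes": sum(o["bytes"] for o in others),
            "transfer_conns": [o["id"] for o in others],
        })
    return rows
```

For the log in the post, `tftp_summary(parse_teardowns(SAMPLE))` reports 80 bytes on the port-69 flow and 0 bytes on the companion connection 114.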
