Do you have nat-control enabled?

With regards
Kings

On Sat, Feb 26, 2011 at 2:27 PM, Pemasiri Devanarayana <[email protected]> wrote:

> Hi All,
>
> My tftp server is 150.1.1.241 and the router which is trying to do tftp is
> 1.1.4.2, which is behind the ASA. I have already allowed udp any host 1.1.4.2
> eq tftp
>
> access-list out extended permit udp any host 1.1.4.2 eq tftp
>
> yes, I have default route on 1.1.4.2 and when I ping from 1.1.4.2 to
> 150.1.1.241 it was success..
>
> On Sat, Feb 26, 2011 at 8:09 AM, kamran shakil <[email protected]> wrote:
>
>> true! tftp is not added there in ACL.
>>
>> plus even if u r from inside or outside, there is no inspect also, so
>> check the ACL permission only!
>>
>> On Sat, Feb 26, 2011 at 7:28 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> You have not permitted 150.1.1.24? Do you have static rule for the tftp
>>> server, if no, add permit statement for 150.1.1.241.
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Feb 26, 2011 at 3:18 AM, Pemasiri Devanarayana <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm having an issue with doing tftp to a device behind the firewall (ASA)
>>>> even though I have allowed tftp from outside. Here is the message I see on
>>>> the console.
>>>>
>>>> ciscoasa/C2(config)#
>>>> ciscoasa/C2(config)#
>>>> ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
>>>> %ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
>>>> %ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>>>>
>>>> Here is the message I see on the device where I'm trying to tftp
>>>>
>>>> R2#copy flash: tftp:
>>>> Source filename []? IOSCA.ser
>>>> Address or name of remote host []? 150.1.1.241
>>>> Destination filename [IOSCA.ser]?
>>>> .....
>>>> %Error opening tftp://xx.1.1.xx/IOSCA.ser <ftp://150.1.1.241/IOSCA.ser> (Timed out)
>>>> R2#
>>>>
>>>> Here is my ACL on ASA applied to outside interface
>>>>
>>>> ciscoasa/C2# sh run acc
>>>> ciscoasa/C2# sh run access-l
>>>> ciscoasa/C2# sh run access-list out
>>>> access-list out extended permit icmp any any
>>>> access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
>>>> access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
>>>> access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
>>>> access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
>>>> access-list out extended permit udp any host 1.1.4.2 eq tftp
>>>>
>>>> it works without firewall.. (when bypassed the firewall)...??
>>>>
>>>> Appreciate if someone can find the issue..
>>>>
>>>> thanks
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
