Kings, sorry, I missed mentioning that, it's no nat-control...

On Sat, Feb 26, 2011 at 12:54 PM, Kingsley Charles <[email protected]> wrote:
> Do you have nat-control enabled?
>
> With regards
> Kings
>
> On Sat, Feb 26, 2011 at 2:27 PM, Pemasiri Devanarayana <[email protected]> wrote:
>
>> Hi All,
>>
>> My tftp server is 150.1.1.241 and the router which is trying to do tftp is 1.1.4.2, which is behind the ASA. I have already allowed udp any host 1.1.4.2 eq tftp
>>
>> access-list out extended permit udp any host 1.1.4.2 eq tftp
>>
>> Yes, I have a default route on 1.1.4.2 and when I ping from 1.1.4.2 to 150.1.1.241 it was successful..
>>
>> On Sat, Feb 26, 2011 at 8:09 AM, kamran shakil <[email protected]> wrote:
>>
>>> True! tftp is not added there in the ACL.
>>>
>>> Plus, even if you are from inside or outside, there is no inspect also, so check the ACL permission only!
>>>
>>> On Sat, Feb 26, 2011 at 7:28 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> You have not permitted 150.1.1.24? Do you have a static rule for the tftp server? If not, add a permit statement for 150.1.1.241.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Feb 26, 2011 at 3:18 AM, Pemasiri Devanarayana <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm having an issue doing tftp to a device behind the firewall (ASA) even though I have allowed tftp from outside. Here is the message I see on the console.
>>>>>
>>>>> ciscoasa/C2(config)#
>>>>> ciscoasa/C2(config)#
>>>>> ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
>>>>> %ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
>>>>> %ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>>>>>
>>>>> Here is the message I see on the device where I'm trying to tftp
>>>>>
>>>>> R2#copy flash: tftp:
>>>>> Source filename []? IOSCA.ser
>>>>> Address or name of remote host []? 150.1.1.241
>>>>> Destination filename [IOSCA.ser]?
>>>>> .....
>>>>> %Error opening tftp://xx.1.1.xx/IOSCA.ser (Timed out)
>>>>> R2#
>>>>>
>>>>> Here is my ACL on the ASA applied to the outside interface
>>>>>
>>>>> ciscoasa/C2# sh run acc
>>>>> ciscoasa/C2# sh run access-l
>>>>> ciscoasa/C2# sh run access-list out
>>>>> access-list out extended permit icmp any any
>>>>> access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
>>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
>>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
>>>>> access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
>>>>> access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
>>>>> access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
>>>>> access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
>>>>> access-list out extended permit udp any host 1.1.4.2 eq tftp
>>>>>
>>>>> It works without the firewall.. (when bypassed the firewall)...??
>>>>>
>>>>> Appreciate if someone can find the issue..
>>>>>
>>>>> thanks
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
