One more thing, have you checked if the tftp service is running on the machine? Have you disabled the Windows firewall on the local machine?
Regards,
Wharley

________________________________
From: Pemasiri Devanarayana <[email protected]>
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Sent: Sat, February 26, 2011 11:24:37 AM
Subject: Re: [OSL | CCIE_Security] tftp doesnt work through ASA...

Kings, sorry, missed to mention that, it's no nat-control...

On Sat, Feb 26, 2011 at 12:54 PM, Kingsley Charles <[email protected]> wrote:

>Do you have nat-control enabled?
>
>With regards
>Kings
>
>On Sat, Feb 26, 2011 at 2:27 PM, Pemasiri Devanarayana <[email protected]> wrote:
>
>>Hi All,
>>
>>My tftp server is 150.1.1.241 and the router which is trying to do tftp is 1.1.4.2, which is behind the ASA. I have already allowed udp any host 1.1.4.2 eq tftp
>>
>>access-list out extended permit udp any host 1.1.4.2 eq tftp
>>
>>Yes, I have a default route on 1.1.4.2, and when I ping from 1.1.4.2 to 150.1.1.241 it was successful.
>>
>>On Sat, Feb 26, 2011 at 8:09 AM, kamran shakil <[email protected]> wrote:
>>
>>>True! tftp is not added there in the ACL.
>>>
>>>Plus, even if you are from inside or outside, there is no inspect also, so check the ACL permission only!
>>>
>>>On Sat, Feb 26, 2011 at 7:28 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>>You have not permitted 150.1.1.24? Do you have a static rule for the tftp server? If not, add a permit statement for 150.1.1.241.
>>>>
>>>>With regards
>>>>Kings
>>>>
>>>>On Sat, Feb 26, 2011 at 3:18 AM, Pemasiri Devanarayana <[email protected]> wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I'm having an issue doing tftp to a device behind the firewall (ASA) even though I have allowed tftp from outside. Here is the message I see on the console.
>>>>>
>>>>>ciscoasa/C2(config)#
>>>>>ciscoasa/C2(config)#
>>>>>ciscoasa/C2(config)# %ASA-6-302016: Teardown UDP connection 113 for Outside:150.1.1.241/69 to Inside:1.1.4.2/64253 duration 0:02:18 bytes 80
>>>>>%ASA-6-302016: Teardown UDP connection 114 for Outside:150.1.1.241/0 to Inside:1.1.4.2/64253 duration 0:02:19 bytes 0
>>>>>%ASA-7-609002: Teardown local-host Outside:150.1.1.241 duration 0:06:04
>>>>>
>>>>>Here is the message I see on the device where I'm trying to tftp
>>>>>R2#copy flash: tftp:
>>>>>Source filename []? IOSCA.ser
>>>>>Address or name of remote host []? 150.1.1.241
>>>>>Destination filename [IOSCA.ser]?
>>>>>.....
>>>>>%Error opening tftp://xx.1.1.xx/IOSCA.ser (Timed out)
>>>>>R2#
>>>>>
>>>>>Here is my ACL on the ASA applied to the outside interface
>>>>>ciscoasa/C2# sh run acc
>>>>>ciscoasa/C2# sh run access-l
>>>>>ciscoasa/C2# sh run access-list out
>>>>>access-list out extended permit icmp any any
>>>>>access-list out extended permit esp host 1.1.6.3 host 1.1.4.2
>>>>>access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq isakmp
>>>>>access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 eq ntp
>>>>>access-list out extended permit udp host 1.1.3.1 host 1.1.4.2 gt 33434
>>>>>access-list out extended permit udp host 1.1.6.3 host 1.1.4.2 gt 33434
>>>>>access-list out extended permit udp host 1.1.6.4 host 1.1.4.2 eq isakmp
>>>>>access-list out extended permit esp host 1.1.6.4 host 1.1.4.2
>>>>>access-list out extended permit udp any host 1.1.4.2 eq tftp
>>>>>
>>>>>It works without the firewall.. (when the firewall is bypassed)...??
>>>>>
>>>>>Appreciate if someone can find the issue..
>>>>>thanks
>>>>>
>>>>>_______________________________________________
>>>>>For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
