I have a router that is on the outside of the ASA. I want to be able to do upgrades to the router from a system on the inside of the ASA. I set things up so that I could ping the router…that worked I turned the ping off for security reasons. I loaded TFTPd64 bit on the inside server ip address (this is made up ) 10.12.122.3. The router and the outside interface of the ASA are directly connected. Ip address of router is 214.206.70.33 and the ip address of the ASA is 214.206.70.34. I login to the router and do a “copy flash tftp” and I look at the ASA realtime log viewer and I see NOTHING…I was expecting to see traffic trying to get through the ASA. All I get from the router is an error that it can’t reach the tftp device. Apparently this is not as straight forward as it seems it should be, any assistance would be greatly appreciated.
Hi Stephen,
If your router is on the outside and your TFTP server on the inside then you should add an access-list with a matching entry. By default, the ASA will block all traffic from a low security level to a higher security level. Here’s an example:
access-list OUTBOUND_INBOUND extended permit udp host <inside ip> host <outside ip> eq tftp
access-group OUTBOUND_INBOUND in interface OUTSIDE
So in your case:
access-list OUTBOUND_INBOUND extended permit udp host 10.12.122.3 host 214.206.70.33 eq tftp
That should be it.
Rene
You are correct but had to NAT 10.12.122.3 to an external IP such as 214.206.70.30. Once I had the ACL entry and the NAT in place it worked perfectly.
Good to hear you got it working!