I have a router that is on the outside of the ASA. I want to be able to do upgrades to the router from a system on the inside of the ASA. I set things up so that I could ping the router…that worked I turned the ping off for security reasons. I loaded TFTPd64 bit on the inside server ip address (this is made up ) The router and the outside interface of the ASA are directly connected. Ip address of router is and the ip address of the ASA is I login to the router and do a “copy flash tftp” and I look at the ASA realtime log viewer and I see NOTHING…I was expecting to see traffic trying to get through the ASA. All I get from the router is an error that it can’t reach the tftp device. Apparently this is not as straight forward as it seems it should be, any assistance would be greatly appreciated.

Hi Stephen,

If your router is on the outside and your TFTP server on the inside then you should add an access-list with a matching entry. By default, the ASA will block all traffic from a low security level to a higher security level. Here’s an example:

access-list OUTBOUND_INBOUND extended permit udp host <inside ip> host <outside ip> eq tftp

access-group OUTBOUND_INBOUND in interface OUTSIDE

So in your case:

access-list OUTBOUND_INBOUND extended permit udp host host eq tftp

That should be it.


You are correct but had to NAT to an external IP such as Once I had the ACL entry and the NAT in place it worked perfectly.

Good to hear you got it working!