Defining TFTP interface for L2L VPN connections on ASA5505s

Unanswered Question
May 25th, 2007

Is there a way to define a TFTP source interface in the same way that a router/switch allows? The problem I am having is that I need to save configuration files from the remote ASA5505 to our main office, as well as upload new code to the 5505, and debugs show that the TFTP source address of the ASA5505 comes from the outside (public) interface of the ASA, destined for an internal private address at the main office, via the VPN tunnel. Two problems with this:

1) I do not want to tunnel the outside interface IP address of the ASA5505 through a tunnel; and

2) DSL/Cable ISPs hand out DHCP addresses, so I could not easily make an interesting VPN traffic ACL if the outside interface IP frequently changes.

One other similar problem I found is that I cannot ping from the remote ASA5505 to devices in our main office. Pings do work fine though for devices behind the ASA5505 to devices behind our main office ASA5540.

Similarly, I have problems with NTP and TACACS+. I believe all four problems are related to the same issue because they each attempt to use the outside IP address as the default source address.

Some assistance with an explanation (and not just a url link) would be helpful.



irisrios Fri, 06/01/2007 - 05:37

1. You need to set the interesting traffic (ACL) according to the dynamic IP address assignment of your branch office, while it is static for your main office.

2. Check whether ICMP traffic is allowed on the main office side or not.

Make use of this document: PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example
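The dynamic-to-static arrangement the reply describes, written out as an added example (not configuration from the thread or from the Cisco document it names). The addresses are constructed: main office ASA5540 with a static public address 203.0.113.10 and inside network 10.10.0.0/16, branch ASA5505 with a DHCP-assigned outside address and inside network 10.20.0.0/24; lines beginning with "!" are annotations. Note that both crypto ACLs match only the inside networks, so traffic the ASA5505 itself sources from its outside address (the TFTP, ping, NTP and TACACS+ cases in the question) does not match them and is not sent through the tunnel.

```cisco
! ---- Main office ASA5540 (static side): accepts a peer whose address is not known in advance
access-list L2L-BRANCH extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
! NAT exemption (7.x syntax) so tunnel traffic keeps its private addresses
nat (inside) 0 access-list L2L-BRANCH
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Dynamic crypto map: no "set peer", because the branch outside address changes
crypto dynamic-map DYN-BRANCH 10 set transform-set ESP-AES-SHA
! Dynamic entries go last (highest sequence) so static entries are tried first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCH
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! A dynamic peer lands in the default L2L tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-secret>
! Item 2 of the reply: allow ICMP from branch hosts to the main-office inside interface
icmp permit 10.20.0.0 255.255.255.0 inside

! ---- Branch ASA5505 (dynamic side): only it can initiate, since only it knows the other peer
access-list L2L-MAIN extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list L2L-MAIN
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Static crypto map: interesting traffic ACL plus the fixed main-office peer address
crypto map OUTSIDE-MAP 10 match address L2L-MAIN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <shared-secret>
```

With this in place, a host on 10.20.0.0/24 reaching 10.10.0.0/16 matches L2L-MAIN and brings the tunnel up, which is why pings between hosts work while pings sourced by the ASA5505 itself do not.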
