TFTP via Site-to-Site Tunnel

I have an L2L ipsec tunnel between two of our production environments.

On one device, Fortigate, we have our main network where my workstation resides. On the other device, ASA 5505, is where I am trying to (via the CLI) tftp to my workstation (running a tftp server).

On my ASA 5505 via CLI, I tried to perform a tftp session with my workstation. Reviewing the live log in the ASDM, I noticed that it was not using the tunnel to get to my address.

What I do not understand is that if I ping my workstation from a workstation behind the network of the ASA, it is successful. When I ping via the CLI in the ASA, I have to specifically add that it uses the "internal" interface.

Furthermore, I set up a static route to the network where my workstation resides and used the ASA's "inside" interface as the gateway (this is what our workstations in the ASA network use). Yet, this still didn't work.

Can anyone give me pointers on how to ensure I can tftp to my network behind the Fortigate?

Thanks in Advance...

1 Reply

acomiskey
Level 10

The issue here is the ASA is using its outside interface as the source address. This address most likely is not defined as interesting traffic for the vpn tunnel. Adding this address to the crypto acl should solve your issue. I assume you will also need to add the traffic to the Fortigate device.

access-list <crypto-acl-name> extended permit ip host <asa-outside-ip> host <workstation-ip>
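As an added illustration of the reply's point (example code, not the poster's or Cisco's), a small Python model of crypto-ACL matching; the ACL name VPN-ACL and all addresses are constructed placeholders. It shows why a flow sourced from the ASA's outside address misses a LAN-to-LAN crypto ACL while the same flow sourced from an inside address (which is what the poster's "internal"-sourced ping does) matches, and how the suggested host entry changes that.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 documentation ranges), not taken from the thread.
ASA_INSIDE_IP = "192.0.2.1"        # ASA "inside" interface
ASA_OUTSIDE_IP = "203.0.113.2"     # ASA outside interface: default source for CLI-originated tftp
LAN_HOST_IP = "192.0.2.50"         # a workstation behind the ASA
WORKSTATION_IP = "198.51.100.10"   # the TFTP server behind the Fortigate

def parse_spec(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK'); return it and the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse_crypto_acl(lines):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src, dst) network pairs."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue  # not a permit-ip entry we model (deny lines, remarks, other protocols)
        src, rest = parse_spec(t[5:])
        dst, _ = parse_spec(rest)
        rules.append((src, dst))
    return rules

def is_interesting(rules, src_ip, dst_ip):
    """True if the flow matches the crypto ACL, i.e. the ASA would encrypt it into the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in rules)

# Hypothetical ACL name VPN-ACL. BEFORE has only the usual LAN-to-LAN entry;
# AFTER adds the reply's fix: the ASA's own outside address as interesting traffic.
CRYPTO_ACL_BEFORE = ["access-list VPN-ACL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0"]
CRYPTO_ACL_AFTER = CRYPTO_ACL_BEFORE + ["access-list VPN-ACL extended permit ip host 203.0.113.2 host 198.51.100.10"]

def tunnel_decisions(acl_lines):
    """For each candidate source, whether its TFTP flow to the workstation would use the tunnel."""
    rules = parse_crypto_acl(acl_lines)
    return {
        "lan_host": is_interesting(rules, LAN_HOST_IP, WORKSTATION_IP),
        "asa_inside": is_interesting(rules, ASA_INSIDE_IP, WORKSTATION_IP),
        "asa_outside": is_interesting(rules, ASA_OUTSIDE_IP, WORKSTATION_IP),
    }

if __name__ == "__main__":
    print("before:", tunnel_decisions(CRYPTO_ACL_BEFORE))
    print("after: ", tunnel_decisions(CRYPTO_ACL_AFTER))
```

The before/after output shows the two defensible options: widen the crypto ACL (and the Fortigate's matching policy) to cover the ASA's outside address, or source the tftp from the inside interface so it matches the existing LAN-to-LAN entry without widening the tunnel selector.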
