ASA 8.2 : Problem with publishing (PAT) internal TFTP server to outside

Unanswered Question
Apr 20th, 2010

Hello,

I have several ASAs and the same problem on all of them.

I want to use my TFTP server from outside my org, so I created a PAT rule as usual, an access-list, and inspect tftp is on. But I can't download any file: when I access it from the outside, I can see the request arrive on the TFTP server many times, but the transfer doesn't start and ends in a communication error. It works for other services (HTTP / FTP).

I use these commands:

static (inside,outside) udp OutsideIPAddress 69 insideIpaddress 69 netmask 255.255.255.255
access-list 101 permit udp any any eq 69
access-group 101 in interface outside
policy-map global_policy
 class inspection_default
  inspect tftp

Thanks for your answers.

Federico Coto F... Tue, 04/20/2010 - 12:54

Here's what Cisco says about TFTP inspection on ASA:

#########################################################################################

TFTP Inspection

TFTP inspection is enabled by default.

TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.

The adaptive security appliance inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).

A dynamic secondary channel and a PAT translation, if necessary, are allocated on reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification.

Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.

TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.

#########################################################################################

I think that the problem is with the inspection of TFTP since the secondary channels are not being redirected to the internal TFTP server.

In order to check if I'm correct, you can try the following:

static (inside,outside) Different_IP_Address insideIpaddress
access-list 101 permit udp any any eq 69
access-group 101 in interface outside
policy-map global_policy
 class inspection_default
  inspect tftp

In this way, the TFTP traffic will be allowed inbound and the subsequent channels for the TFTP transactions should be inspected by ''inspect tftp''.

By doing STATIC PAT, you're only redirecting UDP 69 (TFTP) to the internal server and not the subsequent negotiations (that occur on different ports).

If you don't have another address to use, try using the same PAT address with the STATIC above just for testing purposes to see if it works.

Federico.

nboulet Tue, 04/20/2010 - 15:10

I tried to make a one-to-one NAT with a different public address. It doesn't work. Same problem: the secondary channel is blocked.

I suspect the inspect tftp is not working. For FTP, if I only open port 21, the inspect command for the FTP protocol dynamically opens the other ports.

Federico Coto F... Tue, 04/20/2010 - 15:20

I think you're right and the problem is with the TFTP inspection.

To be 100% sure, can you modify the ACL to permit ip to the TFTP server (just for testing purposes)?

If it works, we know for certain that the tftp inspection is not doing what it should.

Federico.

nboulet Tue, 04/20/2010 - 15:26

I tried opening all the ports, etc.; definitely it's not working with tftp inspect.

And there's no debug for this.

Federico Coto F... Tue, 04/20/2010 - 15:32

If you have an internal TFTP server behind the ASA, and you have a 1-to-1 STATIC NAT and an ACL permitting all ports, and it still does not work, the TFTP inspection has nothing to do with this....

The tftp inspection is there to allow the secondary channels dynamically to pass through the ASA without having to open them in the ACL.

If you open IP in the ACL and it still does not work, the problem goes beyond the TFTP inspection.

Can you enable logs and check the logs for the tftp transaction?

Federico.

nboulet Tue, 04/20/2010 - 15:39

Here are the logs:

debug fixup udp

tftp: (insideIP/69 <- outsideIP/47902)
         reading "tftpd32.ini" mode "netascii"
tftp: prepare conn (insideIP/0 ->outsideIP/47902)
tftp: opened 0xa128fe6
tftp: (hc-lte2-lms01/69 <- outsideIP/47902)
         reading "tftpd32.ini" mode "netascii"
tftp: prepare conn (insideIP/0 ->outsideIP/47902)
tftp: opened 0xa12d982
tftp: (insideIP/69 <-outsideIP/47902)
         reading "tftpd32.ini" mode "netascii"
tftp: prepare conn (hc-lte2-lms01/0 -> outsideIP/47902)
tftp: opened 0xa13a576
tftp-data: (insideIP/69 <- outsideIP/47902)
        timeout on receive
tftp-data: closing 0xa127dfa

Federico Coto F... Tue, 04/20/2010 - 15:46

Seems like a timeout during the TFTP transaction.

Could you try checking the connection itself:

sh conn detail address x.x.x.x  -->  x.x.x.x is the IP of the TFTP server

Federico.

nboulet Tue, 04/20/2010 - 20:23

Here is the result; we can see the initial connection to port UDP 69, and the other ports:

UDP Outside:wanipaddress/53102 Inside:insidetftpserveraddress/69,
    flags -, idle 1s, uptime 8s, timeout 2m0s, bytes 92
UDP Outside:wanipaddress/53102 Inside:insidetftpserveraddress/29671,
    flags -, idle 0s, uptime 1s, timeout 2m0s, bytes 8
UDP Outside:wanipaddress/53102 Inside:insidetftpserveraddress/29672,
    flags -, idle 2s, uptime 5s, timeout 2m0s, bytes 12
UDP Outside:wanipaddress/53102 Inside:insidetftpserveraddress/29673,
    flags -, idle 1s, uptime 7s, timeout 2m0s, bytes 16
UDP Outside:wanipaddress/53102 Inside:insidetftpserveraddress/29674,
    flags -, idle 2s, uptime 8s, timeout 2m0s, bytes 16
UDP Outside:wanipaddress/52763 Inside:insidetftpserveraddress/29675,
    flags -, idle 28s, uptime 28s, timeout 2m0s, bytes 27
UDP Outside:wanipaddress/52763 Inside:insidetftpserveraddress/29676,
    flags -, idle 1m3s, uptime 1m15s, timeout 2m0s, bytes 24

but the connection times out and closes.

Federico Coto F... Tue, 04/20/2010 - 20:37

It seems that to really see what's happening, we had better capture the entire communication between source and destination for the TFTP transaction.

This is done with the capture command:

access-list cap_in permit ip host TFTP_SERVER host OUTSIDE_HOST
access-list cap_in permit ip host OUTSIDE_HOST host TFTP_SERVER
capture cap_in access-list cap_in interface inside

You then can see the capture on the CLI or with Wireshark:
https://ASA's_IP/capture/cap_in/pcap

access-list cap_out permit ip host NAT_TFTP_SERVER host OUTSIDE_HOST
access-list cap_out permit ip host OUTSIDE_HOST host NAT_TFTP_SERVER
capture cap_out access-list cap_out interface outside

You then can see the capture on the CLI or with Wireshark:
https://ASA's_IP/capture/cap_out/pcap

The idea is to capture the entire communication between the outside host and the TFTP server to see where it is failing and why.

Federico.

a-nurseitov Tue, 09/13/2011 - 03:06

I am having exactly the same problem publishing a TFTP server on an ASA5510, 8.4(2).

A NAT rule was created to publish several services from an inside server to the outside. The TCP services can be accessed from outside, but not TFTP. The logs below were received when I tried to establish a TFTP connection to the public IP; after that TFTP times out. Why can the ASA not handle the TFTP translation? Does anybody know how to fix it?

Thank you

Ali

6|Sep 13 2011|09:03:24|302016|84.253.19.240|22911|10.61.3.50|69|Teardown UDP connection 5593 for outside:74.253.19.240/22911 to inside:10.61.3.50/69 duration 0:00:47 bytes 274
6|Sep 13 2011|09:03:16|302015|0.0.0.0|22911|10.61.3.50|33753|Built inbound UDP connection 5605 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33753 (188.232.3.6/33753)
6|Sep 13 2011|09:03:08|302015|0.0.0.0|22911|10.61.3.50|33752|Built inbound UDP connection 5604 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33752 (188.232.3.6/33752)
6|Sep 13 2011|09:03:00|302015|0.0.0.0|22911|10.61.3.50|33751|Built inbound UDP connection 5601 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33751 (188.232.3.6/33751)
6|Sep 13 2011|09:02:52|302015|0.0.0.0|22911|10.61.3.50|33750|Built inbound UDP connection 5600 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33750 (188.232.3.6/33750)
6|Sep 13 2011|09:02:44|302015|0.0.0.0|22911|10.61.3.50|33749|Built inbound UDP connection 5599 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33749 (188.232.3.6/33749)
6|Sep 13 2011|09:02:40|302015|0.0.0.0|22911|10.61.3.50|33748|Built inbound UDP connection 5598 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33748 (188.232.3.6/33748)
6|Sep 13 2011|09:02:38|302015|0.0.0.0|22911|10.61.3.50|33747|Built inbound UDP connection 5597 for outside:0.0.0.0/22911 (10.31.3.51/22911) to inside:10.61.3.50/33747 (188.232.3.6/33747)
6|Sep 13 2011|09:02:37|302015|84.253.19.240|22911|10.61.3.50|69|Built inbound UDP connection 5593 for outside:74.253.19.240/22911 (10.61.3.51/22911) to inside:10.61.3.50/69 (188.232.3.6/69)

object network Host_10.61.3.50
 host 10.61.3.50
object network Host_188.232.3.6
 host 188.232.3.6
object service HTTP
 service tcp destination eq www
object service TFTP
 service udp destination eq tftp
object service SIP
 service tcp destination eq sip
object-group service DM_INLINE_SERVICE_1
 service-object object HTTP
 service-object object SIP
 service-object object TFTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Host_10.61.3.50
nat (outside,inside) source static any interface destination static Host_188.232.3.6 Host_10.61.3.50 service HTTP HTTP
nat (outside,inside) source static any interface destination static Host_188.232.3.6 Host_10.61.3.50 service any TFTP
nat (outside,inside) source static any interface destination static Host_188.232.3.6 Host_10.61.3.50 service SIP SIP
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
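As an added triage aid (not part of the thread and not Cisco's tooling), this Python script correlates the 302015/302016 syslog lines Ali posted: it pairs the control connection to server port 69 with the secondary-channel pinholes that inspect tftp opened towards the server's ephemeral ports, and flags a session that kept opening new pinholes until the control connection was torn down. The sample lines are copied from the post; the pipe-delimited field layout is assumed to match that export.

```python
import re

# Constructed sample, copied from the ASA syslog lines quoted in the post above
# (302015 = "Built inbound UDP connection", 302016 = "Teardown UDP connection").
SAMPLE_LOG = """\
6|Sep 13 2011|09:02:37|302015|84.253.19.240|22911|10.61.3.50|69|Built inbound UDP connection 5593 for outside:74.253.19.240/22911 (10.61.3.51/22911) to inside:10.61.3.50/69 (188.232.3.6/69)
6|Sep 13 2011|09:02:38|302015|0.0.0.0|22911|10.61.3.50|33747|Built inbound UDP connection 5597 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33747 (188.232.3.6/33747)
6|Sep 13 2011|09:02:44|302015|0.0.0.0|22911|10.61.3.50|33749|Built inbound UDP connection 5599 for outside:0.0.0.0/22911 (10.61.3.51/22911) to inside:10.61.3.50/33749 (188.232.3.6/33749)
6|Sep 13 2011|09:03:24|302016|84.253.19.240|22911|10.61.3.50|69|Teardown UDP connection 5593 for outside:74.253.19.240/22911 to inside:10.61.3.50/69 duration 0:00:47 bytes 274
"""

BUILT = re.compile(r"Built inbound UDP connection (?P<cid>\d+) for \w+:(?P<csrc>[\d.]+)/(?P<cport>\d+)"
                   r" \([\d.]+/\d+\) to \w+:(?P<srv>[\d.]+)/(?P<sport>\d+) \((?P<mapped>[\d.]+)/\d+\)")
TEARDOWN = re.compile(r"Teardown UDP connection (?P<cid>\d+) .* duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+)"
                      r" bytes (?P<bytes>\d+)")

def analyze_tftp(log_text):
    """Correlate the TFTP control flow (server port 69) with the secondary-channel
    pinholes that 'inspect tftp' opens towards the server's ephemeral ports."""
    control, secondary = None, []
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) < 9:
            continue
        msgid, text = fields[3], fields[8]
        if msgid == "302015" and (m := BUILT.search(text)):
            if m["sport"] == "69":
                control = {"conn_id": m["cid"], "client_port": m["cport"], "server": m["srv"],
                           "mapped": m["mapped"], "duration_s": None, "bytes": None}
            elif control and m["cport"] == control["client_port"]:
                # Same client port, new server port: one pinhole per server reply port.
                secondary.append(int(m["sport"]))
        elif msgid == "302016" and control and (m := TEARDOWN.search(text)):
            if m["cid"] == control["conn_id"]:
                control["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
                control["bytes"] = int(m["bytes"])
    if control is None:
        verdict = "no TFTP control connection (dst port 69) seen"
    elif len(secondary) > 1 and control["duration_s"] is not None:
        verdict = ("suspect: %d secondary pinholes opened for distinct server ports %s, "
                   "control channel torn down after %ds with %d bytes"
                   % (len(secondary), secondary, control["duration_s"], control["bytes"]))
    else:
        verdict = "single secondary channel, nothing abnormal in these lines"
    return {"control": control, "secondary_ports": secondary, "verdict": verdict}

if __name__ == "__main__":
    print(analyze_tftp(SAMPLE_LOG)["verdict"])
```

A healthy transfer shows one secondary pinhole per request; a new server port every few seconds while the control connection keeps receiving requests is the pattern to chase with the captures Federico describes.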
