Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1062
Views
0
Helpful
11
Replies

Cannot tftp image from IOS rommon prompt via ASA device

jgohil
Cisco Employee
Cisco Employee

‎09-18-2014 02:00 PM - edited ‎03-11-2019 09:46 PM

Need help configuring ASA to allow tftp download: cannot download tftp timesout Device 1 --> (Port 9 )Device 2 --> port 1(Device 2 ) --> switch --> tftp server Device 1 is sitting at rommon prompt. I would like to download an image to device 1. Device 1 configuration at rommon prompt is shown below: ap: set DEFAULT_ROUTER=192.168.10.1 IOS_STATIC_DEFAULT_GATEWAY=192.168.10.1 IOS_STATIC_IP_ADDR=192.168.10.2 IOS_STATIC_NETMASK=255.255.255.0 IP_ADDR=192.168.10.1 NETMASK=255.255.255.0 SERVERIP=171.70.42.151 Device 1 is connected to an ASA unit on port 9. ASA configuration is shown below. ciscoasa(config-if)# show run : Saved : : Serial Number: JAD18330047 : Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 100.12(10)44 ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface GigabitEthernet1/1 nameif g1 security-level 0 ip address 172.24.22.49 255.255.0.0 ! interface GigabitEthernet1/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/9 nameif g9 security-level 0 ip address 192.168.10.1 255.255.255.0 ! interface Management1/1 management-only shutdown no nameif no security-level no ip address ! ftp mode passive pager lines 24 mtu g1 1500 mtu g9 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 no ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:8a78f7d952a22f621855c62baecd3b2d : end Device 2 port 1 is connected to switch 172.24.22.49 ( and can access 171.70.42.151 tftp server ) Device 2 port 9 is connected to Device 1 192.168.10.2 I need to tftp image from device 1 rommon prompt using the following command: ( ap: copy tftp://171.70.42.151/auto/tftp-users/filename flash:filename)

Labels:
Preview file
4 KB
Preview file
95 KB
0 Helpful
11 Replies 11

Marius Gunnerud
VIP
VIP

‎09-19-2014 12:11 AM

you are missing the command same-security-traffic permit inter-interface

add that and see if you are now able to tftp through the ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎09-19-2014 06:01 AM

hi Marius,

I added the same-security-traffic permit inter-interface command. still cannot tftp.  Attached pic of my setup with the config 

Preview file
233 KB
0 Helpful

Marius Gunnerud
VIP
VIP
In response to jgohil

‎09-19-2014 01:53 PM

Are you able to ping the tftp server from the wlan?
--
Please remember to select a correct answer and rate helpful posts
0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎09-19-2014 02:19 PM

WLAN is at rommon prompt;  there is no ping command available from the rommon prompt.

arp shows the following from WLAN rommon prompt:

ap: arp
     255.255.255.255  ff:ff:ff:ff:ff:ff  0  6
        192.168.10.1  88:f0:31:0d:5c:86  132  11

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to jgohil

‎09-19-2014 11:12 PM

Please run the following packet tracer on the ASA and post the output here: packet-tracer input udp g9 172.24.22.97 12345 171.70.42.151 67 detailed
--
Please remember to select a correct answer and rate helpful posts
0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎09-20-2014 06:14 AM

Note: changed server ip to be on the same network 172.24.22.97 ( attached pic )

 

ciscoasa# packet-tracer input g9 udp 192.168.10.2 12345 172.24.22.97 67 detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c86e70, priority=1, domain=permit, deny=false
        hits=21, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=g9, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc  g1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c979b0, priority=2, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g9, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
        hits=8184, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c8f710, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g9, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
        hits=8186, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
        hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g1, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: g9
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Preview file
239 KB
0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to jgohil

‎09-20-2014 10:44 AM

 

packet-tracer command using g1 port instead of g9:

 

ciscoasa# packet-tracer input g1 tcp 192.168.10.2 12345 172.24.22.97 67 ?

  detailed  Dump more detailed information
  xml       Output in xml format
  <cr>
ciscoasa# packet-tracer input g1 tcp 192.168.10.2 12345 172.24.22.97 67 detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c27280, priority=1, domain=permit, deny=false
        hits=23, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=g1, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc  g1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c2a210, priority=111, domain=permit, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g1, output_ifc=g1

Result:
input-interface: g1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to jgohil

‎09-20-2014 11:43 AM

i added "same-security-traffic permit intra-interface" 

but still cannot tftp from 

copy tftp://172.24.22.97/filename flash:a

 

 

ciscoasa(config)# packet-tracer input g1 udp 192.168.10.2 12345 172.24.22.97 6$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.24.22.97 using egress ifc  g1

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5caed50, priority=3, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g1, output_ifc=g1

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
        hits=12047, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
        hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g1, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe54a7800, priority=0, domain=nat-per-session, deny=true
        hits=12049, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe5c2ee50, priority=0, domain=inspect-ip-options, deny=true
        hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=g1, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: g1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

 

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to jgohil

‎09-20-2014 12:10 PM

same-security-traffic permit intra-interface is for traffic entering and leaving the same interface (ie. entering one sub interface and leaving through another sub interface) so this will not be of any use in this situation.

Your packet tracer for g1 interface is incorrect. when doing the packet tracer on g1 you need to have the source IP of the tftp server not the WLAN.

packet-tracer input udp g1 172.24.22.97 12345  192.168.10.2 67 detailed

But as per the first packet tracer the traffic flow is permitted through the firewall.  Have you made sure the TFTP server is setup correctly? You could try to put an ACL on both g1 and g9 that permits IP between WLAN and the TFTP server and see if that helps...though I do not expect it to help.

Could you set up a packet capture between the g1 and g9 interface for the WLAN and TFTP server and then try to do a TFTP transfer.  Check the output to see if there is any drop and / or that you see both the request and reply for each packet.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

jgohil
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎09-20-2014 05:06 PM

don't see any activity ( or not enough )

 

ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 1 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip any any (hitcnt=0) 0x28676dfa
ciscoasa(config)# show cap
capture 101 type raw-data interface g9 [Capturing - 2225 bytes]
capture 102 type raw-data interface g1 [Capturing - 0 bytes]
  match ip host 192.168.10.2 host 172.24.22.97
  match ip 192.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
capture 103 type raw-data ethernet-type ip trace interface g9 [Capturing - 623 bytes]
 

ciscoasa(config)# show cap 101

7 packets captured

   1: 17:03:10.137978       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   2: 17:03:13.889953       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   3: 17:03:29.229465       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   4: 17:03:44.568986       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   5: 17:03:59.908446       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   6: 17:04:15.247957       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   7: 17:04:30.587478       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
7 packets shown
ciscoasa(config)# show cap 102

0 packet captured

0 packet shown
ciscoasa(config)# show cap 103

7 packets captured

   1: 17:03:10.137978       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   2: 17:03:13.889953       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   3: 17:03:29.229465       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   4: 17:03:44.568986       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   5: 17:03:59.908446       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   6: 17:04:15.247957       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
   7: 17:04:30.587478       192.168.10.1.1031 > 172.24.22.97.69:  udp 40
7 packets shown
ciscoasa(config)#

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to jgohil

‎09-21-2014 09:03 AM

Could you post the commands you used to create the packet capture please.

As per the output, we don't see any return traffic from the TFTP server so it would seem that there is an issue between the ASA and the TFTP server.  Is the TFTP server a windows server? if so have you turned off the windows firewall? is there any other software firewall installed on the TFTP server that you may have forgotten to turn off during your transfer?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card