07-05-2013 01:50 PM - edited 03-11-2019 07:07 PM
We have a pair of ASAs that are in Zone1 (x.x.33.100), and we have a TFTP server (x.x.223.108) in the Inside Zone. The zones are separated by a Checkpoint FW. When I generate TFTP traffic to copy the running config from the ASAs to the TFTP server, the Checkpoint shows a random port number like 33442 or something, instead of UDP 69.
Can any of you tell me why it is not 69? The configuration on the ASAs regarding this traffic is default.
thanks,
Han
Solved!
07-05-2013 02:26 PM
TFTP uses a dynamic DATA port, similar to FTP. That's what this additional port should be in the Checkpoint log. If that traffic is denied, you have to enable TFTP inspection on the CheckPoint.
Sent from Cisco Technical Support iPad App
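To make the "dynamic DATA port" concrete, here is an added example (not code from the thread or from Cisco/Check Point) that encodes the RFC 1350 packet types and replays a TFTP put as the sequence of datagrams a firewall between the client and server would see. Only the first datagram goes to UDP/69; the server answers from a freshly chosen ephemeral port (its Transfer ID) and every DATA/ACK afterwards uses the two TIDs. The second function labels each datagram the way a stateful firewall would, with and without TFTP inspection. Addresses and the two TID values are constructed for the example; 33442 is just reused from the thread as a plausible server TID.

```python
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
TFTP_PORT = 69
BLOCK_SIZE = 512


def build_wrq(filename, mode="octet"):
    """Encode a write request: opcode 2, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block, payload):
    """Encode a DATA packet: opcode 3, 16-bit block number, up to 512 bytes."""
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    """Encode an ACK packet: opcode 4, 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def opcode(packet):
    return struct.unpack("!H", packet[:2])[0]


def simulate_put(client_ip, server_ip, client_tid, server_tid, data):
    """Replay 'copy running-config tftp:' as the datagrams seen on the wire.
    Returns a list of (src_ip, src_port, dst_ip, dst_port, opcode).
    client_tid / server_tid are the ephemeral ports (Transfer IDs) each side picks."""
    flows = []
    # 1. Only the request is addressed to the well-known port 69.
    flows.append((client_ip, client_tid, server_ip, TFTP_PORT, opcode(build_wrq("asa-running.cfg"))))
    # 2. The server replies from a NEW ephemeral port (its TID), not from 69.
    flows.append((server_ip, server_tid, client_ip, client_tid, opcode(build_ack(0))))
    # 3. Every DATA block and its ACK travel between the two TIDs.
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    if len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")  # a final short (here empty) block terminates the transfer
    for n, chunk in enumerate(blocks, start=1):
        flows.append((client_ip, client_tid, server_ip, server_tid, opcode(build_data(n, chunk))))
        flows.append((server_ip, server_tid, client_ip, client_tid, opcode(build_ack(n))))
    return flows


def ports_seen_by_firewall(flows, server_ip):
    """Destination ports on the server side, as a per-packet firewall log would show them."""
    return sorted({dport for (_, _, dst, dport, _) in flows if dst == server_ip})


def classify(flows, tftp_inspection):
    """Label each datagram 'match' (belongs to a known session) or 'new' (must pass
    the rulebase as a fresh connection). With tftp_inspection=True the firewall,
    having seen a request to UDP/69, opens a pinhole for the server's reply from
    any source port back to the client's TID (a simplified model of the feature)."""
    sessions, pinholes, labels = set(), set(), []
    for src, sport, dst, dport, op in flows:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in sessions or rkey in sessions:
            labels.append("match")
        elif (src, dst, dport) in pinholes:
            labels.append("match")  # server's reply from its TID, allowed by the pinhole
            sessions.add(key)
        else:
            labels.append("new")
            sessions.add(key)
            if tftp_inspection and dport == TFTP_PORT and op in (OP_RRQ, OP_WRQ):
                pinholes.add((dst, src, sport))
    return labels


if __name__ == "__main__":
    # Constructed addresses; 1000 bytes of "config" gives two DATA blocks (512 + 488).
    f = simulate_put("10.0.33.100", "10.0.223.108", 51000, 33442, b"x" * 1000)
    print("server-side ports seen:", ports_seen_by_firewall(f, "10.0.223.108"))
    print("no inspection:  ", classify(f, tftp_inspection=False))
    print("with inspection:", classify(f, tftp_inspection=True))
```

Without inspection the server's first reply from its TID has no matching session and is logged as a new connection; with inspection the request to 69 opens the pinhole and only the initial request shows up as new. A log entry for a new UDP connection to the server on a high port, with no preceding UDP/69 entry, is therefore the thing to explain, which is what the later replies in this thread chase.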
07-05-2013 01:52 PM
Just add a pic of the traffic on the Checkpoint.
07-08-2013 06:11 AM
Karsten,
Our Checkpoint guy told me that the inspection is enabled and this traffic is a "new initiation", meaning it is started to reach port 33442 instead of 69.
Any idea?
thanks,
Han
07-08-2013 06:30 AM
More ideas ...
1) Is there a connection on UDP/69 directly before this UDP/33442 traffic is seen on the Checkpoint?
2) Look at your ASA log to see which traffic relates to your TFTP process, to correlate that with the CheckPoint log.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
07-08-2013 07:51 AM
Karsten,
No UDP/69 seen. The ASA logs look strange to me. I don't find any traffic in the log to the destination of the TFTP server, and there are a lot of messages like the following:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.
thanks,
Han
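Karsten's second suggestion (pull the TFTP-related entries out of the ASA log and correlate them with the Check Point log) is easy to script. The following is an added example, not code from the thread or from Cisco: it parses two documented ASA syslog templates, the 302015 "Built ... UDP connection" message and the 305013 "NAT reverse path failure" message quoted above, and summarizes everything that touches the TFTP server. The sample log lines, addresses, interface names and connection ids are constructed for the example; the regexes follow the message templates and do not handle every optional field (such as the idfw_user suffix).

```python
import re

# Constructed sample lines following the documented ASA message templates.
# Addresses, interface names and connection ids are made up for this example.
SAMPLE_ASA_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1001 for inside:10.0.33.100/51000 (10.0.33.100/51000) to outside:10.0.223.108/69 (10.0.223.108/69)
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection UDP src outside:10.0.223.108/33442 dst inside:10.0.33.100/51000 denied due to NAT reverse path failure.
%ASA-6-302015: Built outbound UDP connection 1002 for inside:10.0.33.100/51001 (10.0.33.100/51001) to outside:10.0.50.5/53 (10.0.50.5/53)
%ASA-6-302016: Teardown UDP connection 1002 for inside:10.0.33.100/51001 to outside:10.0.50.5/53 duration 0:00:01 bytes 120
"""

BUILT = re.compile(
    r"%ASA-\d-(?P<id>302015): Built (?:inbound|outbound) UDP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\)"
)
RPF = re.compile(
    r"%ASA-\d-(?P<id>305013): .*?Connection (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure"
)


def parse_asa(text):
    """Return one dict per recognised line; lines matching neither template are skipped."""
    events = []
    for line in text.splitlines():
        m = BUILT.search(line) or RPF.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["raw"] = line
        events.append(e)
    return events


def correlate(events, server_ip, well_known=69):
    """Summarise everything involving the TFTP server:
    - requests: connections built to the server on the well-known port (the WRQ/RRQ leg)
    - failures: 305013 reverse-path drops involving the server (a leg the ASA refused)
    - server_side_ports: every port the server used, so a dynamic TID stands out next to 69
    """
    summary = {"requests": [], "failures": [], "server_side_ports": set()}
    for e in events:
        if server_ip not in (e["src"], e["dst"]):
            continue
        server_port = e["dport"] if e["dst"] == server_ip else e["sport"]
        summary["server_side_ports"].add(server_port)
        if e["id"] == "302015" and e["dst"] == server_ip and e["dport"] == well_known:
            summary["requests"].append(e)
        if e["id"] == "305013":
            summary["failures"].append(e)
    return summary


if __name__ == "__main__":
    s = correlate(parse_asa(SAMPLE_ASA_LOG), "10.0.223.108")
    print("requests to UDP/69:", len(s["requests"]))
    print("server-side ports :", sorted(s["server_side_ports"]))
    for f in s["failures"]:
        print("reverse path failure on", f["src"], f["sport"], "->", f["dst"], f["dport"])
```

Run against a real export, the interesting output is a 305013 entry whose source is the TFTP server on a high port: that is the server's reply from its Transfer ID being dropped by the ASA before the data-port flow can be established, which is exactly the leg to line up, by timestamp and port, with the "new initiation" entry on the Check Point.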
07-17-2013 10:09 AM
The reason is that someone had a typo on the ACL and we corrected it. As to why this typo can cause that kind of symptom, I haven't understood that myself yet.
But thanks,
Han