Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Can't get TFTP to work through PIX Firewall

Trying to setup a conduit to a statically configured inside,outside address. using

conduit permit udp host (Eternal Address) eq tftp any

I can attach to the internal address and download a file via tftp from the inside ( using a laptop configured with an internal address) but when I try and download the file from the outside (same laptop connected to our external network with an external address) I always receive a timeout. I can hit the www port with the web browser but not the tftp with a tftp client. If this is possible how can I do it. I am trying to setup automatic client updates for my VPN 3002 clients and it is not working.


Bruce Jones

Cisco Employee

Re: Can't get TFTP to work through PIX Firewall

Certainly should be possible, but it's hard to tell with the info you've given. Is the static a one-to-one static or a port static? Is the WWW port that is working associated with the same static and therefore the same internal server?

What does the PIX syslog show when you try and start a TFTP connection, that'll give you the most information about what's going on?

Community Member

Re: Can't get TFTP to work through PIX Firewall

Problem solved but new info below.

The configured static is a single external to single internal ip address translation with a conduit permit over the top allowing tftp into the port(external address in the command for Conduit permit). www site is on same internal server as tftp.

example external address is internal address is my actual IPs using bogus ones)

command in pix

static (inside,outside) netmask 0 0

conduit permit tcp host eq www any

conduit permit udp host eq tftp any

No other translations to either of these addresses.

Okay now new info.

I was able to connect to the tftp while direct connecting to the outside network with a laptop but not from behind the VPN 3002 translation(Split tunneling enabled). Probably something to do with translation of ports below 1024. The 3002 was what I wanted to tftp the to for update. It would start the connection to the external tftp server address and act like it was going to download but never actually started the transfer. Know this from server log.


I then decided to change the tftp address in the autoupdate on the main concentrator to point to the internal address ot the tftp server which was reachable after the tunnel was established. The VPN 3002 was able to pull the file from the tftp server and update itself. Thanks for your help.


CreatePlease to create content