Cisco Support Community

TFTP via Site-to-Site Tunnel

I have an L2L ipsec tunnel between two of our production environments.

On one device, a Fortigate, we have our main network where my workstation resides. On the other device, an ASA 5505, is where I am trying (via the CLI) to tftp to my workstation (running a tftp server).

On my ASA 5505 via CLI, I tried to perform a tftp session with my workstation. Reviewing the live log in the ASDM, I noticed that it was not using the tunnel to get to my address.

What I do not understand is that if I ping my workstation from a workstation behind the network of the ASA, it is successful. When I ping via the CLI in the ASA, I have to specifically add that it uses the "internal" interface.

Furthermore, I set up a static route to the network where my workstation resides and used the ASA's "inside" interface as the gateway (this is what our workstations in the ASA network use). Yet, this still didn't work.

Can anyone give me pointers on how to assure I can tftp to my network behind the Fortigate?

Thanks in Advance...


Re: TFTP via Site-to-Site Tunnel

The issue here is the ASA is using its outside interface as the source address. This address most likely is not defined as interesting traffic for the vpn tunnel. Adding this address to the crypto acl should solve your issue. I assume you will also need to add the traffic to the Fortigate device.

access-list <acl-name> extended permit ip host <asa-outside-ip> host <workstation-ip>
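The fix described in this reply, written out as a complete ASA crypto ACL in context (an added example, not configuration from the thread; all names and addresses are assumed placeholders, not the poster's values):

```text
! Assumed addressing for this example (placeholders, not from the thread):
!   LAN behind the ASA            192.0.2.0/24
!   ASA outside interface address 198.51.100.1
!   LAN behind the Fortigate      203.0.113.0/24
!   workstation running the TFTP server 203.0.113.50
!
! Existing LAN-to-LAN entry: covers hosts behind the ASA, which is why a
! ping from a workstation on the inside network already goes through the tunnel.
access-list VPN-L2L extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
!
! Added entry: traffic the ASA itself originates toward the remote LAN is sourced
! from the outside interface address, so that host must be interesting traffic too.
access-list VPN-L2L extended permit ip host 198.51.100.1 host 203.0.113.50
!
! The ACL must be the one bound to the crypto map entry for this peer.
crypto map OUTSIDE_MAP 10 match address VPN-L2L
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP interface outside
!
! The copy that triggers the ASA-originated TFTP flow (sourced from 198.51.100.1).
copy running-config tftp://203.0.113.50/asa-backup.cfg
```

The Fortigate's phase 2 selectors must mirror the new host entry (203.0.113.50/32 to 198.51.100.1/32 in this example) or phase 2 will not negotiate for it; `show crypto ipsec sa` on the ASA should then list a security association with those host-to-host selectors once the copy runs.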
