Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Backing up an ASA

Status
Not open for further replies.

North323

Technical User
Jan 13, 2009
966
US
ok so I have an ASA 5505 and try to back it up and tftp the config. there is a vpn tunnel between the two locations. i can tftp when im on the subnet but not through the tunnel. so where does the back up originate from? the outside interface?
 
I would imagine so, its more than likely the same as when the device is acting as a dhcp-rely across a tunnel. The request is sourced from the outside.

try add a rule to your crypto access-list that specifies the outside interface IP address to the tftp server IP address using tftp and the mirror the access-list on the remote end.
 
It would originate from the interface in which you are connected to.
 
ok so then why can I not tftp back to my home office with this config?

this is all the tunnel traffic
access-list crypto10 extended permit ip object-group XYZLocal any

ASA Version 8.0(4)
!
hostname XYZ0101025505
domain-name ABCDOH.NET
enable password
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name X.Y.67.0 Cityville_VLAN67
name X.Y.2.0 Cityville_VLAN2
name X.Y.7.0 Cityville_VLAN7
name X.Y.6.0 Cityville_VLAN6
name X.Y.8.0 Cityville_VLAN8
name X.Y.5.0 Cityville_VLAN5
name X.Y.1.0 Cityville_VLAN1
name X.Y.4.0 Cityville_VLAN4
name X.Y.32.0 Subnet32
name X.Y.75.0 Cityville_Vlan75
!
interface Vlan64
nameif XYZNetwork
security-level 100
ip address X.Y.Z.251 255.255.255.0
!
interface Vlan1201
nameif Internet
security-level 0
ip address 1.1.1.1 255.0.0.0
!
interface Vlan1204
nameif XYZ
security-level 0
ip address X.Y.Z.251 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 1200-1204
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 64
!
interface Ethernet0/2
switchport access vlan 64
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner login c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner motd c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone UTC -4
dns server-group DefaultDNS
domain-name ABCDOH.NET
object-group network XYZLocal
description ABCD XYZ Office
network-object X.Y.64.0 255.255.255.0
object-group network XYZtownRemote
description Remote network list for the ABCD XYZtown office.
network-object X.Y.2.0 255.255.255.0
network-object X.Y.67.0 255.255.255.0
network-object X.Y.7.0 255.255.255.0
network-object X.Y.1.0 255.255.255.0
network-object X.Y.5.0 255.255.255.0
network-object X.Y.6.0 255.255.255.0
network-object X.Y.8.0 255.255.255.0
network-object X.Y.4.0 255.255.255.0
network-object X.Y.32.0 255.255.255.0
network-object X.Y.75.0 255.255.255.0
access-list crypto10 extended permit ip object-group XYZLocal any
access-list inside_outbound_nat0_acl extended permit ip object-group XYZLocal any
access-list ABCD extended permit icmp any any
access-list ABCD extended permit tcp host X.Y.99.3 any eq 50 log
access-list ABCD extended permit tcp host X.Y.99.3 any eq 51 log
access-list ABCD extended permit udp host X.Y.99.3 any eq isakmp log
access-list ABCD extended permit ip host X.Y.99.0 any log
access-list ABCD extended permit icmp X.Y.0.0 255.255.0.0 any
access-list ABCD extended deny ip 14.2.6.0 255.255.255.0 any log
access-list ABCD extended deny ip 127.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 10.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 0.0.0.0 255.0.0.0 any log
access-list ABCD extended deny ip 192.168.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 192.0.2.0 255.255.255.0 any log
access-list ABCD extended deny ip 169.254.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 224.0.0.0 224.0.0.0 any log
access-list ABCD extended deny ip host 255.255.255.255 any log
access-list ABCD extended deny icmp any any echo log
access-list ABCD extended deny icmp any any redirect log
access-list ABCD extended deny icmp any any mask-request log
access-list ABCD extended permit ip host X.Y.75.0 interface XYZNetwork log
pager lines 24
logging console debugging
logging monitor warnings
logging buffered debugging
logging asdm informational
mtu XYZNetwork 1500
mtu Internet 1500
mtu XYZ 1500
ip verify reverse-path interface XYZ
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any XYZNetwork
icmp permit any XYZ
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (XYZNetwork) 0 access-list inside_outbound_nat0_acl
access-group ABCD in interface XYZ
route XYZ 0.0.0.0 0.0.0.0 X.Y.99.251 1
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set ABCDXYZ esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map XYZ 10 match address crypto10
crypto map XYZ 10 set peer X.Y.99.3
crypto map XYZ 10 set transform-set ABCDXYZ
crypto map XYZ 10 set security-association lifetime seconds 28800
crypto map XYZ 10 set security-association lifetime kilobytes 4608000
crypto map XYZ interface XYZ
crypto isakmp enable XYZ
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 120
telnet timeout 1
ssh X.Y.64.0 255.255.255.0 XYZNetwork
ssh X.Y.75.0 255.255.255.0 XYZNetwork
ssh timeout 5
ssh version 2
console timeout 5
management-access XYZNetwork

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username
tunnel-group X.Y.99.3 type ipsec-l2l
tunnel-group X.Y.99.3 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum
: end
 
I believe this relates to WHERE the TFTP traffic is being generated on the ASA and if the traffic is being recognised as interesting and thus sent down the tunnel.

The TFTP traffic never passes THROUGH an interface so is not identified as interesting, and thus sent down the tunnel. You'll have a similar problem with ping from the ASA (unless you specify an interface)...

-Blue
The significant problems we face cannot be solved at the same level of thinking we were at when we created them
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top