cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
294
Views
0
Helpful
1
Replies

Cisco DNA Device Image update with remote sites (public IP)

stewie12
Level 1
Level 1

Hey brains trust,
Finally got my hands on a DNA vAppliance!

I've got 50+ ISR1100 router and wanting to push a image update to these devices.
Issue I have is DNA is within our internal network 10.1.x.x and the ISRs are managed via their public IP address.

When I run the image update task, the ISR tries to fetch it via DNAs internal IP 10.1.x.x and for those routers that don't have a VPN tunnel configured it will fail as it has no route to int, only external.

Is there a way to configure an alternate IP address for the local image distribution and i can allow inbound NAT from external?

I can see i can add additional Image Distribution Servers in DNAC, but even if I did put one with a public accessible address, I'd need to specify the public IP then NAT it back inbound to a server that is running SFTP\SCP and that is assuming I can select which image distro server is deployed to the ISR for download

Any ideas to overcome this?

I've tried to do ip nat outside source static x.x.x.x 10.1.x.x on the ISR
I can see that this traffic hits the ASA but doesn't return, if I test on the ISR with the direct public IP NATd to DNA works fine. Not sure what i'm missing here, getting lost in translation!

If i didn't have DNAC i'd just just a manual script, update the device config with the correct self zone ACLs, sftp user\pass and run a copy command via a public IP address that is NATd back to a corp sftp server. But having DNAC should eliminate such tasks and allow automaton.

Any help would be greatly appreciated

Cheers!

1 Reply 1

Preston Chilcote
Cisco Employee
Cisco Employee

If Catalyst Center is managing these devices correctly, then I would expect they have to be reachable for things like ping, snmp, and syslog.  If that connectivity exists, then I expect SWIM to work fine over as well (it will try to use HTTPS first, following by SCP if there is no HTTPS connectivity. 

So are these devices without a VPN tunnel showing up as "Managed" in Inventory?  Is there a reason they all can't have a VPN tunnel for management purposes?

Review Cisco Networking for a $25 gift card