
Cisco DNA Device Image update with remote sites (public IP)

stewie12
Level 1

Hey brains trust,
Finally got my hands on a DNA vAppliance!

I've got 50+ ISR1100 routers and want to push an image update to these devices.
The issue I have is that DNA is within our internal network (10.1.x.x) and the ISRs are managed via their public IP addresses.

When I run the image update task, the ISR tries to fetch it via DNA's internal IP 10.1.x.x, and for those routers that don't have a VPN tunnel configured it will fail, as they have no route to the internal network, only external.

Is there a way to configure an alternate IP address for the local image distribution so I can allow inbound NAT from external?

I can see I can add additional Image Distribution Servers in DNAC, but even if I did add one with a publicly accessible address, I'd need to specify the public IP and then NAT it back inbound to a server running SFTP/SCP, and that is assuming I can select which image distribution server is deployed to the ISR for download.

Any ideas to overcome this?

I've tried doing ip nat outside source static x.x.x.x 10.1.x.x on the ISR.
I can see that this traffic hits the ASA but doesn't return; if I test on the ISR with the direct public IP NATed to DNA, it works fine. Not sure what I'm missing here, getting lost in translation!

If I didn't have DNAC I'd just use a manual script: update the device config with the correct self-zone ACLs and SFTP user/pass, then run a copy command via a public IP address that is NATed back to a corp SFTP server. But having DNAC should eliminate such tasks and allow automation.

Any help would be greatly appreciated

Cheers!


Preston Chilcote
Cisco Employee

If Catalyst Center is managing these devices correctly, then I would expect they have to be reachable for things like ping, SNMP, and syslog. If that connectivity exists, then I expect SWIM to work fine as well (it will try to use HTTPS first, followed by SCP if there is no HTTPS connectivity).

So are these devices without a VPN tunnel showing up as "Managed" in Inventory?  Is there a reason they all can't have a VPN tunnel for management purposes?