Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


Upgrade ASA over VPN via inside interface


I am trying to upgrade a Cisco ASA over an IPSEC VPN tunnel. My FTP server is on the remote side of the VPN tunnel but I am initiating connections from the inside interface of the firewall. I am currently managing the Firewall over the VPN via it's inside interface (using the management-access inside) command. When I try and update via FTP, the connection is going straight out the outside interface (and not across the VPN tunnel)

I have tried upgrading via TFTP but it keeps stopping randomly with (unspecified error) I normally upgrade via FTP though but it's not working in this instance.

Essentially what I am asking, is is there an equivalent command for FTP that there is for TFTP: tftp-server interface ip anyconnect

I need the connections to originate from the inside interface so they traverse the VPN. I am running 7.2.3

Thanks in advance.


Upgrade ASA over VPN via inside interface


I havent tested this myself other than in L2L VPN situations but would there be a possibility to add the actual VPN endpoint pubpic IP address in the VPN Client configurations and with that enable yourself to transfer files through the VPN Client connection?

Other options I would think would be

  • Simply using a host on the LAN for the update process. Both loading the image to the LAN computer and from there to the actual ASA
  • Host the file somewhere on the public network though I guess you would do this if you had a chance to host a publicly reachable server at your location? Could there be a chance to use a temporary portforward configuration at your local site to enable transfers?

I might be able to lab this at some point.

- Jouni


Upgrade ASA over VPN via inside interface

Hi Jouni

Thanks a lot for all the suggestions, I do have the option of putting it on a public FTP server but I was looking at ways to do it over the VPN.

I will do some testing.

Thank you



From the remote firewall, to

From the remote firewall, to specify the source interface, try this: 

 copy tftp://;int=inside flash:

Here is where I got this:

Everyone's tags (1)

Re: From the remote firewall, to

I know this is an old post, but this command does work. I was pulling my hair out trying to ftp new images to my ASAs over site-to-site VPNs; this did the trick! Thank you Dan Mullendore!
CreatePlease to create content
Content for Community-Ad
FusionCharts will render here