10-16-2008 07:55 AM - edited 03-11-2019 06:58 AM
Running ASA v8.x. I'm trying to save the run to a TFTP server that's connected via a VPN tunnel. I have "management-interface inside" set up so I can get remote access via ASDM, but I'm not sure how to get TFTP to work. I defined the tftp client in configuration>Device management>management access>file access>tftp client to be the IP of my vpn connected tftp server and set it to "Inside", but it just times out. I don't see any denials in the logs.
I'm probably missing something basic, but I assume others have tried to save their running config to a central TFTP server, not?
Thanks in advance.
Steve
10-16-2008 11:02 AM
Hi Steve,
You're almost there. This is what I understand from your post: you have a TFTP server running on the VPN client machine, and when you VPN into your network you want to copy the ASA configuration to that TFTP server. Please let me know if this is not correct, but if the above is so, you need to do a few things in this scenario.
On the ASA you have to define a TFTP server and path. Assume you have created a folder called root on the TFTP server, and assume the VPN pool network is 10.20.20.0/24.
i.e.
asa(config)# tftp-server inside
That's it.
Once you VPN in and successfully connect, you need to stop and restart the TFTP server on that machine so that TFTP can also bind to the IP assigned by the ASA RA pool, so TFTP UDP port 69 will be listening on two IP addresses: the local NIC of the PC and the VPN RA virtual IP.
Once you have that, then try copying the running config to TFTP.
Note the following:
When it asks you in the field below, you need to specify the RA client virtual IP of 10.20.20.20, where TFTP is running.
Address or name of remote host [10.20.20.0]? 10.20.20.20
asa#copy running-config tftp
Source filename [running-config]?
Address or name of remote host [10.20.20.0]? 10.20.20.20
Destination filename []? asa_config _test9
Cryptochecksum: 913690bd 97637c7a aa5060dc 049c1919
!!!!!
If your scenario is a VPN tunnel, the same principle applies, other than permitting UDP for TFTP in your nonat ACL on that L2L tunnel.
Rgds
Jorge
10-16-2008 01:05 PM
Jorge,
I'm so sorry, I left out one very important fact. This is on a site-to-site VPN, not a VPN connected client. My TFTP server is running on a machine across a VPN tunnel away from the ASA.
Thanks so far!
Steve
03-04-2009 02:51 PM
Hi, I'm trying to accomplish this as well. Were you able to find a resolution?
It appears the write net tftp command is not triggering the crypto map, even though the crypto ACL parameters include the destination TFTP server.
One thing I've considered is that my crypto policies are applied to the outside interface. Perhaps I need one on the inside interface as well...
03-04-2009 03:12 PM
Nope, sorry. I basically am working around it by putting tftp up temporarily on the inside interface on a box I have available there. :-(