
Upgrade ASA over VPN via inside interface

velo84
Level 1

Hello

I am trying to upgrade a Cisco ASA over an IPSEC VPN tunnel. My FTP server is on the remote side of the VPN tunnel but I am initiating connections from the inside interface of the firewall. I am currently managing the firewall over the VPN via its inside interface (using the management-access inside command). When I try and update via FTP, the connection is going straight out the outside interface (and not across the VPN tunnel).

I have tried upgrading via TFTP but it keeps stopping randomly with (unspecified error). I normally upgrade via FTP, though, but it's not working in this instance.

Essentially, what I am asking is: is there an equivalent command for FTP like there is for TFTP: tftp-server interface ip anyconnect

I need the connections to originate from the inside interface so they traverse the VPN. I am running 7.2.3

Thanks in advance.

4 Replies

Jouni Forss
VIP Alumni

Hi,

I haven't tested this myself other than in L2L VPN situations but would there be a possibility to add the actual VPN endpoint public IP address in the VPN Client configurations and with that enable yourself to transfer files through the VPN Client connection?

Other options I would think would be

  • Simply using a host on the LAN for the update process. Both loading the image to the LAN computer and from there to the actual ASA
  • Host the file somewhere on the public network though I guess you would do this if you had a chance to host a publicly reachable server at your location? Could there be a chance to use a temporary portforward configuration at your local site to enable transfers?

I might be able to lab this at some point.

- Jouni

Hi Jouni

Thanks a lot for all the suggestions, I do have the option of putting it on a public FTP server but I was looking at ways to do it over the VPN.

I will do some testing.

Thank you

Mark

Dan Mullendore
Level 1

From the remote firewall, to specify the source interface, try this: 

 copy tftp://1.1.1.1/filename.bin;int=inside flash:

Here is where I got this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/command/reference/cref_txt/c.html#wp1970383

I know this is an old post, but this command does work. I was pulling my hair out trying to ftp new images to my ASAs over site-to-site VPNs; this did the trick! Thank you Dan Mullendore!