There are many obvious reason to use FTP to upload an image, but the one I'm  going to cover is transferring an IOS image across the internet using HTTP. This  tutorial will work for FTP as well.

Referring to the image above, we want to upgrade the IOS on RTR-A. We will be  accessing the IOS image that is on the web server with the address of  b.b.b.2. The command we use is

copy  http://b.b.b.2/c3825-advsecurityk9-mz.124-25a.bin flash:

Now is where the fun starts! The first thing you may need to do is disable  passive FTP on RTR-A. The default is to use passive FTP.

no ip ftp passive

Next run the copy command from above.

RTR-A#copy  http://b.b.b.2/c3825-advsecurityk9-mz.124-25a.bin flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]?
%Error opening http://b.b.b.2/c3825-advsecurityk9-mz.124-25a.bin (I/O  error)

Well that's no good. What's going on? Checking the ACL applied to the public  interface, we some denied traffic.

057557: Jul 1 12:43:37 CST: %SEC-6-IPACCESSLOGP: list 102  denied tcp b.b.b.2(80) -> a.a.a.2(20651), 1 packet

Ahh, we need to create an ACE to allow the traffic. But take a look at the  destination address. In this case it's a.a.a.2 which is the PAT address for  internal clients, not the interface IP of a.a.a.1 Add the ACE to the ACL.

permit tcp host b.b.b.2 host a.a.a.2 eq 80

Try the copy again.

RTR-A#copy  http://b.b.b.2/c3825-advsecurityk9-mz.124-25a.bin flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]?
Loading http://b.b.b.2/c3825-advsecurityk9-mz.124-25a.bin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
23372352 bytes copied in 344.504 secs (67843 bytes/sec)

Now it's working! Don't forget to verify the image. Directions for that can  be found at https://supportforums.cisco.com/docs/DOC-6033