Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
218020
Views
26
Helpful
5
Comments

ASA: How to download images using TFTP, FTP, HTTP, HTTPS and SCP

Dev Vishwakarma
Cisco Employee
Cisco Employee

‎04-19-2012 12:47 AM - edited ‎03-08-2019 06:45 PM

 

Introduction

This document talks about how to download images on ASA using different transfer mechanisms. For example, TFTP, FTP, HTTP, HTTPS and SCP.

 

Using TFTP

From a command line:

1. Enter the following command:

copy tftp://<SERVER>[/path]/filename {flash:/ | disk0:/ |disk1:/ } [path/] filename

 

Example:

Upgrading Cisco ASA Failover Pair - 3 - 5/7/2008

copy tftp://x.x.x.x/ asa803-19-k8.bin disk0:/ asa803-19-k8.bin

 

2. ASA will confirm the server and filename, review each and press enter:

Address or name of remote host [x.x.x.x]?

Source filename [asa803-19-k8.bin]?

Destination filename [asa803-19-k8.bin]?

 

3. If the ASA can communicate with TFTP server, you should see a bunch of !!!!!!! filling

your screen. Monitor this process, if you do not have enough space in the location you’re

moving the file to, you will receive an error during the write process.

 

Using FTP

From a command line:

1. Enter the following command:

copy ftp://[username[:password]@]<SERVER>[/path]/filename {flash:/ | disk0:/ | disk1:/ } [path/] filename

Example:

copy ftp://cisco:XXXXX@x.x.x.x/ asa803-19-k8.bin disk0:/ asa803-19-k8.bin

 

2. ASA will confirm the server and filename, review each and press enter:

Address or name of remote host [x.x.x.x]?

Source username [cisco]?

Source password [XXXXX]?

Source filename [asa803-19-k8.bin]?

Destination filename [asa803-19-k8.bin]?

 

3. If the ASA can communicate with FTP server, you should see a bunch of !!!!!!! filling

your screen. Monitor this process, if you do not have enough space in the location you’re

copying the file to, you will receive an error during the write process.

 

Using HTTP(S)

From a command line:

1. Enter the following command:

copy http[s]://[username[:password]@]<SERVER>[:port] [/path]/filename {flash:/ | disk0:/ | disk1:/ } [path/]filename

Example:

copy http://cisco:XXXXX@x.x.x.x:80/ asa803-19-k8.bin disk0:/ asa803-19-k8.bin

 

2. ASA will confirm the server and filename, review each and press enter:

Address or name of remote host [x.x.x.x]?

Source filename [asa803-19-k8.bin]?

Destination filename [asa803-19-k8.bin]?

 

3. If the ASA can communicate with HTTP server, you should see a bunch of !!!!!!! filling

your screen. Monitor this process, if you do not have enough space in the location you’re

copying the file to, you will receive an error during the write process.

 

Using SSH/SCP

The SCP method is the most secure. Before using the method, you need to make sure SCP is enabled on the firewall.

 

1. Enable SCP on the ASA

To use the SCP method, you must first enable it on the firewall:

hostname(config)# ssh scopy enable

 

2. Copying files to the ASA

From a Unix/Linux host with OpenSSH or Tectia SSH installed:

1. Enter the following command:

scp –v <filename> username@asa_address

Example: scp –v asa803-19-k8.bin cisco@x.x.x.x

Labels:
Comments
Dan Mullendore
Level 1
Level 1
‎03-24-2016 12:37 PM

To specify the source interface (if you are pulling the file from a remote site through a VPN tunnel and need the copy to source from the inside interface)

try this: 

 copy tftp://1.1.1.1/filename.bin;int=inside flash:

Here is where I got this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/command/reference/cref_txt/c.html#wp1970383

smarteam
Level 1
Level 1
‎08-23-2018 10:07 AM

Thank you Dan! The inside trick for over the VPN is what I've been looking for!

jmaldonado@nygenome.org
Level 1
Level 1
‎01-08-2019 09:20 AM

Question:

 

If i wanted to copy a file FROM disk0: on the ASA to a MacOS laptop, what would the syntax of the command be?

 

would it be different for Windows or Ubuntu?

 

and would I need to have the ssh scopy enable command on as well?

 

rjethani
Cisco Employee
Cisco Employee
‎03-05-2019 02:04 AM

Can copy http://...  be used as a part of Day 0 config file?

 

I actually want to download and configure anyconnect package as a part of Day 0 config file. Is this even possible?

thedao
Level 1
Level 1
‎11-27-2024 08:08 PM

Dear @Dev Vishwakarma 

I tried to use SCP to upload the ASDM image file to ASA 5520 via local IP but it seem failed (tried with different directories still the same). Please show me how to fix it. I need ASDM installed on my ASA 5520. Thank you very much!!!
This is my command on Linux Server:

[root@softswitch ~]# scp -v asdm-751-90.bin admin@172.16.10.2:/disk0/
Executing: program /usr/bin/ssh host 172.16.10.2, user admin, command scp -v -t /disk0/
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.10.2 [172.16.10.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '172.16.10.2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
admin@172.16.10.2's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: scp -v -t /disk0/
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 1536, received 1272 bytes, in 0.0 seconds
Bytes per second: sent 788453.2, received 652937.8
debug1: Exit status 0
lost connection
[root@softswitch ~]#
[root@softswitch ~]#
[root@softswitch ~]# scp -v asdm-751-90.bin admin@172.16.10.2:/admin/
Executing: program /usr/bin/ssh host 172.16.10.2, user admin, command scp -v -t /admin/
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.10.2 [172.16.10.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '172.16.10.2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
admin@172.16.10.2's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: scp -v -t /admin/
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 1536, received 1272 bytes, in 0.0 seconds
Bytes per second: sent 784134.7, received 649361.6
debug1: Exit status 0
lost connection

[root@softswitch ~]# scp -v asdm-751-90.bin admin@172.16.10.2
Executing: cp asdm-751-90.bin admin@172.16.10.2
You have mail in /var/spool/mail/root
[root@softswitch ~]#


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents