Showing results for 
Search instead for 
Did you mean: 

Using SCP to backup your configs safely.


I have installed SSH to use as an encrypted method of logging onto my routers. It works. I also enabled the SCP server on the cli, router config#ip scp server enable. (be careful here because scp has a slight vulnerability where a user with a restricted view can still use it. This has been fixed in the latest, 20050325 releases).

The thing is that the secure copy protocol is dificult to use. There is no information on either Cisco or other web sites on how to use it to back up configs.

I tried WinSCP, and PuTTY pscp. Neither one seem to work as servers, in other words, you can't initiate SCP transfers from the router to the Windows box with these clients. All I manage to get is errors about sftp or ... when trying to initiate from the windows box.

It may be that you need to use Cisco Works LMS to perform the copy. The SCP server service on the router is embeded and may not completely follow standards for the protocol, or ???

Any ideas?


Yudong Wu
Rising star
Rising star

How about you setup a SCP server on PC, and then use "copy" command to transfer file from router to it.

Yes, there might be certain compatibility issue between router SCP server and those third party SCP clients.

Frequent Contributor
Frequent Contributor

very easy as a,b,c:

a- ip domain-name

b- crypto key zerosize rsa

c- crypto key generate rsa -- choose 1024

d- username cciesec privilege 15 pass cisco

e- aaa new-model

f- aaa authentication login default local

g- aaa authorization exec default local

h- line vty 0 4

i- login authentication default

[Expert@NEO-labgw]# scp cciesec@ .


running-config 100% 4131 47.4KB/s 00:00

Connection to closed by remote host.


Easy for you.. A couple of questions. Why not use a 2048 key? Got the part about setting up the Cisco device,

a)create a domain name so that the crypto key generate will work,

b)zeroize the old rsa keys on the Cisco box.

c - i) set up the AAA for SSH and SCP.

The next part, what is going on with the following statement:

[Expert@NEO-labgw]# scp cciesec@ .


Are you entering the SCP service from the Cisco device and sending the running-config to the PC running some kind of SCP server?


Frequent Contributor
Frequent Contributor

Yes, PC is running CentOS Linux version 5.2.

Host "NEO-labgw" is a CentOS Linux box which has scp/sftp built-in by default

Thanks. I was hoping for a Windows solution. It is good to know that you can PULL a running config from a linux box. It looks like the Cisco SCP service on the Cisco box can look like an SCP client to CentOS Linux. thx

Frequent Contributor
Frequent Contributor

My solution also works on Windows solution as well, if you use pscp.exe. One thing to keep in mind is that if you use "pscp.exe" for scp, you need to use the "-pscp" option, like this:

C:\temp>pscp.exe -scp cciesec@ .

Using keyboard-interactive authentication.


running-config | 4 kB | 4.0 kB/s | ETA: 00:00:00 | 100%


Again, easy right?

Still no go.

C:\PuTTY>pscp -scp -v Bruce@

Where is the cisco device.

I get the usage info when trying to do it.

C:\PuTTY>pscp -scp -v Bruce@

PuTTY Secure Copy client

Release 0.60

Usage: pscp [options] [user@]host:source target

pscp [options] source [source...] [user@]host:target

pscp [options] -ls [user@]host:filespec


-V print version information and exit

-pgpfp print PGP key fingerprints and exit

-p preserve file attributes

-q quiet, don't show statistics

-r copy directories recursively

-v show verbose messages

-load sessname Load settings from saved session

-P port connect to specified port

-l user connect with specified username

-pw passw login with specified password

-1 -2 force use of particular SSH protocol version

-4 -6 force use of IPv4 or IPv6

-C enable compression

-i key private key file for authentication

-noagent disable use of Pageant

-agent enable use of Pageant

-batch disable all interactive prompts

-unsafe allow server-side wildcards (DANGEROUS)

-sftp force use of SFTP protocol

-scp force use of SCP protocol

I had debug enabled on the device but nothing showed up. My guess is that the command never ran on the Windows box.

This is a helpful page on the use of putty:

I am getting closer though. I got the following error from putty:

C:\PuTTY>pscp -scp Bruce@ c:\putty

Bruce@'s password:

Privilege denied.

This also was verified with some debug on the network device. I am set to AAA with 15 privilege. I guess something else is needed for the SCP part..

I know this post is 5 years old, but found it as I ran into the same issue.
For me pscp works now with an ASR1006

C:\PuTTY>pscp -scp -v Bruce@ .

You forgot the "dot" at the end of your command (cisco24x7 has it in his post). It is essential, as this is for target. 
This helped ab bit regarding pscp.
But as you pointed out

C:\PuTTY>pscp -scp Bruce@ c:\putty

did work neither, I asume there was an additional issue with scp server konfig on your router.

Did you solve this in the end?

I know this is an old post, but this method doesn't seem to currently work. ASA version 9.2(4). It looks like the ASA is looking for "running-config" from the flash: or disk0:.  In order to get the running-config you need to call out the "system:" directory first.  This command works for me from a bash command prompt:

scp user@ .


scp user@ newfilename.cfg

I verified that this works under recent versions of ASA



config t

  ssh scopy enable

  username foo password secret privilege 15

  username foo attributes

    ssh authentication publickey {paste public key here}




Then the following works:

scp foo@test-asa:system://running-config running-config

scp foo@test-asa:startup-config startup-config



yes. and now he can use ubuntu inside windows 10

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: