Upgrading PIX 501 across L2L VPN

Unanswered Question
Jul 27th, 2007

I have a PIX 501 running 6.3(5) and just need to upgrade PDM. The PIX is at a remote site and the TFTP server is across the tunnel at our corporate site. I'm not sure what to put in the tftp-server command since the TFTP server is actually out the outside interface but across the tunnel. I'm not sure what the PIX will use to source the TFTP packets. If it is the outside interface address then the PIX won't properly protect it in the tunnel. If it is the inside interface address then it should but how can that be specified. How do I copy files via TFTP across a VPN tunnel established on the outside interface?


mattiaseriksson Sat, 07/28/2007 - 04:09

Hi, I am not sure, but I think it will work if you add the outside IP to the ACL associated with the crypto map. It will need its own SA from the outside IP to the remote network.

I do not think you can make it use the inside address.

I hope this helps.

TYLER WEST Tue, 08/14/2007 - 07:46

I finally got a chance to try this. It didn't work. Even if I turn on debugging for TFTP packets destined to the host I have defined, nothing turns up in the logs. It logs that I have executed the command but it does not show that any UDP connections were built nor does it show that packets were generated. I will repost info from the config into a reply to the original thread momentarily.



Raymond Aragon Sat, 07/28/2007 - 09:50

The PIX will use the same address as for other management methods (Telnet/Web/SSH).

Just modify the current ACL with a new entry (ACE) that specifies to tunnel TFTP traffic (UDP port 69) between the PIX and the TFTP server (at corporate). That ACL gets assigned to a crypto map (should already exist), and then the crypto map is assigned to an interface (should already exist).

Reference: http://www.cisco.com/warp/public/110/38.html
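One way to lay out the change Raymond describes, as an added example that is not from this thread, from Cisco documentation, or from the original poster's config. Every address, the ACL and crypto map names, the transform-set name and the PDM file name are assumed; lines beginning with ":" are comments. The example goes one step beyond the reply above: the new ACE is written host-to-host without a port, because TFTP (RFC 1350) answers the request to udp/69 from a fresh ephemeral port on the server, so an ACE pinned to port 69 would cover the request but not the data packets coming back.

```text
: Assumed addressing for this example (not from the thread):
:   PIX 501 outside 198.51.100.2, inside LAN 192.168.10.0/24
:   corporate peer 203.0.113.1, corporate LAN 10.1.0.0/16, TFTP server 10.1.0.20
:   existing crypto ACL outside_cryptomap_20, matched by "crypto map outside_map 20"
:
: Existing LAN-to-LAN entry (inside network <-> corporate network)
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
:
: New ACE. PIX-originated packets are sourced from the interface the route to the
: server points out of, which is outside here, so that address must be in the crypto
: ACL or the TFTP packets leave in the clear. No port: see the lead-in about TFTP
: switching to an ephemeral port on the server side.
access-list outside_cryptomap_20 permit udp host 198.51.100.2 host 10.1.0.20
:
: The crypto map that uses this ACL and its binding to the interface (unchanged,
: shown for context; transform-set name assumed)
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
:
: Let decrypted tunnel traffic bypass the outside interface ACL (normally already set)
sysopt connection permit-ipsec
:
: Point the PIX at the server. The interface name is the one the server is reached
: through, and that is outside, because the server sits across the tunnel rather
: than on the inside LAN.
tftp-server outside 10.1.0.20 /
:
: Then, from enable mode (file name assumed):
:   copy tftp://10.1.0.20/pdm.bin flash:pdm
:
: Check that the new proxy identity actually negotiated and that traffic uses it:
:   show crypto ipsec sa
: There should now be a second local/remote ident pair for 198.51.100.2 and
: 10.1.0.20 in addition to the LAN-to-LAN pair, with non-zero encaps/decaps counters
: after the copy. If only the LAN-to-LAN pair is present, the new ACE was not
: matched and the copy never entered the tunnel.
```

The corporate-side peer needs the mirror image of the new ACE in its own crypto ACL (permit udp host 10.1.0.20 host 198.51.100.2, or the equivalent on whatever device terminates the tunnel there); a proxy identity that one side proposes and the other side does not have configured will fail phase 2 for that SA even though the existing LAN-to-LAN SA keeps working.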



