Save run to VPN connected tftp?

Unanswered Question

Running ASA v8.x. I'm trying to save the run to a TFTP server that's connected via a VPN tunnel. I have "management-interface inside" set up so I can get remote access via ASDM, but I'm not sure how to get TFTP to work. I defined the tftp client in configuration>Device management>management access>file access>tftp client to be the IP of my vpn connected tftp server and set it to "Inside", but it just times out. I don't see any denials in the logs.

I'm probably missing something basic, but I assume others have tried to save their running config to a central TFP server, not?

Thanks in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Thu, 10/16/2008 - 11:02
User Badges:
  • Green, 3000 points or more

Hi Steve,

you almost there, this is what I understand in your post, you have a tftp server running on the vpn client machine, and when you vpn into your network you want to copy the asa configuration into that tftp server, please let me know if this is not correct but if the above is so you need to do few things in this scenario.

on the asa you have to define a tftp server and path. assume you have created a folder called root in tftp server , and assume VPN pool network is



tftp-server inside :\root

thats it

once you vpn in and successfully connect you need to stop and restart tftp server on that machine so that tftp can also bind the ip assign by the ASA RA pool, so tftp udp port 69 will be listening on two IP addresses the local NIC of the PC and the VPN RA virtual IP.

once you have that then try copying running config to tftp

note the following:

when it ask you in the field bellow, you need to specify the RA client Virtual IP of where tftp is running off.

Address or name of remote host []?

asa#copy running-config tftp

Source filename [running-config]?

Address or name of remote host []?

Destination filename []? asa_config _test9

Cryptochecksum: 913690bd 97637c7a aa5060dc 049c1919


if your scenario is a vpn tunnel same principle applies other than permitting udp for tftp in your nonat acl on that l2l tunnel.



JClarke007 Wed, 03/04/2009 - 14:51
User Badges:

Hi, I'm trying to accomplish this as well. Were you able to find a resolution?

It appears the write net tftp command is not triggering the crypto map, even though the crypto ACL parameters include the destination TFTP server.

One thing I've considered is that my crypto policies are applied to the outside interface. Perhaps I need one on the inside interface as well...


This Discussion