Using SCP to back up your configs safely.


I have installed SSH to use as an encrypted method of logging onto my routers. It works. I also enabled the SCP server on the CLI: router config#ip scp server enable. (Be careful here because SCP has a slight vulnerability where a user with a restricted view can still use it. This has been fixed in the latest, 20050325 releases.)

The thing is that the secure copy protocol is difficult to use. There is no information on either Cisco or other web sites on how to use it to back up configs.

I tried WinSCP and PuTTY pscp. Neither one seems to work as a server; in other words, you can't initiate SCP transfers from the router to the Windows box with these clients. All I manage to get is errors about sftp or ... when trying to initiate from the Windows box.

It may be that you need to use Cisco Works LMS to perform the copy. The SCP server service on the router is embedded and may not completely follow standards for the protocol, or ???

Any ideas?

Yudong Wu Fri, 03/27/2009 - 22:14

How about you set up an SCP server on a PC, and then use the "copy" command to transfer the file from the router to it.

Yes, there might be certain compatibility issues between the router SCP server and those third-party SCP clients.

cisco24x7 Sat, 03/28/2009 - 08:26

very easy as a,b,c:

a- ip domain-name

b- crypto key zeroize rsa

c- crypto key generate rsa -- choose 1024

d- username cciesec privilege 15 pass cisco

e- aaa new-model

f- aaa authentication login default local

g- aaa authorization exec default local

h- line vty 0 4

i- login authentication default

[[email protected]-labgw]# scp [email protected]:running-config .


running-config 100% 4131 47.4KB/s 00:00

Connection to closed by remote host.

[[email protected]-labgw]#

Easy for you.. A couple of questions. Why not use a 2048 key? Got the part about setting up the Cisco device,

a) create a domain name so that the crypto key generate will work,

b)zeroize the old rsa keys on the Cisco box.

c - i) set up the AAA for SSH and SCP.

The next part, what is going on with the following statement:

[[email protected]-labgw]# scp [email protected]:running-config .


Are you entering the SCP service from the Cisco device and sending the running-config to the PC running some kind of SCP server?


cisco24x7 Mon, 03/30/2009 - 14:12

Yes, PC is running CentOS Linux version 5.2.

Host "NEO-labgw" is a CentOS Linux box which has scp/sftp built-in by default

cisco24x7 Mon, 03/30/2009 - 15:47

My solution also works on Windows as well, if you use pscp.exe. One thing to keep in mind is that if you use "pscp.exe" for scp, you need to use the "-pscp" option, like this:

C:\temp>pscp.exe -scp [email protected]:running-config .

Using keyboard-interactive authentication.


running-config | 4 kB | 4.0 kB/s | ETA: 00:00:00 | 100%


Again, easy right?

Still no go.

C:\PuTTY>pscp -scp -v [email protected]:running-config

Where is the cisco device.

I get the usage info when trying to do it.

C:\PuTTY>pscp -scp -v [email protected]:running-config

PuTTY Secure Copy client
Release 0.60
Usage: pscp [options] [user@]host:source target
       pscp [options] source [source...] [user@]host:target
       pscp [options] -ls [user@]host:filespec

  -V        print version information and exit
  -pgpfp    print PGP key fingerprints and exit
  -p        preserve file attributes
  -q        quiet, don't show statistics
  -r        copy directories recursively
  -v        show verbose messages
  -load sessname  Load settings from saved session
  -P port   connect to specified port
  -l user   connect with specified username
  -pw passw login with specified password
  -1 -2     force use of particular SSH protocol version
  -4 -6     force use of IPv4 or IPv6
  -C        enable compression
  -i key    private key file for authentication
  -noagent  disable use of Pageant
  -agent    enable use of Pageant
  -batch    disable all interactive prompts
  -unsafe   allow server-side wildcards (DANGEROUS)
  -sftp     force use of SFTP protocol
  -scp      force use of SCP protocol

I had debug enabled on the device but nothing showed up. My guess is that the command never ran on the Windows box.

This is a helpful page on the use of putty:

I am getting closer though. I got the following error from putty:

C:\PuTTY>pscp -scp [email protected]:running-config c:\putty

[email protected]'s password:

Privilege denied.

This also was verified with some debug on the network device. I am set to AAA with 15 privilege. I guess something else is needed for the SCP part..

THOMAS KRUEGER Sat, 03/15/2014 - 03:47

I know this post is 5 years old, but found it as I ran into the same issue.
For me pscp works now with an ASR1006

C:\PuTTY>pscp -scp -v [email protected]:running-config .

You forgot the "dot" at the end of your command (cisco24x7 has it in his post). It is essential, as this is for the target.
This helped a bit regarding pscp.
But as you pointed out

C:\PuTTY>pscp -scp [email protected]:running-config c:\putty

did not work either, I assume there was an additional issue with the SCP server config on your router.

Did you solve this in the end?

ncowger Tue, 02/16/2016 - 10:05

I know this is an old post, but this method doesn't seem to currently work. ASA version 9.2(4). It looks like the ASA is looking for "running-config" from the flash: or disk0:.  In order to get the running-config you need to call out the "system:" directory first.  This command works for me from a bash command prompt:

scp [email protected]:system://running-config .


scp [email protected]:system://running-config newfilename.cfg
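
The commands from the posts above, wrapped into a small backup script as an added example that is not part of any post in this thread. The function names, the `ios`/`asa` platform labels, the `SCP_EXTRA` variable and the file naming are assumptions; the remote paths are the two the thread reports working.

```shell
#!/bin/sh
# Added example: pull running-config over SCP and store it owner-readable only.
# Function names, platform labels and file layout are assumptions of this example.

# Build the scp source argument. IOS/IOS-XE serve "running-config" directly;
# the ASA needs the "system://" prefix, as reported in the thread.
remote_spec() {
    user=$1; host=$2; platform=$3
    case "$host" in
        -*|*[!A-Za-z0-9._-]*|"") return 1 ;;   # refuse option-like or odd host names
    esac
    case "$platform" in
        ios) printf '%s@%s:running-config\n' "$user" "$host" ;;
        asa) printf '%s@%s:system://running-config\n' "$user" "$host" ;;
        *)   return 1 ;;
    esac
}

# Local file name: <dir>/<host>_<UTC timestamp>.cfg
backup_name() {
    printf '%s/%s_%s.cfg\n' "$1" "$2" "$3"
}

# Copy one device's config. Returns non-zero on any failure.
backup_config() {
    user=$1; host=$2; platform=$3; dir=$4
    src=$(remote_spec "$user" "$host" "$platform") || return 1
    dest=$(backup_name "$dir" "$host" "$(date -u +%Y%m%dT%H%M%SZ)")
    umask 077                      # configs hold password hashes and keys
    mkdir -p "$dir" || return 1
    # StrictHostKeyChecking=yes: fail rather than accept an unknown host key.
    # SCP_EXTRA: set to -O on OpenSSH 9+ to force the legacy SCP protocol.
    # "--" stops option parsing before the user-derived source argument.
    scp -o StrictHostKeyChecking=yes ${SCP_EXTRA:-} -- "$src" "$dest.part" || {
        rm -f "$dest.part"; return 1; }
    [ -s "$dest.part" ] || { rm -f "$dest.part"; return 1; }   # reject empty file
    mv "$dest.part" "$dest"
}

# Usage: backup.sh user host ios|asa /path/to/backups
if [ "$#" -eq 4 ]; then
    backup_config "$@"
fi
```

With `StrictHostKeyChecking=yes` the device's host key has to be in `known_hosts` before the first run, so record it once after checking the fingerprint on the device console.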

