How to copy TFTP to remote site through VPN

May 15th, 2009

I know that by setting the management interface, the ASA can ping or telnet/SSH to the inside interface of the remote ASA through the VPN. But it doesn't work for TFTP. Is there a way to copy the config to a TFTP server at the remote site through the VPN, using the local inside interface as the source interface?

Overall Rating: 5 (6 ratings)
JORGE RODRIGUEZ Sun, 05/17/2009 - 00:23

Michael,


TFTP should work through VPN; I have tested it through RA VPN. I do not see a reason why it should not work in an L2L VPN scenario.


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1498951


In the RA VPN scenario, the client runs the TFTP server.


In the RA VPN test scenario, the VPN client gets IP 140.40.30.15 assigned.


asa5500fw(config)#tftp-server inside


tftp-server 140.40.30.15 f:\


asa5500fw(config)# copy running-config tftp:


Source filename [running-config]?


Address or name of remote host [140.40.30.15]?


Destination filename []? running-config

Cryptochecksum: 67f2f1a3 c31d5a9b 0f6b1f6d 2f21766d

!!!!!!!

26019 bytes copied in 3.460 secs (8673 bytes/sec)


/////////////////


In your scenario with L2L VPN, as long as the TFTP server IP on the other side of the tunnel is part of the IPsec tunnel policy, try this below.


tftp-server outside



Regards


michaelli888 Tue, 05/19/2009 - 07:28

Hi Jorge,

Thanks for replying. I think I may not have described my question clearly. The scenario I'm asking about is an IPsec site-to-site VPN, not a remote access VPN.


Regards,

JORGE RODRIGUEZ Wed, 05/20/2009 - 10:14

Hi Michael, yes, I did read the first post about L2L. However, the test is in RA VPN, but the similarity that both RA and L2L have is IPsec.


The test conducted was on IPsec RA with the TFTP server at the other end, in this case the RA client being the TFTP server.


So, that being said, I could assure you that TFTP will work on L2L VPN.



Have you tried my suggestions?


e.g.


SiteA-L2L-SiteB, TFTP server in SiteB: you are copying the ASA config to the TFTP server. As long as the TFTP server in SiteB is part of the tunnel policy, it should work. Let me know if there is still no joy, to then lab this in an L2L scenario.


asa(config)#tftp-server outside


then


asa#copy config tftp



Regards


michaelli888 Wed, 05/20/2009 - 11:50

It doesn't work for me. Please see the ASA output below.


asa(config)# ping inside 192.168.11.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.11.10, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 290/317/370 ms

asa(config)# tftp outside 192.168.11.10 /

WARNING: 'outside' interface has the lowest security level (0).

asa(config)# copy run tftp


Source filename [running-config]?


Address or name of remote host [192.168.11.10]?


Destination filename []?

Cryptochecksum: e4582635 53632293 22b6aa9f 481e2383

!!!!

%Error writing tftp://192.168.11.10//;int=outside (Timed out attempting to connect)

asa(config)#

JORGE RODRIGUEZ Wed, 05/20/2009 - 12:25

Sounds as if it could be the TFTP server. Do you see any hits in the TFTP server logs? How about the ASDM logs: is TFTP port 69 seen in the L2L traffic?



[edit]

What TFTP server app do you use? Is it a Windows app? If so, try using the complete path.

Say the root is the f: drive of the TFTP server.


tftp-server outside f:\

michaelli888 Wed, 05/20/2009 - 12:44

Your 'tftp-server interface' command reminded me that IPsec traffic is somehow different. So I set 'tftp-server inside /' on the ASA and it works now.


Thanks for your help Jorge.

Correct Answer
JORGE RODRIGUEZ Wed, 05/20/2009 - 12:49

You're welcome, don't forget to rate helpful posts.


Regards


michaelli888 Wed, 05/20/2009 - 13:08

To discuss this issue further: the following command works and it copies the config to the TFTP server at the remote site.


asa(config)# copy startup-config tftp


Address or name of remote host [192.168.11.10]?


Destination filename []? ttt

!!!!

12681 bytes copied in 8.50 secs (1585 bytes/sec)


However, if I put the full path in the copy command it still fails. Why? I cannot use the prior command because the following command is hard-coded in software. How can I make it work?


asa(config)# copy startup-config tftp://192.168.11.10/ttt


Address or name of remote host [192.168.11.10]?


Destination filename [ttt]?

!!!!

%Error writing tftp://192.168.11.10/ttt (Timed out attempting to connect)
