how to copy tftp to remote site through VPN

Answered Question
May 15th, 2009

I know by setting management interface ASA can ping or telnet/SSH to the inside interface of the remote ASA through VPN. But it doesn't work for TFTP. Is there a way to copy config to TFP server in remote site through VPN and using source interface as local inside interface?

I have this problem too.
1 vote
Correct Answer by JORGE RODRIGUEZ about 7 years 6 months ago

Your welcome , don't forget to rate helpfull posts.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (6 ratings)
JORGE RODRIGUEZ Sun, 05/17/2009 - 00:23


TFTP should work through VPN, I have tested through RA VPN. I do not see a reason why should not work through l2l vpn scenario.

In RA vpn scenario where client runs the tftp server.

In RA VPN test scenario,VPN client gets IP assigned.

asa5500fw(config)#tftp-server inside

tftp-server f:\

asa5500fw(config)# copy running-config tftp:

Source filename [running-config]?

Address or name of remote host []?

Destination filename []? running-config

Cryptochecksum: 67f2f1a3 c31d5a9b 0f6b1f6d 2f21766d


26019 bytes copied in 3.460 secs (8673 bytes/sec)


In your scenario with l2l vpn as long the tftp server IP on other side of tunnel is part of the IPsec tunnel policy try this bellow.

tftp-server outside


michaelli888 Tue, 05/19/2009 - 07:28

Hi Jorge,

Thanks for replying. I think I may not describ my question clearly. The senario I'm asking is a IPSEC site to site VPN, not a Remote access VPN.


JORGE RODRIGUEZ Wed, 05/20/2009 - 10:14

Hi Michael, yes I did read the first post in l2l, however the test is in RA VPN, but the two similarities that both RA and L2L do have is Ipsec.

the test conducted was on Ipsec RA with tftp server at other end in the case of RA client being the tftp server.

So that being said I could assure the tftp will work on l2l vpn.

Have you tried my suggestions.


SiteA-L2L-SiteB tftpserver in SiteB , you are copying asa congif to tftpserver as long tftp server in siteB is part of the tunnel policy should work, let me know if still no joy to then lab this in L2L scenario.

asa(config)#tftp-server outside


asa#copy config tftp


michaelli888 Wed, 05/20/2009 - 11:50

It doesn't work for me. please see the asa output below.

asa(config)# ping inside

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 80 percent (4/5), round-trip min/avg/max = 290/317/370 ms

asa(config)# tftp outside /

WARNING: 'outside' interface has the lowest security level (0).

asa(config)# copy run tftp

Source filename [running-config]?

Address or name of remote host []?

Destination filename []?

Cryptochecksum: e4582635 53632293 22b6aa9f 481e2383


%Error writing tftp://;int=outside (Timed out attempting to connect)


JORGE RODRIGUEZ Wed, 05/20/2009 - 12:25

Sounds as it could be tftp server, do you see any hits in the tftp server logs? how about asdm logs is tftp port 69 seen in the l2l traffic?


what tftp server app do you use, is it a windows APP? if so try using complete path

say the root is f: drive of tftp server.

tftp-server outside f:\

michaelli888 Wed, 05/20/2009 - 12:44

Your 'Tftp-server interface' command remind me that ipsec traffic is somehow different. So I set 'tftp-server inside /' on the asa and it works now.

Thanks for your help Jorge.

michaelli888 Wed, 05/20/2009 - 13:08

disccuss on this issue further, the following command works and it copies config to tftp server in remote site.

asa(config)# copy startup-config tftp

Address or name of remote host []?

Destination filename []? ttt


12681 bytes copied in 8.50 secs (1585 bytes/sec)

however if I put the full path in the copy command it still fails, why? I cannot use prior command because the following command is hard coded in software, how to make it work?

asa(config)# copy startup-config tftp://

Address or name of remote host []?

Destination filename [ttt]?


%Error writing tftp:// (Timed out attempting to connect)


This Discussion