Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Save run to VPN connected tftp?

Running ASA v8.x. I'm trying to save the run to a TFTP server that's connected via a VPN tunnel. I have "management-interface inside" set up so I can get remote access via ASDM, but I'm not sure how to get TFTP to work. I defined the tftp client in configuration>Device management>management access>file access>tftp client to be the IP of my vpn connected tftp server and set it to "Inside", but it just times out. I don't see any denials in the logs.

I'm probably missing something basic, but I assume others have tried to save their running config to a central TFP server, not?

Thanks in advance.



Re: Save run to VPN connected tftp?

Hi Steve,

you almost there, this is what I understand in your post, you have a tftp server running on the vpn client machine, and when you vpn into your network you want to copy the asa configuration into that tftp server, please let me know if this is not correct but if the above is so you need to do few things in this scenario.

on the asa you have to define a tftp server and path. assume you have created a folder called root in tftp server , and assume VPN pool network is



tftp-server inside :\root

thats it

once you vpn in and successfully connect you need to stop and restart tftp server on that machine so that tftp can also bind the ip assign by the ASA RA pool, so tftp udp port 69 will be listening on two IP addresses the local NIC of the PC and the VPN RA virtual IP.

once you have that then try copying running config to tftp

note the following:

when it ask you in the field bellow, you need to specify the RA client Virtual IP of where tftp is running off.

Address or name of remote host []?

asa#copy running-config tftp

Source filename [running-config]?

Address or name of remote host []?

Destination filename []? asa_config _test9

Cryptochecksum: 913690bd 97637c7a aa5060dc 049c1919


if your scenario is a vpn tunnel same principle applies other than permitting udp for tftp in your nonat acl on that l2l tunnel.



Community Member

Re: Save run to VPN connected tftp?


I'm so sorry, I left out one very important fact. This is on a site-to-site VPN, not a VPN connected client. My TFP server is running on a machine across a VPN tunnel away from the ASA.

Thanks so far!


Community Member

Re: Save run to VPN connected tftp?

Hi, I'm trying to accomplish this as well. Were you able to find a resolution?

It appears the write net tftp command is not triggering the crypto map, even though the crypto ACL parameters include the destination TFTP server.

One thing I've considered is that my crypto policies are applied to the outside interface. Perhaps I need one on the inside interface as well...

Community Member

Re: Save run to VPN connected tftp?

Nope, sorry. I basically am working around it by putting tftp up temporarily on the inside interface on a box I have available there. :-(

CreatePlease to create content