Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


Hi all,

I am trying to use TFTP to copy a capture off of a remote PIX to a TFTP server that is located on the HQ private LAN. An IPSec tunnel exists between the two sites, and I have added the outside interface of the remote PIX to the VPN. The server is pingable from the remote PIX, but the TFTP session will not connect.

The remote PIX is running PIX OS 6.3(1) and the HQ PIX is running 7.2(1).

I have seen some similar queries on these forums over the last couple of years, but no definitive answers. If anyone can give me a hand here, i'd greatly appreciate it.

Thanks in advance,


New Member

Re: TFTP over PIX to PIX IPSec VPN?

Did you specify the TFTP inthe PIX config?

tftp-server outside X.X.X.X

New Member

Re: TFTP over PIX to PIX IPSec VPN?

Yes, I've tried that. Unfortunately, that did not seem to help.

New Member

Re: TFTP over PIX to PIX IPSec VPN?

Hi Ryan,

TFTP uses random UDP ports to transfer data. This protocol uses UDP port 69 only to initiate transfer. To enable TFTP in your network please try the following:

1. Configure TFTP fixup on both firewalls using the following command:

fixup protocol tftp 69

2. Enable traffic to server's UDP port 69 from your remote firewall

3. Specify TFTP server address on the remote firewall using 'tftp-server' command.

If it will not help, try to permit _all_ UDP traffic in both directions between your remote PIX and the server. If you don't want to open all UDP ports, you can use TFTP server which support data transfer through UDP port 69 only (for example, the TFTP server which we develop does it). It is enough to open only UDP port 69 in this case.



Oleg Malkov

WinAgents Software Group

New Member

Re: TFTP over PIX to PIX IPSec VPN?

Thanks for the suggestions, Oleg, but I don't think this will help me out. I need the TFTP transmission to be within the confines of the already-established VPN tunnel, as I don't want to send the capture unencrypted across the Internet.