Cisco Support Community

New Member

how to upgrade PIX IOS over VPN Tunnel

I am attempting to upgrade a PIX IOS remotely over a VPN tunnel.

The problem seems to be that the TFTP command attempts to download the file through the outside interface rather than the tunnel.

copy tftp:// flash:image

copying tftp:// to flash:image

tftp: Timed out attempting to connect

Image not installed

If I ping the TFTP server "ping x.x.x.x" then I get no replies but if I do "ping inside x.x.x.x" then I get replies.

How can I tell TFTP to go over the tunnel?

I tried to add a static route to the tftp server by pointing it to the inside interface but it didn't work.

Route inside tftp-ip inside-interface-ip

I don't have an internal router behind the PIX at the remote site to route to and back in.

I also tried with CiscoWorks RME 4.0.2 but got the same result.



Re: how to upgrade PIX IOS over VPN Tunnel

with the local pix current config,

access-list no_nat permit ip

access-list crypto permit ip

the crypto acl needs to include the remote pix outside interface. i.e.

access-list crypto permit ip host

further, apply the same logic on the remote pix. i.e. to add its own public interface ip as part of the crypto acl.

the issue occurs because the pix itself isn't considered part of the vpn. so when the pix tries to connect to the tftp server, it fails. so by including the remote pix outside interface as part of the vpn, the issue should be resolved.

New Member

Re: how to upgrade PIX IOS over VPN Tunnel

Makes sense, but unfortunately this won't work for us because the remote PIX is using DHCP so I can't tell what the outside IP is going to be and the other side is a 3030 concentrator.

And to add to the problem, the remote pix is also using EzVPN to connect back to the 3030.

Thanks anyway

New Member

Re: how to upgrade PIX IOS over VPN Tunnel

The following have worked well for me on IOS routers.

1. Enable FTP server on the router so that you can connect to it through the tunnel. You basically "push" the image instead of having the router pull it.

2. Use secure copy (scp) to pull the image from a host running ssh. This works because you can issue the "ip ssh source-interface" command to force ssh to use a specified interface as the source. This means that the scp traffic will be NATed/tunneled/whatever according to your rules.

I realize that these are for router IOS upgrades, but they may point you in the right direction on the PIX. It's been a little bit since I touched PIX OS 6.3 and I honestly can't remember if the above capabilities exist in that version.

New Member

Re: how to upgrade PIX IOS over VPN Tunnel

You need to ensure that the tftp uses the "inside" interface.

In Conf mode, type:

tftp-server inside "ip address of tftp server" "path of tftp files (eg-c:\tftp)"

Try that