01-12-2006 03:41 PM - edited 02-21-2020 02:11 PM
I am attempting to upgrade a PIX IOS remotely over a VPN tunnel.
The problem seems to be that the TFTP command attempts to download the file through the outside interface rather than the tunnel.
copy tftp://192.168.72.167/pix635.bin flash:image
copying tftp://192.168.72.167/pix635.bin to flash:image
tftp: Timed out attempting to connect
Image not installed
If I ping the TFTP server "ping x.x.x.x" then I get no replies but if I do "ping inside x.x.x.x" then I get replies.
How can I tell TFTP to go over the tunnel?
I tried to add a static route to the tftp server by pointing it to the inside interface but it didn't work
Route inside tftp-ip 255.255.255.255 inside-interface-ip
I don't have an internal router behind the PIX at the remote site to route to and back in.
I also tried with CiscoWorks RME 4.0.2 but got the same result.
Thanks
01-14-2006 08:21 AM
with the local pix current config,
access-list no_nat permit ip 192.168.72.0 255.255.255.0
access-list crypto permit ip 192.168.72.0 255.255.255.0
the crypto acl needs to include the remote pix outside interface. i.e.
access-list crypto permit ip 192.168.72.0 255.255.255.0 host
further, apply the same logic on the remote pix. i.e. to add its own public interface ip as part of the crypto acl.
the issue occurs because the pix itself doesn't consider as part of the vpn. so when the pix tries to connect to the tftp server, it fails. so by including the remote pix outside interface as part of the vpn, the issue should be resolved.
01-14-2006 06:12 PM
Makes sense, but unfortunately this won't work for us because the remote PIX is using DHCP so I can't tell what the outside IP is going to be and the other side is a 3030 concentrator.
And to add to the problem, the remote pix is also using EzVPN to connect back to the 3030.
Thanks anyway
01-20-2006 11:39 AM
The following have worked well for me on IOS routers.
1. Enable FTP server on the router so that you can connect to it through the tunnel. You basically "push" the image instead of having the router pull it.
2. Use secure copy (scp) to pull the image from host running ssh. This works because you can issue the "ip ssh source-interface" command to force ssh to use a specified interface as the source. This means that the scp traffic will be NATed/tunneled/whatever according to your rules.
I realize that these are for router IOS upgrades, but they may point you in the right direction on the PIX. It's been a little bit since I touched PIX OS 6.3 and I honestly can't remember if the above capabilities existed in that version.
03-21-2006 07:00 AM
You need to ensure that the tftp uses the "inside" interface.
In Conf mode, type:
tftp-server inside "ip address of tftp server" "path of tftp files (eg-c:\tftp)"
Try that
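To make the reasoning in the second and last replies concrete, here is an added example (not from the thread or from Cisco) that models how a PIX decides whether a self-originated TFTP request matches the crypto ACL and is therefore sent through the tunnel rather than in cleartext out the outside interface. The TFTP server 192.168.72.167 is the one in the thread; the remote PIX's inside LAN 10.1.1.0/24, its inside address 10.1.1.1 and its DHCP-assigned outside address 203.0.113.5 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the TFTP server is the one in the thread; the remote
# PIX's inside LAN, inside address and DHCP-assigned outside address are assumed.
TFTP_SERVER = "192.168.72.167"
REMOTE_INSIDE_IP = "10.1.1.1"
REMOTE_OUTSIDE_IP = "203.0.113.5"

# Crypto ACL on the remote PIX before any fix (PIX 6.3 syntax: subnet masks,
# not IOS wildcard masks). Only traffic matching these lines is encrypted.
CRYPTO_ACL = [
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 192.168.72.0 255.255.255.0",
]
# The fix from the second reply: also treat the PIX's own outside address as VPN traffic.
CRYPTO_ACL_WITH_OUTSIDE = CRYPTO_ACL + [
    f"access-list crypto permit ip host {REMOTE_OUTSIDE_IP} 192.168.72.0 255.255.255.0",
]


def _to_net(tokens):
    """Turn 'host A', 'any' or 'A MASK' into an ip_network; returns (network, tokens consumed)."""
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), 2
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), 1
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_crypto_acl(lines):
    """Parse 'access-list NAME permit ip SRC DST' lines into (src_net, dst_net) pairs."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue
        src, used = _to_net(parts[4:])
        dst, _ = _to_net(parts[4 + used:])
        entries.append((src, dst))
    return entries


def tftp_path(acl_lines, source_ip, server_ip=TFTP_SERVER):
    """'tunnel' if the request matches the crypto ACL, else 'cleartext' (the request
    leaves the outside interface unencrypted, which is what the poster's timeout looks like)."""
    src, dst = ip_address(source_ip), ip_address(server_ip)
    entries = parse_crypto_acl(acl_lines)
    return "tunnel" if any(src in s and dst in d for s, d in entries) else "cleartext"


if __name__ == "__main__":
    # Default: copy tftp sourced from the outside interface -> not interesting -> cleartext.
    print("outside, original ACL :", tftp_path(CRYPTO_ACL, REMOTE_OUTSIDE_IP))
    # Second reply's fix: add the outside address to the crypto ACL.
    print("outside, ACL + host   :", tftp_path(CRYPTO_ACL_WITH_OUTSIDE, REMOTE_OUTSIDE_IP))
    # Last reply's fix: 'tftp-server inside ...' sources the copy from the inside address.
    print("inside, original ACL  :", tftp_path(CRYPTO_ACL, REMOTE_INSIDE_IP))
```

The same check applies to the hub side: its crypto ACL must mirror whichever source address the remote PIX ends up using, or the return traffic will not be encrypted either.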