how to upgrade PIX IOS over VPN Tunnel

bdecout
Level 1

I am attempting to upgrade a PIX IOS remotely over a VPN tunnel.

The problem seems to be that the TFTP command attempts to download the file through the outside interface rather than the tunnel.

copy tftp://192.168.72.167/pix635.bin flash:image

copying tftp://192.168.72.167/pix635.bin to flash:image

tftp: Timed out attempting to connect

Image not installed

If I ping the TFTP server "ping x.x.x.x" then I get no replies but if I do "ping inside x.x.x.x" then I get replies.

How can I tell TFTP to go over the tunnel?

I tried to add a static route to the TFTP server by pointing it to the inside interface, but it didn't work:

route inside tftp-ip 255.255.255.255 inside-interface-ip

I don't have an internal router behind the PIX at the remote site to route to and back in.

I also tried with CiscoWorks RME 4.0.2 but got the same result.

Thanks

4 Replies

jackko
Level 7

with the local pix current config,

access-list no_nat permit ip 192.168.72.0 255.255.255.0

access-list crypto permit ip 192.168.72.0 255.255.255.0

the crypto acl needs to include the remote pix outside interface. i.e.

access-list crypto permit ip 192.168.72.0 255.255.255.0 host

further, apply the same logic on the remote pix. i.e. to add its own public interface ip as part of the crypto acl.

the issue occurs because the pix itself doesn't consider as part of the vpn. so when the pix tries to connect to the tftp server, it fails. so by including the remote pix outside interface as part of the vpn, the issue should be resolved.

Makes sense, but unfortunately this won't work for us because the remote PIX is using DHCP so I can't tell what the outside IP is going to be and the other side is a 3030 concentrator.

And to add to the problem, the remote pix is also using EzVPN to connect back to the 3030.

Thanks anyway

jstrine
Level 1

The following have worked well for me on IOS routers.

1. Enable FTP server on the router so that you can connect to it through the tunnel. You basically "push" the image instead of having the router pull it.

2. Use secure copy (scp) to pull the image from host running ssh. This works because you can issue the "ip ssh source-interface" command to force ssh to use a specified interface as the source. This means that the scp traffic will be NATed/tunneled/whatever according to your rules.

I realize that these are for router IOS upgrades, but they may point you in the right direction on the PIX. It's been a little bit since I touched PIX OS 6.3 and I honestly can't remember if the above capabilities exist in that version.

pot51e
Level 1

You need to ensure that the tftp uses the "inside" interface.

In Conf mode, type:

tftp-server inside "ip address of tftp server" "path of tftp files (eg-c:\tftp)"

Try that
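Both fixes in this thread (jackko's: put the PIX's own interface address in the crypto ACL; pot51e's: pin the TFTP source to the inside interface) come down to one question: does the PIX-originated TFTP flow match the crypto ACL? The following added checker is not from the thread or from Cisco; it walks a constructed PIX 6.3 config fragment (interface addresses, ACL names and the 203.0.113.5 / 10.1.1.0 addresses are made up) and answers that question for the unfixed config and for each fix. It assumes, from the symptom the poster describes, that without a tftp-server line the PIX sources the copy from the outside interface.

```python
import ipaddress

# Constructed PIX 6.3 config for illustration, not the poster's actual config.
# Inside 10.1.1.0/24, outside 203.0.113.5; the TFTP server 192.168.72.167 sits on
# the far side of the tunnel, so only inside -> 192.168.72.0/24 is encrypted.
BASE_CONFIG = """\
ip address outside 203.0.113.5 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
access-list crypto permit ip 10.1.1.0 255.255.255.0 192.168.72.0 255.255.255.0
crypto map vpn 10 match address crypto
"""
FIX_SOURCE = BASE_CONFIG + "tftp-server inside 192.168.72.167 /images\n"   # pot51e's fix
FIX_ACL = BASE_CONFIG + (                                                   # jackko's fix
    "access-list crypto permit ip host 203.0.113.5 192.168.72.0 255.255.255.0\n")

def _addr(tok):
    """Consume one ACL address spec ('host A', 'any' or 'A MASK'); return (net, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(cfg):
    """Collect interface IPs, permit-ip ACEs per ACL, crypto-map ACL names, tftp-server iface."""
    ifaces, aces, crypto_acls, tftp_iface = {}, {}, set(), None
    for line in cfg.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) >= 4 and f[3] != "dhcp":
            ifaces[f[2]] = ipaddress.ip_address(f[3])
        elif f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"]:
            src, rest = _addr(f[4:])
            dst, _ = _addr(rest)
            aces.setdefault(f[1], []).append((src, dst))
        elif f[:2] == ["crypto", "map"] and "address" in f:
            crypto_acls.add(f[f.index("address") + 1])
        elif f[:1] == ["tftp-server"]:
            tftp_iface = f[1]          # interface named on the tftp-server line
    return ifaces, aces, crypto_acls, tftp_iface

def tftp_goes_through_tunnel(cfg, server, default_iface="outside"):
    """True if the PIX's own TFTP session to `server` matches a crypto-map ACL.
    Assumption: with no tftp-server line the PIX sources from default_iface."""
    ifaces, aces, crypto_acls, tftp_iface = parse(cfg)
    src_ip = ifaces[tftp_iface or default_iface]
    dst_ip = ipaddress.ip_address(server)
    return any(src_ip in s and dst_ip in d
               for acl in crypto_acls for s, d in aces.get(acl, []))

if __name__ == "__main__":
    for name, cfg in [("as posted", BASE_CONFIG), ("tftp-server inside", FIX_SOURCE),
                      ("outside IP in crypto ACL", FIX_ACL)]:
        print(f"{name}: {tftp_goes_through_tunnel(cfg, '192.168.72.167')}")
```

Note that jackko's fix only works when the outside address is static, which is exactly why the poster (on DHCP) is left with pot51e's source-interface approach.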
