Update PIX in remote location

andre.frost · ‎07-01-2003

Hi,

my question is how to upgrade software on PIXes running as EZVPN client in a remote location/office. This locatios usualy have no server for TFTP or HTTP/S. With management-access command this protocols are not supportet.

Who can help, is there a solution?

Thanks

Andre

hadbou · ‎07-08-2003

If you are using pix version 5.1 and above use the command "copy tftp flash" command.

l.mourits · ‎07-08-2003

Let me see if I understand your problem. I think what you want to do is upgrade a PIX from another location via the outside interface. This is not possible, cause you cannot telnet to the outside interface, only when using a VPN client it is possible to telnet (via the VPN tunnel) to the outside interface of the PIX.

Problem is that if you start an upgrade with the command:

copy tftp flash:image

this will not work, because the PIX terminates all security associations during this upgrade, and this results in loosing your connection with the PIX. I have tried it once, and ended up by driving to the remote location with my laptop in the back of the car :-(

So, what you want to achieve is not possible at this moment, however, in one of the recent threads at this forum, there has been a discussion about the default behavior of the PIX, especially about the limitation that you can not telnet to the outside interface (without a VPN tunnel).

The Cisco engineer involved in this discussion has done a feature request for this one, so, maybe with the next major release update it will be possible (but you would have to go to the location to install this new image first, so, it does not solve your problem for now).

Question, is there no Cisco switch or router in place at this location, which has enough flash space available, cause maybe you can use this one as a tftp server. But it´s just an idea :-)

Kind Regards,

Leo

deepakd · ‎07-15-2003

How about initiating SSH to PIX?