Cisco Support Community
New Member

copy tftp: startup-config via EzVPN on 831

Hi Gurus et al.

I've inherited a large group of routers and I'm working to modify the enable secret on them. These are all Cisco 831 routers running 12.3(8)YA1 using EzVPN to connect to our WAN. The startup-config is generic in nature and is used in connecting to a CNS server which provides the running-config specific to each router. I'm trying to determine how to modify the startup-config without altering its generic nature (i.e. can't use copy running-config startup-config). The only way I can think of to do this would be to "copy tftp: startup-config" - but I can't seem to get the tftp traffic to route through the ipsec tunnel (instead of using the tubes and being blocked by our firewall). If there's a better way to modify the startup-config I'm all ears. Please keep in mind that I do not control the VPN concentrator and that these routers are very remote from me.

Our router configurations come in two flavors: client mode and NEM, with clients using DHCP for their internal address, while NEM routers are statically assigned a pool of 8 addresses.

Coming from a Linux/iptables world (forgive the heresy) I expected to be able to just add a route through a tunnel interface, but I could not figure out how to do that (if it can be done).

The other idea I had was to bring up a loopback interface as an additional tunneling IF and add a route to that, but EzVPN won't allow more than one tunnel (and abandoning EzVPN is not an option).

Forgive my IOS noobishness, but is there a way to specify a source IP/IF for tftp requests? Would this permit the use of the ipsec tunnel as the route for such requests?

Am I trying to do this the hard way? I'm sure I'm coming at this from the wrong direction but I just don't know where else to look. If there's a FAQ on this somewhere I'd be happy to read it.

Thank you all for your time.


crypto ipsec client ezvpn crws-client
 connect auto
 group xxx key xxx
 mode network-extension

username xxxx password xxxx

interface Ethernet0
 ip address
 no cdp enable
 crypto ipsec client ezvpn crws-client inside
 hold-queue 32 in
 hold-queue 100 out

interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group xxx-admin in
 duplex auto
 no cdp enable
 crypto ipsec client ezvpn crws-client

New Member

Re: copy tftp: startup-config via EzVPN on 831

Hello again.

After a night of rest and with a belly full of cinnamon rolls I discovered the solution to my problem:

(config)# ip tftp source-interface eth0

Thanks for looking.
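
Before a file is copied over the tunnel onto startup-config, it is worth confirming that the edited copy differs from the generic template only in the enable secret line. The following is an added example, not part of the original posts: the template text, hostname and hash values are constructed placeholders, and the new secret is assumed to be supplied already hashed in type 5 (MD5-crypt) form.

```python
import difflib
import re

# MD5-crypt ("type 5") layout: $1$<salt>$<22-character digest>
TYPE5 = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
SECRET_LINE = re.compile(r"^enable secret\b.*$", re.MULTILINE)

# Constructed sample data: not a real configuration and not real hashes.
OLD_HASH = "$1$AAAA$" + "A" * 22
NEW_HASH = "$1$BBBB$" + "B" * 22
TEMPLATE = f"""\
hostname generic-831
enable secret 5 {OLD_HASH}
ip tftp source-interface Ethernet0
crypto ipsec client ezvpn crws-client
 connect auto
 mode network-extension
"""


def set_enable_secret(template: str, type5_hash: str) -> str:
    """Return the template with its single enable secret line replaced."""
    if not TYPE5.match(type5_hash):
        raise ValueError("expected a pre-hashed type 5 ($1$...) secret")
    if len(SECRET_LINE.findall(template)) != 1:
        raise ValueError("template must contain exactly one 'enable secret' line")
    # A function replacement keeps '$' and '\' in the hash from being
    # interpreted as regex group references.
    return SECRET_LINE.sub(lambda m: f"enable secret 5 {type5_hash}", template)


def changed_lines(old: str, new: str) -> list[str]:
    """Lines removed from or added to the template ('- ' / '+ ' prefixed)."""
    diff = difflib.ndiff(old.splitlines(), new.splitlines())
    return [line for line in diff if line.startswith(("- ", "+ "))]


def only_secret_changed(old: str, new: str) -> bool:
    """True when the enable secret line is the only difference."""
    lines = changed_lines(old, new)
    return len(lines) == 2 and all(
        line[2:].startswith("enable secret ") for line in lines
    )


if __name__ == "__main__":
    candidate = set_enable_secret(TEMPLATE, NEW_HASH)
    print("\n".join(changed_lines(TEMPLATE, candidate)))
    print("safe to publish:", only_secret_changed(TEMPLATE, candidate))
```
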

