Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Self generated packets


Using an ASA, I'm trying to TFTP to a remote site down a L2L VPN but cant work out how to get self generated packets down the VPN. The VPN is working perfectly for all forwarded traffic, the tftp server works, and the ASA can TFTP to local devices.

So far I have tried:

Setting "management-access inside"

Setting "tftp-server outside ..."

Thanks in advance,


Hall of Fame Super Silver

Self generated packets

It'd be a bit tricky but I believe you could add a /32 static route for the tftp server on the management interface for an inside router/gateway address. That gateway should then know to route to the remote site's netblock using the ASA inside interface and from there is should hit the cryptomap etc. and be IPsec-encapsulated into the VPN.

Otherwise the ASA will just try to send the traffic out the outside interface (thus initiating from the outside IP address) and it will not get encapsulated by IPsec and thus fail.

New Member

Re: Self generated packets

The above didn't work. I still havnt found a way to get the ASA to treat self generated traffic the same way as forwarded traffic which is a little frustrating but not vital.

I used SCP instead. Here my fix for those with the same issue:

* Type "ssh scopy enable" on each ASA's CLI

* Install 'shhpass' and 'expect' on a Linux box

* Create a shell script that looks like this-


if [ $1 = "Site1FW" ]; then

if [ $1 = "Site2FW" ]; then

#runs the expect script which will ssh into the remote ASA, enable scp and create a file called SCPconfbackup
/root/path/createbackupfile $REMOTE_IP

#scp into the remote firewall and pull down the config file. Save it in the TFTP folder with a timestamp.
sshpass -p 'Changeme' scp Username@$REMOTE_IP:disk0:SCPconfbackup /var/tftp/$1_backup$(date +"%d-%m-%Y")

#log that the script ran
echo "$1 autobackup script ran $(date)" >> /var/log/Autobackuplog

* Create another script that looks like this-


set REMOTE_IP [lindex $argv 0]

#log in to the ASA
spawn sshpass -p Changeme ssh Username@$REMOTE_IP

#enable up and copy the running-config to SCPconfbackup
expect ">"
send "enable\n"
expect "Password:"
send "ChangeMe\n"
expect "#"
send "conf t\n"
expect "#"
send "cop running-config disk0:SCPconfbackup\n"
expect "Source filename"
send "\n"
expect "Destination filename"
send "\n"
expect "%Warning:"
send "\n"
expect "#"
send "exit\n"
expect "#"
send "exit\n"

*Run the script with 'cron' eg.

@daily     /path/NameOfScript1 Site1FW

@hourly /path/NameOfScript1 Site2FW


This should work for most people assuming SSH already works between the server and ASA. I've already applied it to 3 sites with different ASA models etc with no changes needed.

CreatePlease to create content