In today’s blog installment, I’ll go over something that I tripped over by accident. This is going to come as old-hat to very experienced ASA admins, but every now and then I find a little trick that saves me loads of time.
If you live and breathe in a data-center environment, you may not have any other kind of access to your Cisco ASA other than SSH. This presents a problem when it comes transferring IOS images, config files, and packet captures to and from the managed device. So normally, we might pull out a tftp server or an ftp server, but the insecure nature of both of these protocols I find less then attractive. In addition to that, it’s one more server or service that needs to be configured and to use these protocols securely is a pain at best.
While looking for something completely unrelated to file transfers, i stumbled across the following command:
ssh scopy enable
This command turns on the ability to transfer files using scp across an SSH tunnel to the device. You of course will need to be able to ssh to the device before you can copy files with scp.
So, assume that I am at 192.168.1.10 and I have a route to the ASA at 10.0.0.1 though the inside interface of the asa.
On the ASA, I would need to enable ssh access to my host
Then I enable scp
That’s all there is to it. Assuming you can ssh to the ASA, you can now copy files to and from it.
Windows folks will need to download a scp client. Here is a free one. Mac and Linux users have an scp client built in.
Now, on my ASA I have a packet capture that I saved to flash called “capture.pcap” that I want to copy to the desktop of my Mac.
The syntax is: scp username@asa-ip:source-filename destination-location
scp firstname.lastname@example.org:cap1.pcap ~/Desktop
Output: cap1.pcap 4% 678KB 52.0KB/s 05:06 ETA
scp works in the other direction as well. Yes, you can upload files to your ASA.
The syntax is scp source-filename username@asa-ip:destination-filename
Output: config.bak 100% 39 0.0KB/s 00:00
That’s it! Yes, you can download and upload direct to your ASA without the need for TFTP or FTP servers or a bastion environment! I hope it saves you loads of time and trouble as it has for me.
EDIT: If you are looking for a way to scp from a Windows machine, Putty SCP works great with the ASA!