In today’s blog installment, I’ll go over something that I tripped over by accident. This is going to come as old-hat to very experienced ASA admins, but every now and then I find a little trick that saves me loads of time.
If you live and breathe in a data-center environment, you may not have any other kind of access to your Cisco ASA other than SSH. This presents a problem when it comes to transferring IOS images, config files, and packet captures to and from the managed device. So normally, we might pull out a tftp server or an ftp server, but the insecure nature of both of these protocols I find less than attractive. In addition to that, it's one more server or service that needs to be configured, and using these protocols securely is a pain at best.
While looking for something completely unrelated to file transfers, I stumbled across the following command:
ssh scopy enable
This command turns on the ability to transfer files using scp across an SSH tunnel to the device. You of course will need to be able to ssh to the device before you can copy files with scp.
So, assume that I am at 192.168.1.10 and I have a route to the ASA at 10.0.0.1 through the inside interface of the ASA.
On the ASA, I would need to enable ssh access to my host
Then I enable scp
That’s all there is to it. Assuming you can ssh to the ASA, you can now copy files to and from it.
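The two steps above as ASA configuration-mode commands. This is an added example, not the original post's own listing; it assumes the interface is named "inside" and that a /32 host mask is wanted so only 192.168.1.10 can reach the SSH/SCP service.

```cisco
! Constructed example for the scenario above: admin host 192.168.1.10,
! ASA reachable through the interface named "inside" (assumed nameif).

! Prerequisites for SSH itself (skip if you can already log in over SSH):
! an RSA host key and local authentication for SSH sessions.
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL

! Step 1: allow SSH only from the single management host.
! The 255.255.255.255 mask keeps the rest of the subnet away from the
! SSH/SCP service; avoid the broad form "ssh 0.0.0.0 0.0.0.0 inside".
ssh 192.168.1.10 255.255.255.255 inside

! Step 2: turn on the SCP server.
ssh scopy enable

! Review the resulting SSH settings.
show running-config ssh
```

If a transfer fails from a recent OpenSSH client (9.0 or later, where scp defaults to the SFTP protocol), retry with `scp -O` to force the legacy SCP protocol.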
Windows folks will need to download an scp client. Here is a free one. Mac and Linux users have an scp client built in.
Now, on my ASA I have a packet capture that I saved to flash called “capture.pcap” that I want to copy to the desktop of my Mac.
The syntax is: scp username@asa-ip:source-filename destination-location
scp aaron@10.0.0.1:cap1.pcap ~/Desktop
Output: cap1.pcap 4% 678KB 52.0KB/s 05:06 ETA
scp works in the other direction as well. Yes, you can upload files to your ASA.
The syntax is: scp source-filename username@asa-ip:destination-filename
Output: config.bak 100% 39 0.0KB/s 00:00
That’s it! Yes, you can download and upload direct to your ASA without the need for TFTP or FTP servers or a bastion environment! I hope it saves you loads of time and trouble as it has for me.
EDIT: If you are looking for a way to scp from a Windows machine, Putty SCP works great with the ASA!