Upgrading IOS over the internet

There are many obvious reasons to use FTP to upload an image, but what I’m going to cover here is transferring an IOS image across the internet using HTTP. This tutorial will work for FTP as well.

Referring to the image above, we want to upgrade the IOS on RTR-A. We will be accessing the IOS image that is on the web server with the address of 69.222.73.10. The command we use is
copy http://69.222.73.10/c3825-advsecurityk9-mz.124-25a.bin flash:

Now is where the fun starts! The first thing you may need to do is disable passive FTP on RTR-A. The default is to use passive FTP.
no ip ftp passive

Next run the copy command from above.
RTR-A#copy http://69.222.73.10/c3825-advsecurityk9-mz.124-25a.bin flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]? 
%Error opening http://69.222.73.10/c3825-advsecurityk9-mz.124-25a.bin (I/O error)

Well that’s no good. What’s going on? Checking the ACL applied to the public interface, we see some denied traffic.
057557: Jul 1 12:43:37 CST: %SEC-6-IPACCESSLOGP: list 102 denied tcp 69.222.73.10(80) -> 75.50.95.80(20651), 1 packet

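Ahh, we need to create an ACE to allow the traffic. But take a look at the destination address. In this case it’s 75.50.95.80, which is the PAT address for internal clients, not the interface IP of 75.50.95.72! Note also that port 80 is the source port of the denied packet (the web server is replying to us), so the port match goes on the source side of the entry. Add the ACE to the ACL.
permit tcp host 69.222.73.10 eq 80 host 75.50.95.80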
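
As an added example (not part of the original post), this Python script parses the denied-packet log line shown above and builds the matching ACE, putting the port match on the side where the well-known port was logged. The function names, the 1023 port cut-off and the optional `established` keyword are assumptions of the example.

```python
import re

# Body of an IOS %SEC-6-IPACCESSLOGP message (TCP/UDP, ports in parentheses).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
SERVICE_PORT_MAX = 1023  # assumption: higher ports are per-connection ephemeral ports


def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def suggest_ace(entry, established=False):
    """Build a permit ACE for a denied flow, pinning the port on the side it was logged."""
    if entry is None or entry["action"] != "denied":
        return None
    src, dst = f"host {entry['src']}", f"host {entry['dst']}"
    if entry["sport"] <= SERVICE_PORT_MAX:
        src += f" eq {entry['sport']}"
    if entry["dport"] <= SERVICE_PORT_MAX:
        dst += f" eq {entry['dport']}"
    ace = f"permit {entry['proto']} {src} {dst}"
    # 'established' limits a TCP entry to packets with ACK or RST set (replies only).
    if established and entry["proto"] == "tcp":
        ace += " established"
    return ace


def hits_interface_ip(entry, interface_ip):
    """False means the flow targets another address (here, the PAT address)."""
    return entry["dst"] == interface_ip


# The log line quoted on this page.
SAMPLE = ("057557: Jul 1 12:43:37 CST: %SEC-6-IPACCESSLOGP: list 102 denied tcp "
          "69.222.73.10(80) -> 75.50.95.80(20651), 1 packet")

if __name__ == "__main__":
    e = parse_acl_log(SAMPLE)
    print(suggest_ace(e, established=True))
    print("destination is interface IP:", hits_interface_ip(e, "75.50.95.72"))
```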

Try the copy again.
RTR-A#copy http://69.222.73.10/c3825-advsecurityk9-mz.124-25a.bin flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]? 
Loading http://69.222.73.10/c3825-advsecurityk9-mz.124-25a.bin !!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
23372352 bytes copied in 344.504 secs (67843 bytes/sec)

Now it’s working! Don’t forget to verify the image.
