Upgrading IOS over the internet

There are many obvious reason to use FTP to upload an image, but the one I’m going to cover is transferring an IOS image across the internet using HTTP. This tutorial will work for FTP as well.

Referring to the image above, we want to upgrade the IOS on RTR-A. We will be accessing the IOS image that is on the web server with the address of The command we use is
copy flash:

Now is where the fun starts! The first thing you may need to do is disable passive FTP on RTR-A. The default is to use passive FTP.
no ip ftp passive

Next run the copy command from above.
RTR-A#copy flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]? 
%Error opening (I/O error)

Well that’s no good. What’s going on? Checking the ACL applied to the public interface, we some denied traffic.
057557: Jul 1 12:43:37 CST: %SEC-6-IPACCESSLOGP: list 102 denied tcp ->, 1 packet

Ahh, we need to create an ACE to allow the traffic. But take a look at the destination address. In this case it’s which is the PAT address for internal clients, not the interface IP of! Add the ACE to the ACL.
permit tcp host host eq 80

Try the copy again.
RTR-A#copy flash:
Destination filename [c3825-advsecurityk9-mz.124-25a.bin]? 
Loading !!!!!!!!!!!!!!!!!!!!!!
23372352 bytes copied in 344.504 secs (67843 bytes/sec)

Now it’s working! Don’t forget to verify the image.

Leave a Reply