Remote PIX upgrade over a VPN tunnel

I was looking into doing PIX code upgrades over a VPN tunnel and finally came up with the right commands to do it. The first problem I ran into was initiating the upgrade (via TFTP) from the outside public IP. I had marked that outside IP as ‘interesting’ traffic, so traffic initiated on the PIX to the TFTP server would be tunneled over the VPN to the concentrator and on to the server. What I hadn’t thought through was the return traffic from the TFTP server: it would have a destination of that public IP and would go straight out our default gateway to the internet instead of back through the tunnel. The easiest way to make this work was to force the traffic to be sourced from the inside IP of the PIX, over the tunnel, through the concentrator and on to the server. That way the return traffic to the RFC1918 address of the PIX’s inside interface is routed back through the concentrator, since the internal routes already point that way. Here’s what I ended up doing:

1) Copy the PIX Firewall binary image (pixnnn.bin) to the /tftpboot directory on the TFTP server.

2) Issue the ‘tftp-server’ command on the PIX:

pixfirewall> en
Password: ************
pixfirewall# config t
pixfirewall(config)# write mem
pixfirewall(config)# tftp-server inside [tftp-server IP] [pix hostname]

3) Issue the management-access command so the PIX sources the TFTP traffic from its inside interface:

pixfirewall(config)# management-access inside

4) Copy the existing configuration to the TFTP server:

pixfirewall(config)# write net

5) Retrieve the new PIX binary file:

pixfirewall(config)# exit
pixfirewall# copy tftp flash
Address or name of remote host [tftp-server IP]?
Source file name [cdisk]? pix635.bin
copying tftp://[tftp-server IP]/pix635.bin to flash:image
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!! [...]
Received 2101248 bytes
Erasing current image
Writing 1978424 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]
Image installed

6) Reload:

pixfirewall# write mem
pixfirewall# reload
Proceed with reload? [confirm]
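The steps above are all typed on the PIX; the server side (staging the image in step 1, and the config copy that ‘write net’ drops on the TFTP server in step 4) is just as easy to get wrong. The following shell helpers are an added example, not part of the original post or of any Cisco tooling. They assume the TFTP daemon serves the directory passed as an argument (the post uses /tftpboot), that the ‘Received N bytes’ line the PIX prints after ‘copy tftp flash’ should equal the size of the staged file, and that the config backup lands in the TFTP root under a name of your choosing (the name pixfirewall-confg in the usage note is constructed for the example).

```shell
#!/bin/sh
# Added example (not from the original post): server-side helpers for the TFTP
# staging in step 1 and the config backup taken in step 4.
# Assumption: $root is the directory the TFTP daemon serves (/tftpboot in the post).

# image_size FILE  -> byte count, for comparison with the PIX "Received N bytes" line
image_size() { wc -c < "$1" | tr -d ' '; }

# image_sha256 FILE -> hex digest, recorded so the staged image can be re-verified later
image_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_pix_image SRC TFTPROOT
# Copies the image into the TFTP root, makes it readable but not writable by anyone
# (TFTP has no authentication, so the daemon must not be able to overwrite it), and
# prints "<size> <sha256>" for the operator to compare against the PIX output.
stage_pix_image() {
    src="$1"; root="$2"
    [ -f "$src" ] || { echo "image not found: $src" >&2; return 1; }
    mkdir -p "$root"
    dest="$root/$(basename "$src")"
    cp "$src" "$dest"
    chmod 0444 "$dest"
    printf '%s %s\n' "$(image_size "$dest")" "$(image_sha256 "$dest")"
}

# check_received EXPECTED_SIZE FILE
# Returns 0 when the byte count the PIX reported equals the staged file's size,
# i.e. the transfer over the tunnel was not truncated.
check_received() { [ "$1" -eq "$(image_size "$2")" ]; }

# secure_config_backup FILE
# "write net" leaves a plaintext running-config (enable password, VPN keys) in the
# TFTP root. Restrict it to the owner once the transfer has finished and return the
# resulting permission string.
secure_config_backup() {
    [ -f "$1" ] || return 1
    chmod 0600 "$1"
    # ls is used instead of stat because stat's flags differ between GNU and BSD
    ls -l "$1" | cut -c1-10
}
```

Typical use: `stage_pix_image ~/pix635.bin /tftpboot` before step 1, then after the ‘copy tftp flash’ in step 5 compare the 2101248 printed by the PIX with `check_received 2101248 /tftpboot/pix635.bin`, and after step 4 run `secure_config_backup /tftpboot/pixfirewall-confg` (constructed name) so the saved config is not readable by every host that can reach the TFTP server.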