Does your 2911 have the security license necessary for the IOS ZBFW features? "show license feature" from the cli.
More details here:
It shows 3 permanent licenses for the CISCO2911/K9 as "Active, In Use" and "DEPLOYED":
According to that link it should be covered under SECK9, correct? (SECK9 = securityk9 ?)
Yes, SECK9 is the Security license including payload encryption technology.
I should have asked - you are running the full CCP PC-based version - not the Express version. The Express version doesn't allow for anything beyond the most basic setup. 2.7 is the most current PC-based version.
No, I know about the Express version and this is not it. I was running 2.6 but downloaded and upgraded to 2.7 which does the same thing. I have access to EVERYTHING it seems EXCEPT the firewall wizard. Playing around with several Java versions and IE settings I was able to see the IPS screens others complained about that weren't previously working, which I thought would allow the firewall wizard also, but it did not. I've tried this on both a Windows 7 64-bit PC running IE11 and a Windows XP Pro PC running IE9. So far, no luck with either.
Nothing special beyond the http server (or preferably secure-server) needs to be enabled on the router for CCP. Given that you have the Securityk9 image license running, you should be able to set up firewall features.
Here's one of mine:
#show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9         no           no          no            yes      no
securityk9       yes          yes         no            yes      yes
uck9             yes          yes         no            no       yes
datak9           yes          yes         no            no       yes
gatekeeper       yes          yes         no            no       yes
SSL_VPN          yes          yes         no            no       yes
ios-ips-update   yes          yes         yes           no       yes
SNASw            yes          yes         no            no       yes
hseck9           yes          no          no            no       no
cme-srst         yes          yes         no            no       yes
WAAS_Express     yes          yes         no            no       yes
UCVideo          yes          yes         no            no       yes
#sh ver | i bin
System image file is "flash0:/c2900-universalk9-mz.SPA.152-3.T3.bin"
And the Wizard (basic or advanced) runs fine. It is already configured with IOS ZBFW but that's not a prerequisite to launch the wizard - just the opposite in fact: you use the wizard for initial setup.
There are a million versions of Java, and CCP & SDM also have been sensitive to Java versions and runtime environments. Also, there are several versions of IE and those are sensitive to settings. Which versions are you running? What is your EXACT configuration (OS/Java/IE/CCP/etc.)? I even tried in a virtual machine running Win7SP1-32 with IE9, then IE10 but again, everything works now EXCEPT the firewall wizard. Does it matter that this is being done from an outside connection? Do I need to open something on our firewall here? I checked traffic and nothing is being blocked. It's all passing on port 443 and even to a Cisco corporate IP address on port 80. I still don't get it.
I am running Windows 7 Ultimate 64-bit SP1 with IE 11.0.2. Windows and IE are patched to the latest available patches.
My Java 7 is at update 45 vs. the newer update 51 since the latter breaks some other things (like ASDM).
My CCP is 2.7.
No Java runtime parameters are set. I am a local administrator on my system so all executables I launch directly or indirectly run as admin. The system is not joined to a domain and thus has no GPOs.
Wow... well so far I've tried it on 4 different machines including a VM, 3 different networks - one which was not blocked by a firewall (an external network) and 2 other subnets (which are also 'external' since the router is considered remote even though it sits here in our office), Windows 7 32 and 64 bit, several different versions of Java including 7/45, several versions of IE and STILL no luck. Can you manipulate Firefox to be used with this or is it locked into IE? I can't figure this out.... FRUSTRATING
It's very tightly locked into and dependent upon IE as it uses the IE DLLs to run.
I guess you can just use the CLI. After all - everybody just loves that MQC command structure.
I'd also investigate whether there's something going on at the router itself. Things I would look at include:
- Has anyone modified the CP Express stuff that's on the box?
- What IOS is it running?
- Can you enter the ZBFW commands even from CLI?
If you have support on the router, you should be able to open a TAC case as you are unable to use one of the supported configuration methods at this point.
1. No one has touched the CCP Express (to add, now I can't even get to that - not that I really need to, but apparently it does not work well with IE11 either)
2. ROM: System Bootstrap, Version 15.0(1r)M15
3. I'm sure I can enter commands, but I haven't tried the ZBFW commands yet since I was going to first enable it via this wizard and modify it as necessary, since we're currently using a VPN on it already and the wizard, from what I understand, maintains that without interruption.
Is there a set list of commands somewhere I can copy that will enable this (isn't that what the wizard is doing anyway?) where I can tailor them to our environment before applying them on the router?
Sure, it's all covered in the configuration guide.
Here's a link that includes several examples as well as the details on each command:
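
For readers who end up configuring ZBFW from the CLI as discussed in this thread, a minimal two-zone baseline is sketched below. It is an added example, not a configuration posted by anyone in the thread or produced by the CCP wizard; the zone, class-map and policy-map names and the interface roles (GigabitEthernet0/0 as WAN, GigabitEthernet0/1 as LAN) are assumptions to adapt before use.

```cisco
! Added example: names and interface roles are assumptions, not from the thread.
!
! 1. Classify what inside hosts may initiate toward the outside.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 2. Statefully inspect that class (return traffic is permitted
!    automatically); drop and log everything else.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
!
! 3. Define the zones.
zone security INSIDE
zone security OUTSIDE
!
! 4. Bind the policy to one direction. No zone-pair is defined for
!    OUTSIDE -> INSIDE, so unsolicited inbound sessions are dropped.
zone-pair security ZP-IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! 5. Assign interfaces to zones last: from this point on, traffic
!    between a zone member and any interface without a zone is dropped.
interface GigabitEthernet0/0
 description WAN (assumed)
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN (assumed)
 zone-member security INSIDE
!
! Verify after applying:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

On a router that already terminates a crypto-map VPN on the WAN interface, decrypted traffic is treated as arriving from that interface's zone, so the remote subnets need their own OUTSIDE-to-INSIDE class and zone-pair before step 5 is applied. When working remotely, schedule a `reload in` rollback first so a mistake in zone membership does not lock out management access.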