02-04-2014 11:08 AM
This has been such a pain... Ok so I finally got it running (CCP 2.6) on Win7 64-bit with the following:
- IE11
- Java (both are checked in Java settings):
1.6.0_7 (-Xmx256m)
and 1.6.0_17 (-Xmx256m -Dsun.java2d.d3d=false)
I've unchecked the next-gen Java plugin feature
- Run as Administrator (sucks but it works, I just need to remind myself every time)
The program opens and it seems EVERYTHING runs EXCEPT the one thing I need to get to, which is the Firewall settings. I've tried a bunch of different versions of Java with the same settings but none allow the firewall configuration to open when I click "Launch selected task"! Nothing happens.
In CCP, when I click Security > Firewall > Firewall then select the 'Basic' or 'Advanced' options, then click "Launch the selected task" button, nothing happens.
Am I missing something here? Is there something I need to set first to enable this feature? I'm using a 2911 with the following IOS:
ROM: System Bootstrap, Version 15.0(1r)M15
It was hard to get even this far but this is what I have been trying to get to! Help! Any suggestions??
02-04-2014 02:02 PM
Does your 2911 have the security license necessary for the IOS ZBFW features? "show license feature" from the cli.
More details here:
02-04-2014 02:27 PM
It shows 3 permanent licenses for the CISCO2911/K9 as "Active, In Use" and "DEPLOYED":
- ipbasek9
- uck9
- securityk9
According to that link it should be covered under SECK9, correct? (SECK9 = securityk9 ?)
02-04-2014 03:03 PM
Yes, SECK9 is the Security license including payload encryption technology.
I should have asked - you are running the full CCP PC-based version - not the Express version. The Express version doesn't allow for anything beyond the most basic setup. 2.7 is the most current PC-based version.
I use it fine on Win 7 64-bit with IE 11 once I make sure to add http://127.0.0.1 to the compatibility view settings. (Reference)
02-05-2014 06:55 AM
No, I know about the Express version and this is not it. I was running 2.6 but downloaded and upgraded to 2.7 which does the same thing. I have access to EVERYTHING it seems EXCEPT the firewall wizard. Playing around with several Java versions and IE settings I was able to see the IPS screens others complained about that weren't previously working, which I thought would allow the firewall wizard also, but it did not. I've tried this on both a Windows 7 64-bit PC running IE11 and a Windows XP Pro PC running IE9. So far, no luck with either.
02-05-2014 11:05 AM
Does something have to be enabled on the router itself? I've even tried IE8 with Java 6u11. Same thing. All works except the Firewall wizard.
02-05-2014 03:18 PM
Nothing special beyond the http server (or preferably secure-server) needs to be enabled on the router for CCP. Given that you have the Securityk9 image license running, you should be able to set up firewall features.
Here's one of mine:
#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
uck9                     yes          yes         no             no       yes
datak9                   yes          yes         no             no       yes
gatekeeper               yes          yes         no             no       yes
SSL_VPN                  yes          yes         no             no       yes
ios-ips-update           yes          yes         yes            no       yes
SNASw                    yes          yes         no             no       yes
hseck9                   yes          no          no             no       no
cme-srst                 yes          yes         no             no       yes
WAAS_Express             yes          yes         no             no       yes
UCVideo                  yes          yes         no             no       yes

#sh ver | i bin
System image file is "flash0:/c2900-universalk9-mz.SPA.152-3.T3.bin"
And the Wizard (basic or advanced) runs fine. It is already configured with IOS ZBFW but that's not a prerequisite to launch the wizard - just the opposite in fact: you use the wizard for initial setup.
02-06-2014 07:22 AM
There are a million versions of Java, and CCP & SDM also have been sensitive to Java versions and runtime environments. Also, there are several versions of IE and those are sensitive to settings. Which versions are you running? What is your EXACT configuration (OS/Java/IE/CCP/etc.)? I even tried in a virtual machine running Win7SP1-32 with IE9, then IE10 but again, everything works now EXCEPT the firewall wizard. Does it matter that this is being done from an outside connection? Do I need to open something on our firewall here? I checked traffic and nothing is being blocked. It's all passing on port 443 and even to a Cisco corporate IP address on port 80. I still don't get it.
02-06-2014 07:30 AM
I am running Windows 7 Ultimate 64-bit SP1 with IE 11.0.2. Windows and IE are patched to the latest available patches.
My Java 7 is at update 45 vs. the newer update 51 since the latter breaks some other things (like ASDM).
My CCP is 2.7.
02-06-2014 07:46 AM
Are you using any runtime parameters for Java?
02-06-2014 07:56 AM
No Java runtime parameters are set. I am a local administrator on my system so all executables I launch directly or indirectly run as admin. The system is not joined to a domain and thus has no GPOs.
02-06-2014 09:11 AM
Wow... well so far I've tried it on 4 different machines including a VM, 3 different networks - one which was not blocked by a firewall (an external network) and 2 other subnets (which are also 'external' since the router is considered remote even though it sits here in our office), Windows 7 32 and 64 bit, several different versions of Java including 7/45, several versions of IE and STILL no luck. Can you manipulate Firefox to be used with this or is it locked into IE? I can't figure this out.... FRUSTRATING
02-06-2014 09:26 AM
It's very tightly locked into and dependent upon IE as it uses the IE DLLs to run.
I guess you can just use the CLI. After all - everybody just loves that MQC command structure.
I'd also investigate whether there's something going on at the router itself. Things I would look at include:
- Has anyone modified the CP Express stuff that's on the box?
- What IOS is it running?
- Can you enter the ZBFW commands even from CLI?
If you have support on the router, you should be able to open a TAC case as you are unable to use one of the supported configuration methods at this point.
02-06-2014 09:49 AM
1. No one has touched the CCP Express (to add, now I can't even get to that - not that I really need to, but apparently it does not work well with IE11 either)
2. ROM: System Bootstrap, Version 15.0(1r)M15
3. I'm sure I can enter commands, but I haven't tried the ZBFW commands yet since I was going to first enable it via this wizard and modify it as necessary, since we're currently using a VPN on it already and the wizard, from what I understand, maintains that without interruption.
Is there a set list of commands somewhere I can copy that will enable this (isn't that what the wizard is doing anyway?) where I can tailor them to our environment before applying them on the router?
02-06-2014 09:54 AM
Sure, it's all covered in the configuration guide.
Here's a link that includes several examples as well as the details on each command:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html
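
A minimal zone-based firewall configuration of the kind the linked configuration guide covers, added here as an example; it is not part of the thread and is not output from the CCP wizard. Zone names, policy names, interface names and the VPN subnets are assumptions to be replaced with the router's own values.

```cisco
! Constructed example: all names, interfaces and subnets below are assumptions.
zone security INSIDE
zone security OUTSIDE
!
! Outbound traffic to inspect (return traffic is allowed statefully)
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Inbound: only traffic from the remote VPN subnet to the local subnet
ip access-list extended ACL-VPN-REMOTE-TO-LOCAL
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
class-map type inspect match-all CM-VPN-IN
 match access-group name ACL-VPN-REMOTE-TO-LOCAL
!
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-VPN-IN
  inspect
 class class-default
  drop log
!
zone-pair security ZP-OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
!
! Assign interfaces last: once an interface is a zone member, traffic
! between it and any interface without a zone is dropped.
interface GigabitEthernet0/1
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
```

Traffic to and from the router itself (the self zone) stays permitted until a zone-pair involving self is configured, so HTTPS management access to the router is not cut off by this fragment. The OUTSIDE-to-INSIDE pair assumes the existing VPN is a crypto map on the outside interface, in which case decrypted tunnel traffic is evaluated against that pair.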