cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2867
Views
0
Helpful
14
Replies

Cisco Configuration Professional 2.6 Cannot get Firewall configuration to launch

ajinks800
Level 1
Level 1

This has been such a pain... Ok so I finally got it running (CCP 2.6) on Win7 64-bit with the following:

- IE11

- Java (both are checked in Java settings):

1.6.0_7 (-Xmx256m)

and 1.6.0_17 (-Xmx256m -Dsun.java2d.d3d=false)

I've unchecked the next-gen Java plugin feature

- Run as Administrator (sucks but it works, I just need to remind myself everytime)

The program opens and it seems EVERYTHING runs EXCEPT the one thing I need to get to, which is the Firewall settings.  I've tried a bunch of different versions of Java with the same settings but none allow the firewall configuration to open when I click "Launch selected task"!  Nothing happens.

In CCP, when I click Security > Firewall > Firewall then select the 'Basic' or 'Advanced' options, then click "Launch the selected task" button, nothing happens.

Am I missing something here?  Is there something I need to set first to enable this feature?  I'm using a 2911 with the following IOS:

ROM: System Bootstrap, Version 15.0(1r)M15  It was hard to get even this far but this is what I have been trying to get to!  Help!  Any suggestions??

14 Replies 14

Marvin Rhoads
Hall of Fame
Hall of Fame

Does your 2911 have the security license necessary for the IOS ZBFW features? "show license feature" from the cli.

More details here:

http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985_ps10537_Products_White_Paper.html

It shows 3 permanent licenses for the CISCO2911/K9 as "Active, In Use" and "DEPLOYED":

- ipbasek9

- uck9

- securityk9

According to that link it should be covered under SECK9, correct? (SECK9 = securityk9 ?)

Yes, SECK9 is the Security license including payload encryption technology.

I should have asked - you are running the full CCP PC-based version - not the Express version. The Express version doesn't allow for nythign beyond the most basic setup. 2.7 is the most current PC-based version.

Download link.

I use it fine on Win 7 64-bit with IE 11 once I make sure to add http://127.0.0.1 to the compatibility view settings. (Reference)

No, I know about the Express version and this is not it.  I was running 2.6 but downloaded and upgraded to 2.7 which does the same thing.  I have access to EVERYTHING it seems EXCEPT the firewall wizard.  Playing around with several Java versions and IE settings I was able to see the IPS screens others complained about that weren't previously working, which I thought would allow the firewall wizard also, but it did not.  I've tried this on both a Windows 7 64-bit PC running IE11 and a Windows XP Pro PC running IE9.  So far, no luck with either.

Does something have to be enabled on the rouer itself?  I've even tried IE8 wit Java 6u11.  Same thing.  All works except the Firewall wizard.

Nothing special beyond the http server (or preferably secure-server) need to be enabled on the router for CCP. Given that you have the Securityk9 image license running, you should be able to setup firewall features.

Here's one of mine:

#show license feature

Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse

ipbasek9                 no           no          no             yes      no       

securityk9               yes          yes         no             yes      yes      

uck9                     yes          yes         no             no       yes      

datak9                   yes          yes         no             no       yes      

gatekeeper               yes          yes         no             no       yes      

SSL_VPN                  yes          yes         no             no       yes      

ios-ips-update           yes          yes         yes            no       yes      

SNASw                    yes          yes         no             no       yes      

hseck9                   yes          no          no             no       no       

cme-srst                 yes          yes         no             no       yes      

WAAS_Express             yes          yes         no             no       yes      

UCVideo                  yes          yes         no             no       yes      

#sh ver | i bin

System image file is "flash0:/c2900-universalk9-mz.SPA.152-3.T3.bin"


And the Wizard (basic or advanced) runs fine (click image to zoom). It is already configured with IOS ZBFW but that's not a prerequisite to launch the wizard - just the opposite in fact: you use the wizard for initial setup.

Capture.JPG

There are a million versions of Java, and CCP & SDM also have been sensitive to Java versions and runtime environments.  Also, there are several versions of IE and those are sensitive to settings.  Which versions are you running?  What is your EXACT configuration (OS/Java/IE/CCP/etc.)  I even tried in a virtual machine running Win7SP1-32 with IE9, then IE10 but again, everything works now EXCEPT the firewall wizard.  Does it matter that this is being done from an outside connection?  Do I need to open something on our firewall here?  I checked traffic and nothing is being blocked.  It's all passing on port 443 and even to a Cisco corporate IP address on port 80.  I still don't get it.

I am running Windows 7 Ultimate 64-bit SP1 with IE 11.0.2. Windows and IE are patched to the latest available patches.

My Java 7 is at update 45 vs. the newer update 51 since the latter breaks some other things (like ASDM).

My CCP is 2.7.

Are you using any runtime parameters for Java?

No Java runtime parameters are set. I am a local adminstrator on my system so all executables I launch directly or indirectly run as admin. The system is not joined to a domain and thus has no GPOs.

Wow... well so far I've tried it on 4 different machines including a VM, 3 different networks - one which was not blocked by a firewall (an external network) and 2 other subnets (which are also 'external' since the router is considered remote even though it sits here in our office), Windows 7 32 and 64 bit, several different versions of Java including 7/45, several versions of IE and STILL no luck. Can you manipulate Firefox to be used with this or is it locked into IE?  I can't figure this out.... FRUSTRATING

It's very tightly locked into and dependent upon IE as it uses the IE DLLs to run.

I guess you can just use the CLI. After all - everybody just loves that MQC command structure.

I'd also investigate whether there's something going on at the router itself. Things I would look at include:

- Has anyone modified the CP Express stuff that's on the box?

- What IOS is it running?

- Can you enter the ZBFW commands even from CLI?

If you have support on the router, you should be able to open a TAC case as you are unable to use one of the supported configuration methods at this point.

1. No one has touched the CCP Express (to add, now I can't even get to that - not that I really need to, but apparently it does not work well with IE11 either)

2. ROM: System Bootstrap, Version 15.0(1r)M15

3. I'm sure I can enter commands, but I haven't tried the ZBFW commands yet since I was going to first enable it via this wizard and modify it as necessary, since we're currently using a VPN on it already and the wizard, from what I understand, maintains that without interruption.

    

Is there a set list of commands somewhere I can copy that will enable this (isn't that what the wizard is doing anyway?) where I can tailor them to our environment before applying them on the router?

Marvin Rhoads
Hall of Fame
Hall of Fame

Sure, it's all covered in the configuration guide.

Here's a link that includes several examples as well as the details on each command:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

Review Cisco Networking for a $25 gift card