cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2295
Views
0
Helpful
5
Replies

CCP and Zone-based firewall: Editing FW policy issuee

lap
Level 2
Level 2

Hi,

I have a customer who really liked to use GUI to configure (manage ACL, Firewall policy) his Cisco devices (mainly routers).

Using the last version of CCÅ (2.3) I think there is an issue regarding the edition of firewall policy when you use ACL in the class map. The entry in the firewall policy appears as read-only. It is a shame because I cannot configure Zone-based firewall at my customer because he wouldn't be able to edit the Zone-based policies through CCP!

Working find with CBAC!

Anyone has seen this issue before?

CCP-ZBF.JPG

5 Replies 5

Kevin Redmon
Cisco Employee
Cisco Employee

Is there anything that is especially unique about these policy's access-lists versus others?  Are you able to modify other firewall policy/access-lists without issue?

Were the policies originally configured via CCP or via CLI?  If you configured them via CLI, how difficult would it be for you to configure via CCP?  There are certain values/fields that are used within the CLI textual output that CCP relies on to populate the GUI options.  If these fields are missing, this can make it impossible to edit the firewall policy via CCP.

If your client intends to make ongoing configuration changes leveraging CCP, it is advised to make all configuration changes via CCP.

Let me know if that helps.


Best Regards,

Kevin

Hi Kevin,

Thanks for your post. I have tried different scenario and the issue happens with self zone configuration only.

If you configure the other zones in CLI you can edit edit then without problem in GUI. But with the self zone, if you have configured Zone-based policies with CLI you cannot edit it with the GUI as it is read-only.

I don't know if you have the possibilty to test that. It is a shame because it could have been nice to have the possibilty to edit the OUT-TO-SELF and SELF-TO-OUT FW policy wiht the GUI.

Regards,

Laurent

chaitram
Level 1
Level 1

Hi

Can you share the running configuratoin of your router please? Will try to take a look on what could be the cause of the problem. I am assuming you are using Cisco Configuration Professional Version 2.3.

Thanks,

Chaitra

Hi,

Yes I am using version 2.3 and unfortunately I cannot share the config as I switch over to CBAC :-(

I am sure you can reproduce this in a Lab.

Thanks for your help.

Best Regards,

Laurent

Please open a case with TAC to have them look at it. They should be able to chase it down.

I hope it helps.

Rgs,

PK

Review Cisco Networking for a $25 gift card