09-21-2010 04:36 AM - edited 03-11-2019 11:42 AM
Hi,
I have a customer who really liked to use the GUI to configure (manage ACLs, firewall policy) his Cisco devices (mainly routers).
Using the latest version of CCP (2.3), I think there is an issue with editing the firewall policy when you use an ACL in the class map. The entry in the firewall policy appears as read-only. It is a shame because I cannot configure Zone-based firewall at my customer because he wouldn't be able to edit the Zone-based policies through CCP!
Working fine with CBAC!
Has anyone seen this issue before?
09-21-2010 07:33 AM
Is there anything that is especially unique about these policy's access-lists versus others? Are you able to modify other firewall policy/access-lists without issue?
Were the policies originally configured via CCP or via CLI? If you configured them via CLI, how difficult would it be for you to configure via CCP? There are certain values/fields that are used within the CLI textual output that CCP relies on to populate the GUI options. If these fields are missing, this can make it impossible to edit the firewall policy via CCP.
If your client intends to make ongoing configuration changes leveraging CCP, it is advised to make all configuration changes via CCP.
Let me know if that helps.
Best Regards,
Kevin
09-22-2010 02:51 AM
Hi Kevin,
Thanks for your post. I have tried different scenarios and the issue happens with self zone configuration only.
If you configure the other zones in CLI you can edit them without problem in the GUI. But with the self zone, if you have configured Zone-based policies with CLI you cannot edit them with the GUI as they are read-only.
I don't know if you have the possibility to test that. It is a shame because it could have been nice to have the possibility to edit the OUT-TO-SELF and SELF-TO-OUT FW policy with the GUI.
Regards,
Laurent
09-28-2010 11:49 PM
Hi
Can you share the running configuration of your router please? I will try to take a look at what could be the cause of the problem. I am assuming you are using Cisco Configuration Professional Version 2.3.
Thanks,
Chaitra
10-07-2010 09:09 AM
Hi,
Yes, I am using version 2.3 and unfortunately I cannot share the config as I switched over to CBAC :-(
I am sure you can reproduce this in a Lab.
Thanks for your help.
Best Regards,
Laurent
10-07-2010 12:52 PM
Please open a case with TAC to have them look at it. They should be able to chase it down.
I hope it helps.
Rgs,
PK