09-16-2013 03:51 AM - edited 03-04-2019 09:02 PM
I have been setting up an 819HGW and seem to have locked myself out of the CCP interface. I can still access the unit via CCP Express and CLI but need to be able to access it via the full CCP. I was finishing up the unit and configuring WAAS Express, and I'm not sure what change has affected this.
If I now try to access via CCP I get the below error. I have checked http and https via CLI.
"Security Applet failed on device 172.16.81.1 with error The HTTP and HTTPS protocols are not enabled on the router that you are attempting to discover. To discover the router, first use the Cisco IOS CLI to enable HTTP or HTTPS. Then discover the router."
09-17-2013 03:03 AM
Hi,
Since you can access via CLI, could you post 'show run'?
Make sure you've got:
ip http server
ip http secure-server
09-18-2013 01:09 AM
removed config
09-18-2013 01:47 AM
hi,
From which subnet are you accessing CCP? What's your ipconfig?
Also, what username did you use?
09-18-2013 01:54 AM
Hi
I was using 172.16.81.x (local) and via VPN before, but now neither works for CCP, while both work for CLI.
The username is ciscoadmin.
09-18-2013 02:18 AM
hi,
could you try:
no class-map type inspect match-all sdm-access
class-map type inspect match-any sdm-access
match class-map sdm-cls-access
match access-group 104
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTP
ip access-list extended SDM_HTTP
permit tcp any any eq 80
09-18-2013 02:26 AM
hi,
Entered all; the line "no class-map type inspect match-all sdm-access" replies back with "% Class-map sdm-access is being used".
Discovery in CCP still fails.
09-18-2013 02:37 AM
hi,
Try the below first, then enter the CLI given previously, and then put the service-policy back under the zone pair.
zone-pair security ccp-zp-out-self source out-zone destination self
no service-policy type inspect ccp-permit
09-19-2013 05:34 AM
Hi
I am still getting the previous reply back "% Class-map sdm-access is being used"
09-18-2013 07:05 AM
Hi,
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$CVO$$FW_INSIDE$
ip address 172.16.81.1 255.255.255.0
ip access-group 100 in
access-list 100 deny tcp any host 172.16.81.1 eq www
access-list 100 deny tcp any host 172.16.81.1 eq 443
This is what is blocking the communication from the local LAN
Regards
Alain
Don't forget to rate helpful posts.
09-19-2013 05:31 AM
I have allow lists above for specific subnets
09-19-2013 06:05 AM
Hi,
Is it still not working from your LAN? If so, enter this command on the router: ip inspect log drop-pkt, then enable console logging with the logging on and logging console 6 commands, then try again with CCP and give us the log output you get, if any.
Regards
Alain
Don't forget to rate helpful posts.
09-19-2013 06:29 AM
hi,
Nothing seems to be showing in the logs when using CCP. This was all working, and the last thing I modified was the WAAS Express.
09-19-2013 07:06 AM
Hi,
Can you show us the output from following:
-sh ip interface Vlan1
-sh access-list
Regards
Alain
Don't forget to rate helpful posts.
09-19-2013 07:33 AM
Vlan1 is up, line protocol is up
Internet address is 172.16.81.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching (with notification) turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check, TCP Adjust MSS
Output features: NAT Inside, Common Flow Table, Stateful Inspection, CCE Post NAT Classification, Firewall (firewall component), TCP Adjust MSS, NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Standard IP access list 1
10 permit 10.10.10.0, wildcard bits 0.0.0.7
Standard IP access list 2
10 permit 172.16.1.231
20 permit ## ExtIP ##
30 permit 172.16.200.0, wildcard bits 0.0.0.255 (13 matches)
40 permit 172.16.1.0, wildcard bits 0.0.0.255
50 permit 172.16.81.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq telnet
20 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq telnet
30 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq telnet
40 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 22
50 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq 22
60 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 22
70 permit tcp host ## ExtIP ## host 172.16.81.1 eq 22
80 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq www
90 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq www
100 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq www
110 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 443
120 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq 443
130 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 443
140 permit tcp host ## ExtIP ## host 172.16.81.1 eq 443
150 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq cmd
160 permit tcp 172.16.1.0 0.0.0.255 host 172.16.81.1 eq cmd
170 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq cmd
180 permit tcp host ## ExtIP ## host 172.16.81.1 eq cmd
190 deny tcp any host 172.16.81.1 eq telnet
200 deny tcp any host 172.16.81.1 eq 22
210 deny tcp any host 172.16.81.1 eq www
220 deny tcp any host 172.16.81.1 eq 443
230 deny tcp any host 172.16.81.1 eq cmd
240 deny udp any host 172.16.81.1 eq snmp
250 permit udp host 172.16.1.13 eq ntp host 172.16.81.1 eq ntp
260 deny ip host 255.255.255.255 any
270 deny ip 127.0.0.0 0.255.255.255 any
280 permit ip any any (44661 matches)
Extended IP access list 101
10 permit udp any eq bootps any eq bootpc
20 deny ip 10.10.10.0 0.0.0.255 any
30 permit icmp any any echo-reply
40 permit icmp any any time-exceeded
50 permit icmp any any unreachable
60 deny ip 10.0.0.0 0.255.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.168.0.0 0.0.255.255 any
90 deny ip 127.0.0.0 0.255.255.255 any
100 deny ip host 255.255.255.255 any
110 deny ip any any
Extended IP access list 102
10 permit ip 172.16.200.0 0.0.0.255 any (8 matches)
20 permit ip 172.16.1.0 0.0.0.255 any (4 matches)
30 permit ip 172.16.81.0 0.0.0.255 any
40 permit ip host ## ExtIP ## any
Extended IP access list 103
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 104
10 permit ip host ## ExtIP ## any
Extended IP access list 105
10 permit ip host ## ExtIP ## any
Extended IP access list 106
10 permit ip 172.16.0.0 0.0.255.255 any
Extended IP access list 198
10 permit ip any any (23950 matches)
Extended IP access list SDM_AH
10 permit ahp any any
Extended IP access list SDM_ESP
10 permit esp any any
Extended IP access list SDM_HTTPS
10 permit tcp any any eq 443
Extended IP access list SDM_IP
10 permit ip any any (66657 matches)
Extended IP access list SDM_SHELL
10 permit tcp any any eq cmd
Extended IP access list SDM_SSH
10 permit tcp any any eq 22
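First-match evaluation of ACL 100 as posted in the output above, as an added example that is not part of the original thread: it parses the www/443 entries and applies IOS wildcard-mask matching to show which sequence number decides a given connection to 172.16.81.1. The function names and the test host 172.16.81.50 are assumptions made for illustration, and only the interface ACL is modelled, not the zone-based firewall policy discussed earlier in the thread.

```python
import ipaddress

# Subset of ACL 100 copied from the 'sh access-list' output in the thread
# (www/443 entries and the final catch-all; redacted ExtIP entries omitted).
ACL_100 = """\
80 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq www
100 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq www
110 permit tcp 172.16.200.0 0.0.0.255 host 172.16.81.1 eq 443
130 permit tcp 172.16.81.0 0.0.0.255 host 172.16.81.1 eq 443
210 deny tcp any host 172.16.81.1 eq www
220 deny tcp any host 172.16.81.1 eq 443
280 permit ip any any
"""
PORTS = {"www": 80, "telnet": 23, "cmd": 514}  # IOS port keywords

def take_addr(tok):
    """Consume one address spec from tok; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((seq, action, proto, src, dst, port))
    return rules

def addr_match(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def first_match(rules, proto, src, dst, dport):
    """Return (sequence, action) of the first entry the packet matches."""
    for seq, action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and addr_match(src, r_src)
                and addr_match(dst, r_dst) and r_port in (None, dport)):
            return seq, action
    return None, "deny"  # implicit deny ends every ACL

RULES = parse(ACL_100)
print(first_match(RULES, "tcp", "172.16.81.50", "172.16.81.1", 443))
```

For a host on 172.16.81.0/24, entries 100 and 130 match before the deny entries 210 and 220 are reached; a source outside the three permitted subnets falls through to the deny entries.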