Cisco 861 - Firewall configuration not available with CCP

Answered Question
May 4th, 2012

Set up a new Cisco 861 and it is working well on a new BTNet line for the customer. I changed the firewall using CCP from Zone to Classic Firewall. It worked great all day and I configured what I needed to do.

Now, with CCP (version 2.6), I have the following message:

** Cisco CP has detected that the router is configured with either legacy and Zone Policy Firewall (ZPF) or Legacy firewall. If you want to use Cisco CP to configure an zone-based firewall, you must first delete the Legacy configuration. **

Can anyone help, please?

The config of the router is below, with customer details changed:

Current configuration : 9546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname dcs29719
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 goggblejooksecret
!
no aaa new-model
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2462657273
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2462657273
 revocation-check none
 rsakeypair TP-self-signed-2462657273
!
!
crypto pki certificate chain TP-self-signed-2462657273
 certificate self-signed 01
  ** CERTIFICATE DATA REMOVED **
  quit
no ip source-route
!
!
ip port-map user-protocol--1 port tcp 3389
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ip bootp server
ip domain name company.local
ip name-server 8.8.8.8
!
!
!
!
username admin privilege 15 secret 5 $1$S9T7$oRzqa5kwkIPWRpN8vuqyW/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 70115e5c60 address 111.111.111.111
crypto isakmp key 70115e5c60 address 123.123.123.123
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to111.111.111.111
 set peer 111.111.111.111
 set transform-set ESP-3DES-SHA
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to123.123.123.123
 set peer 123.123.123.123
 set transform-set ESP-3DES-SHA1
 match address 104
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 81.145.193.50 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip inspect CCP_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.99.252 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 81.144.192.49 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.99.100 3389 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.99.103 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.99.104 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.99.103 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list standard ARG-LANs
 remark CCP_ACL Category=2
 remark MeadowbankRoad
 permit 192.168.99.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip 81.144.192.48 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit udp host 123.123.123.123 host 81.145.193.50 eq non500-isakmp
access-list 101 permit udp host 123.123.123.123 host 81.145.193.50 eq isakmp
access-list 101 permit esp host 123.123.123.123 host 81.145.193.50
access-list 101 permit ahp host 123.123.123.123 host 81.145.193.50
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit udp host 111.111.111.111 host 81.145.193.50 eq non500-isakmp
access-list 101 permit udp host 111.111.111.111 host 81.145.193.50 eq isakmp
access-list 101 permit esp host 111.111.111.111 host 81.145.193.50
access-list 101 permit ahp host 111.111.111.111 host 81.145.193.50
access-list 101 permit udp host 8.8.8.8 eq domain host 81.145.193.50
access-list 101 permit tcp any host 81.145.193.50 eq 3389
access-list 101 permit tcp 195.90.96.0 0.0.1.255 host 81.145.193.50 eq smtp
access-list 101 permit tcp host 217.37.118.109 host 81.145.193.50 eq 3390
access-list 101 deny ip 192.168.99.0 0.0.0.255 any
access-list 101 permit icmp any host 81.145.193.50 echo-reply
access-list 101 permit icmp any host 81.145.193.50 time-exceeded
access-list 101 permit icmp any host 81.145.193.50 unreachable
access-list 101 permit tcp any host 81.145.193.50 eq 443
access-list 101 permit tcp any host 81.145.193.50 eq 22
access-list 101 permit tcp any host 81.145.193.50 eq cmd
access-list 101 permit tcp any host 81.145.193.50 eq 4443
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark MeadowbankRoad
access-list 103 permit ip 192.168.99.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.99.0 0.0.0.255 192.168.101.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner motd ^CC
My Banner
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

h.grankvist Sat, 05/05/2012 - 03:31

The message is self-explanatory: either you have ZFW and CBAC configured, or you have CBAC (Classic firewall) configured, and you have CBAC.

So what do you want help with?

chrislord Sat, 05/05/2012 - 04:11

I realise what the message says. I can configure the firewall using the CLI when I need to. However, I have colleagues who find it easier to use CCP.

My point is that I could configure the classic firewall using CCP, but now I cannot. The message says to delete the classic entries (which is all of them). I could take a more aggressive approach by using the CLI to delete all entries relating to the firewall (classic or zone), which would not only risk me cutting myself off on a bank holiday weekend, but also risk disrupting the customer.

The assistance I require (only being a CCENT 'n' all) is help identifying where the zone firewall remnants are in the config that need removing.

I could of course start the config again, but would like to avoid any disruption.

Correct Answer
h.grankvist Sat, 05/05/2012 - 04:44

Ok, so now you will have to configure a ZFW?

-------------------------------

There are two class-maps left from a previous ZFW configuration in the config:

class-map type inspect match-any ccp-cls-icmp-access

class-map type inspect match-any ccp-cls-insp-traffic

They aren't used anywhere, but if you will start from scratch you might as well remove them.
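The check the answer did by eye, as an added example (not code from the thread or from Cisco): read an IOS running-config, say whether it carries classic CBAC (`ip inspect`) rules, ZFW objects, or both (the mixed state CCP objects to), and list any `class-map type inspect` entries that no `policy-map type inspect` selects. The sample config is constructed to mirror the thread, and the generated removal lines simply prefix each orphaned definition with `no`.

```python
import re

# Constructed sample (not the poster's full config): CBAC "ip inspect" rules
# applied on the WAN interface, plus two ZFW class-maps that nothing references.
SAMPLE_CONFIG = """\
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol tcp
interface FastEthernet4
 ip inspect CCP_LOW out
"""

# Captures (match-any|match-all or '', class-map name) for each ZFW class-map.
CLASS_MAP_RE = re.compile(r"^class-map type inspect (?:(match-\w+) )?(\S+)", re.M)


def audit_firewall_config(text):
    """Classify a running-config as CBAC, ZFW, both or neither, and list
    'class-map type inspect' entries that no policy-map references."""
    cbac_rules = sorted(set(re.findall(r"^ip inspect name (\S+)", text, re.M)))
    cbac_applied = re.findall(r"^\s+ip inspect (\S+) (?:in|out)$", text, re.M)
    class_maps = CLASS_MAP_RE.findall(text)          # [(match_type, name), ...]
    policy_maps = re.findall(r"^policy-map type inspect (\S+)", text, re.M)
    zone_pairs = re.findall(r"^zone-pair security (\S+)", text, re.M)
    # A class-map is only in use when a policy-map body selects it with
    # "class type inspect <name>"; anything else is a leftover.
    used = set(re.findall(r"^\s+class type inspect (\S+)", text, re.M))
    orphans = [(mt, name) for mt, name in class_maps if name not in used]
    has_cbac = bool(cbac_rules or cbac_applied)
    has_zfw_objects = bool(class_maps or policy_maps or zone_pairs)
    return {
        "cbac": has_cbac,
        "cbac_rules": cbac_rules,
        "zfw": bool(policy_maps or zone_pairs),
        "zfw_remnants": [name for _, name in orphans],
        # What CCP objects to: legacy inspection alongside ZFW objects.
        "mixed": has_cbac and has_zfw_objects,
        # Removal commands for the leftovers: the definition prefixed with "no".
        "cleanup": ["no class-map type inspect " + (mt + " " if mt else "") + name
                    for mt, name in orphans],
    }


if __name__ == "__main__":
    for key, value in audit_firewall_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```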

Posted May 4, 2012 at 11:18 PM