05-04-2012 11:18 PM - edited 03-11-2019 04:02 PM
Set up a new Cisco 861, and it is working well on a new BTNet line for the customer. Changed the firewall using CCP from Zone to Classic Firewall. Worked great all day and configured what I needed to do.
Now, with CCP (version 2.6), I have the following message:
** Cisco CP has detected that the router is configured with either legacy and Zone Policy Firewall (ZPF) or Legacy firewall. If you want to use Cisco CP to configure a zone-based firewall, you must first delete the Legacy configuration. **
Can anyone help, please?
The config of the router is below, with customer details changed:
Current configuration : 9546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname dcs29719
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 goggblejooksecret
!
no aaa new-model
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2462657273
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2462657273
revocation-check none
rsakeypair TP-self-signed-2462657273
!
!
crypto pki certificate chain TP-self-signed-2462657273
certificate self-signed 01
** CERTIFICATE DATA REMOVED **
quit
no ip source-route
!
!
ip port-map user-protocol--1 port tcp 3389
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ip bootp server
ip domain name company.local
ip name-server 8.8.8.8
!
!
!
!
username admin privilege 15 secret 5 $1$S9T7$oRzqa5kwkIPWRpN8vuqyW/
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 70115e5c60 address 111.111.111.111
crypto isakmp key 70115e5c60 address 123.123.123.123
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to111.111.111.111
set peer 111.111.111.111
set transform-set ESP-3DES-SHA
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to123.123.123.123
set peer 123.123.123.123
set transform-set ESP-3DES-SHA1
match address 104
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address 81.145.193.50 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.99.252 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 81.144.192.49 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.99.100 3389 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.99.103 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.99.104 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.99.103 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list standard ARG-LANs
remark CCP_ACL Category=2
remark MeadowbankRoad
permit 192.168.99.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip 81.144.192.48 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit udp host 123.123.123.123 host 81.145.193.50 eq non500-isakmp
access-list 101 permit udp host 123.123.123.123 host 81.145.193.50 eq isakmp
access-list 101 permit esp host 123.123.123.123 host 81.145.193.50
access-list 101 permit ahp host 123.123.123.123 host 81.145.193.50
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit udp host 111.111.111.111 host 81.145.193.50 eq non500-isakmp
access-list 101 permit udp host 111.111.111.111 host 81.145.193.50 eq isakmp
access-list 101 permit esp host 111.111.111.111 host 81.145.193.50
access-list 101 permit ahp host 111.111.111.111 host 81.145.193.50
access-list 101 permit udp host 8.8.8.8 eq domain host 81.145.193.50
access-list 101 permit tcp any host 81.145.193.50 eq 3389
access-list 101 permit tcp 195.90.96.0 0.0.1.255 host 81.145.193.50 eq smtp
access-list 101 permit tcp host 217.37.118.109 host 81.145.193.50 eq 3390
access-list 101 deny ip 192.168.99.0 0.0.0.255 any
access-list 101 permit icmp any host 81.145.193.50 echo-reply
access-list 101 permit icmp any host 81.145.193.50 time-exceeded
access-list 101 permit icmp any host 81.145.193.50 unreachable
access-list 101 permit tcp any host 81.145.193.50 eq 443
access-list 101 permit tcp any host 81.145.193.50 eq 22
access-list 101 permit tcp any host 81.145.193.50 eq cmd
access-list 101 permit tcp any host 81.145.193.50 eq 4443
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark MeadowbankRoad
access-list 103 permit ip 192.168.99.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.99.0 0.0.0.255 192.168.101.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner motd ^CC
My Banner
^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-05-2012 04:44 AM
Ok, so now you will have to configure a ZFW?
-------------------------------
There are two class-maps left from a previous ZFW configuration in the config:
class-map type inspect match-any ccp-cls-icmp-access
class-map type inspect match-any ccp-cls-insp-traffic
They aren't used anywhere, but if you will start from scratch you might as well remove them.
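A way to find such remnants without reading the whole config by eye, as an added example that is not part of this thread and not CCP's own logic: a Python script that parses a running-config, separates the Classic firewall (CBAC) `ip inspect` lines from the Zone-Based Policy Firewall objects (class-maps, policy-maps, zones, zone-pairs), flags the ZPF objects that nothing references, and builds the `no ...` commands that delete them in an order where each object is already unreferenced when it goes. The two sample configs inside it are constructed: a cut-down version of the posted config, and a ZPF-only one to show that referenced objects are left alone. The line patterns are the usual IOS ZPF syntax; any other form your IOS prints is an assumption to check against your own `show running-config`.

```python
"""Find Zone-Based Policy Firewall (ZPF) objects left beside a Classic (CBAC)
firewall in an IOS config and build `no ...` lines for the unreferenced ones.
Added example, not from the thread; the sample configs below are constructed."""
import re

# Constructed excerpt modelled on the posted config. The forum stripped the
# indentation, so the parser keys on keywords, not on leading spaces.
SAMPLE_MIXED = """\
ip inspect name CCP_LOW tcp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
interface FastEthernet4
ip inspect CCP_LOW out
"""

# Constructed ZPF-only config: everything is referenced except zone "unused".
SAMPLE_ZPF = """\
class-map type inspect match-any in-to-out-cls
policy-map type inspect in-to-out-pol
class type inspect in-to-out-cls
zone security inside
zone security outside
zone security unused
zone-pair security in-out source inside destination outside
service-policy type inspect in-to-out-pol
interface Vlan1
zone-member security inside
"""

# Lines that define a ZPF object. Class/policy-maps may carry a Layer-7 protocol
# token ("class-map type inspect http match-any X"); "no " + the line removes it.
DEFINITIONS = {
    "class-map": re.compile(r"^class-map type inspect(?: (?!match-(?:any|all)\b)\S+)?(?: match-(?:any|all))? (?P<name>\S+)$"),
    "policy-map": re.compile(r"^policy-map type inspect(?: \S+)? (?P<name>\S+)$"),
    "zone": re.compile(r"^zone security (?P<name>\S+)$"),
    "zone-pair": re.compile(r"^zone-pair security (?P<name>\S+) source \S+ destination \S+$"),
}
# Lines that reference a ZPF object; a zone-pair keeps both of its zones in use.
REFERENCES = {
    "class-map": [re.compile(r"^class type inspect(?: \S+)? (?P<name>\S+)$")],
    "policy-map": [re.compile(r"^service-policy type inspect (?P<name>\S+)$")],
    "zone": [re.compile(r"^zone-member security (?P<name>\S+)$"),
             re.compile(r"^zone-pair security \S+ source (?P<name>\S+) destination \S+$"),
             re.compile(r"^zone-pair security \S+ source \S+ destination (?P<name>\S+)$")],
}
# Classic firewall (CBAC) markers: rule definition and per-interface use.
CBAC_RULE = re.compile(r"^ip inspect name (?P<name>\S+) \S+")
CBAC_APPLY = re.compile(r"^ip inspect (?P<name>\S+) (?P<dir>in|out)$")


def audit(config_text):
    """Collect CBAC and ZPF state; orphans are ZPF objects nothing references."""
    defined = {kind: {} for kind in DEFINITIONS}        # kind -> name -> line
    referenced = {kind: set() for kind in DEFINITIONS}  # kind -> names in use
    cbac_rules, cbac_applied = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        for kind, rx in DEFINITIONS.items():
            m = rx.match(line)
            if m:
                defined[kind][m.group("name")] = line
        for kind, rxs in REFERENCES.items():
            for rx in rxs:
                m = rx.match(line)
                if m:
                    referenced[kind].add(m.group("name"))
        m = CBAC_RULE.match(line)
        if m:
            cbac_rules.add(m.group("name"))
        m = CBAC_APPLY.match(line)
        if m:
            cbac_applied.append((m.group("name"), m.group("dir")))
    # Zone-pairs are the enforcement point and are never listed as orphans: if
    # one exists the router really runs ZPF and removal needs a plan, not a script.
    orphans = [(kind, name) for kind in ("policy-map", "class-map", "zone")
               for name in sorted(defined[kind]) if name not in referenced[kind]]
    return {
        "cbac_rules": sorted(cbac_rules),
        "cbac_applied": cbac_applied,
        "zone_pairs": sorted(defined["zone-pair"]),
        "orphans": orphans,
        "definitions": {(k, n): l for k in defined for n, l in defined[k].items()},
    }


def classify(report):
    """What CCP sees: classic only, zone-based only, or both at once."""
    cbac = bool(report["cbac_rules"] or report["cbac_applied"])
    zpf = bool(report["definitions"])
    if cbac and zpf:
        return "mixed"  # the state that makes CCP refuse to manage the ZPF
    return "classic" if cbac else ("zone-based" if zpf else "none")


def removal_commands(report):
    """`no ...` lines for the orphans, policy-maps before class-maps before zones."""
    return ["no " + report["definitions"][key] for key in report["orphans"]]
```

Feed it the text of `show running-config` rather than a hand-typed excerpt. Apply the printed `no` lines from configuration mode, and on a box you reach over the WAN set `reload in 10` first and `reload cancel` once you can confirm you are still connected, so a mistake cannot lock you out over the bank holiday weekend. Afterwards `show running-config | include type inspect|zone` should come back empty, which is the state the CCP message is asking for before it will offer the zone-based wizard again.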
05-05-2012 03:31 AM
The message is self-explanatory: either you have ZFW and CBAC configured or you have CBAC (Classic firewall) configured, and you have CBAC.
So what do you want help with?
05-05-2012 04:11 AM
I realise what the message says. I can configure the firewall using CLI when I need to. However I have colleagues that find it easier to use CCP.
My point is that I could configure the classic firewall using CCP but now I cannot. The message says to delete classic entries (which is all of them). I could start to take a more aggressive approach by deleting, using the CLI, all entries relating to the firewall (classic or zone), which would not only risk me cutting myself off on a bank holiday weekend, but also risk disrupting the customer.
The assistance I require (only being a CCENT and all) is to help identify where the zone firewall remnants are in the config that need removing.
I could of course start the config again, but would like to avoid any disruption.
05-16-2012 01:17 AM
Thank-you. Solved my problem and can now use CCP.