CISCO Configuration Professional (CPP) Revival

How to get Cisco Configuration Processional (CCP) up and running as a Windows VM, now that XP and Flash are no longer available and officially "end-of-life" and CCP has also been announced as "end-of-life"

CISCO Configuration Professional (CPP) Revival

Status: 2nd Oct 2021 - Retested and verified setup since Flash was disabled in January 2021

CISCO Configuration Professional (CPP) was the last of CISCO's small IOS Router GUI Configuration Tools. It was annouced as End-of-Life in August 2016 and unsupported in January 2020. If you do a google search for alternatives then the answer is "use IOS" (the CISCO command line interface configuration language), while CISCO's recommendation is to use CISCO Configuration Professional Express. The express version of CPP is downloaded to browser via the CISCO IOS device. CCP Express has a much more constrained configuration capability and enforces a configuration set structure that may not be applicable to your network.

So for a person managing a small number or single CISCO devices but with need for flexibility in configuration neither of these two options is satisfactory. So the work around is to get CCP up and running on a Windows VM. This tip provides practical guide on getting Windows 7 with CCP VM running on Ubuntu QEMU / KVM.

CISCO Configuration Professional Environment

CPP is available as download from Cisco web site. Version 2.8 was the last available version. To run it requires:

  • Windows XP or greater
  • Adobe Flash Version 10 or greater
  • Java Runtime Version JRE 1.16.0_11 to 1.17.0_17.

Almost all of this software is end-of-life with Adobe Flash being the "last nail in the coffin". Adobe has stopped support for Flash and many of the later releases have a "time-bomb" in then which disables Flash post January 2021.

Currently, I have working VMWare VMs for Windows XP and Windows 10 that run CCP, but if I do an update of Windows 10 then it will completely remove and disable Flash. So given Adobe's determination to stop Flash use, there is little point in setting up a Windows 10 VM for use with CCP anymore.

My recommendation for setting up a "new" environment for CPP is:

  • Windows 7 (SP1) - as this installs using SATA disk, has driver for QEMU USB Touch Tablet (absolute coordinate mouse) and assuming you have license key will activate. I have found Windows XP problematic as you cannot activate it any more and Windows 10 completely disables Flash. I have tested with: 32 bit (works) & 64 bit (works)
  • Windows IE - CCP uses Window Internet Explorer and so you must have this installed. My testing was using version: 11.0.9600.19100
  • Adobe Flash - is last version of Flash without the "time-bomb" in it and can be found via "Web Archive". The Windows Flash versions come in a number of flavours: win_sa == Standalone, winax == ActiveX Control (used by IE), win == NPAPI plugin for Windows, winpep == PPAPI plugin for Windows
  • Java - I have tested with: jre-6u43 (works), jre-7u8 (fails), jre-8u301 (fails)

As I now use Ubuntu and QEMU / KVM for all my virtual machines the VM type choice is:

  • Q35 with BIOS (Windows 7 does not support UEFI boot)
  • Mouse - QEMU USB Tablet for Absolute Coordindate Cursor (ensure mouse works even when connected to machine via VNC)
  • SATA Disk - 20G should be sufficient
  • CD-ROM - for Windows Install
  • Network - e1000e PCI bus connected Intel 1G Ethernet

NOTE: Most recently I have tested with Ubuntu 20.04 with libvirt 6.0.0, QEMU 6.0.0 and hypervisor 4.2.1.

Installation and Testing

Using the above configuration I did straight forward CD-ROM (image) based VM boot and install. Then installed: Java, Flash and CCP; in running VM:

  1. Setup new VM using Virtual Machine Manager / libvirt
  2. Boot Machine from CD-ROM ISO image
  3. Install Windows 7 (choice Custom install using entire disk), install will reboot machine 3 times
  4. Install: Java, Flash and CCP
  5. Reboot
  6. Run CCP

For CCP to run correctly, ensure the following is done:

  • Allow all security requests that pop up when starting CCP, to avoid blocking anything
  • Right click on CCP and "Run as administrator" to ensure application can write to disk
  • Router discovery may not work when you select recommended "Connect Securely" option, due to expiry of self-signed certifcate. See CISCO TechNote to address this. If you choice to connect unsecurely then make sure you have done other things to avoid exposing configuration network to potential eves dropping (ie configuration network has very limited access and is private)
  • Do not allow any auto-updates of any of : Windows, Java or Flash! This has high chance of breaking working CCP and as the VM is dedicated to just running CCP, keeping it up to date is low priority.

NOTE:  If you do find that that you get a little "X" graphic in the top hand left of browser, then this indicates that CCP has been blocked. Start IE and go into "Internet options" and then into "Security" tab. Select "Trusted sites" and set to "Low" security and then add local machine to trusted site: "" & "" and disable "Require server verification (https:) for all site in this zone":

IE 11 - Trusted Sites for CCP (localhost /

You should now be able to continue using CCP to manage your router:

Running Cisco Configuration Professional on Ubuntu / QEMU / KVM Virtual Machine

As I mostly use CCP to verify Zone Based Firewall configurations. The ZBFW config takes up the largest part of my IOS configuration. These are also the most critical part of the configuration, so I still find CCP very helpful, in checking these.

So while you can configure the router via IOS CLI, it is much easier to verify the firewall rules using CCP. So pending CISCO providing an alternate, I will likely continue to use this for some time yet.

Cisco CCP - Final full PC version was 2.8 see following for: Download, Release Notes and End-of-Life Notice

Adobe Flash - hits the end of the road in January 2021, so if you try to download you will get to here: Flash End-of-Life and Adobe have shutdown the archive of prior releases. This is still available from "Web Archive", get the ActiveX version for use with Internet Explorer

NPAPI - Netscape Plugin API, is used to older Firefox version

PPAPI - Pepper Plugin API, is an enhancement of NPAPI and is used by Chrome

Window ISO Downloader - you can get Windows ISO image using HeiDoc tool. This does download from official Microsoft site. Note that you still need an valid product key to activate the license.

CISCO TechNote - "Self-Signed Certificate Expiration on Jan. 1 2020" - provides how to address expiry of self-signed certificates in older IOS routes.

tftp on Ubuntu - tftp is essential util for managing Cisco Routers, see notes below on setting this up and testing on Ubuntu

Cisco Configuration Links - all of CISCO IOSs commands are documented on line, so all these will pop up in google: DHCP, SSH, SFTP (SSH File Transfer - requires IOS 16 - Gibralter), username, basic configuration, vlans, upgrade ios sw, reset to default

Appendix - A. Trival IOS Notes

Cisco IOS is very well documented via Cisco online information. These are just my "fast start" notes, to bootstrap and backup an IOS device:

  1. Have tftp server available - as tftp provides lowest common denominator as it works with any IOS version. This is can be done via FreeBSD or Ubuntu
  2. Have serial communications available (via MacOS in my case)
  3. Configure IOS Router with: DHCP (to get IP address), ssh/telnet access
  4. Copy on/off files and configure device

To Setup tftp on Ubuntu

There are multiple tftp servers avasilable I successfully set up tftpd-hpa, which is available via apt and has server and client parts. I setup both, as having client allows testing of server:

--- Install server and client
# sudo apt isntall tftpd-hpa tftp-hpa
--- Change ownership of (default) directory
# sudo chmod -R tftp:tftp /srv/tftp
--- Check that socket is open
# netstat -an | grep 69
udp        0      0    *                          
--- Test its working using client:
tftp> verbose
Verbose mode on.
tftp> put junk.txt
Error code 1: File not found
tftp> quit
--- If you get this then you will need to update your config
---   this is in: /etc/default/tftpd-hpa
---   As I have multiple networks, I changed to:
---    -l listen (run as daemon, not off inetd)
---    -c allow new files to be created (essential...)
---    -secure (-s) change dir startup
cat /etc/default/tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_OPTIONS="-l -c --secure"

Serial Comms On MacOS

See my blog: "MacOS Big Sur & RS-232 Serial Communications" for details. In summary:

  • Start terminal
  • Find the right serial device: "ls /dev/tty*"
  • Connect via "screen": "screen /dev/tty.usbmodem14201 9600"
  • To exit: "ctl-a ctl-\"

Bootstrap Configuration of Router:

Get IP via DHCP and setup router so you can login via telnet/ssh, then you can remotely login and avoid using serials cable etc

# enable
--- show interface to get if detals
# show interface
GigabitEthernet0/0/0 is up, line protocol is up 
  Hardware is ISR4331-3x1GE, address is cc16.7e2c.e630 (bia cc16.7e2c.e630)
GigabitEthernet0/0/1 is down, line protocol is down 
  Hardware is ISR4331-3x1GE, address is cc16.7e2c.e631 (bia cc16.7e2c.e631)
GigabitEthernet0/0/2 is down, line protocol is down 
  Hardware is ISR4331-3x1GE, address is cc16.7e2c.e632 (bia cc16.7e2c.e632)
GigabitEthernet0/1/0 is down, line protocol is down (notconnect)
  Hardware is NIM-ES2-8-P, address is cc16.7e2c.e638 (bia cc16.7e2c.e638)
GigabitEthernet0/1/1 is down, line protocol is down (notconnect)
  Hardware is NIM-ES2-8-P, address is cc16.7e2c.e639 (bia cc16.7e2c.e639)
# config terminal
# interface GigabitEthernet0/0/0
(config-if)# ip dhcp
(config-if)# end
# hostname <NAME>
# ip domain-name <NAME.COM>
# crypto key zeroize rsa <<=== 0 2 4 15 30 2048 wipes prior key # crypto generate rsa ip ssh time-out seconds version aaa new-model username admin privilege password <<="=" this will store unencrypted, so fix as part of your setup line vty transport input telnet --- ok at point you should be able to remotely login router note that if are using old need tol add options ensure the encryption negotiation works or config automate get just post failure messages into google ---< code>

Copy stuff to/from Router

Now you should be able to access router and can use the following ios commands:

  • "copy <IOS_IMAGE>.bin tfp" - to copy your ios image to ftp
  • "license save <TO_FILE>.lic" - to save the license to XML file
  • "copy <LICENSE>.lic ftp" - to copy your saved license to tftp
  • "archive tar /create tftp:<YOUR_HOST>/<YOUR_TAR>.tar flash:/" - tar to tftp server the entire flash: contents

Picture: Why a "House of Cards"? - As that is what it feels like trying to keep CCP going, it is now old and highly vulnerable to changes in OS environment, Java and most recently Flash.