
PIX 515E - WCCP & Ports

edw
Level 1

Hi,

I am a bit stuck on the WCCP method - there seems to be very little documentation on it for PIX. The commands are different to routers. I tried this so far:

wccp web-cache redirect-list Proxy group-list ProxyWS1000

wccp interface inside web-cache redirect in

ACLs being:

access-list Proxy extended permit tcp 10.1.1.1 255.255.255.240 any eq www

access-list Proxy extended permit tcp 10.1.1.17 255.255.255.240 any eq www

access-list ProxyWS1000 extended permit tcp host 10.1.2.247 any eq www

Would this work? I'm trying to send 10.1.1.0 through the proxy before going outside. Would the IP traffic be going through their own assigned NAT pool or using the proxy static IP (i.e. as if I had configured the proxy in IE)?

Also a second question - I thought I was being secure by using an ACL such as

access-list Test extended permit tcp 10.1.1.0 255.255.255.0 eq www any eq www

But I assume that ports going out from a client are not locked to that service? I.e. port 80 requests go from port 80 to port 80?

Thanks for any help

Ed


andrew.burns
Level 7

Hi,

First check out the following for restrictions and other caveats (based on 7.2):

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f31.html#wp1094763

There are a lot of WCCP restrictions compared to what you can do on a router, so double-check your architecture - and remove the group-list as it's not necessary if there's only one server.

Note that when using HTTP it's only the destination port of 80 that is fixed - the client source port can be anything in the high port range (1024-65535), so the Test access list probably won't ever match anything.

Lastly, don't forget to check the logs - they are the most useful tool when troubleshooting!

HTH - plz rate if useful..

Andrew.
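The source-port point in the reply above, as an added example that is not part of the original thread: a small matcher for the PIX-style ACL lines quoted in the question, run against a constructed client flow. The client address 10.1.1.25, source port 49152, destination 203.0.113.10 and the `WITHOUT_SRC_PORT` variant are assumptions made for illustration.

```python
import ipaddress

PORTS = {"www": 80}  # service keyword used in the thread's ACLs

def parse_acl(line):
    """Parse 'access-list NAME extended permit tcp SRC [eq P] DST [eq P]'."""
    tok = line.split()[5:]  # drop: access-list NAME extended permit tcp

    def addr(t):
        if t[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), t[1:]
        if t[0] == "host":
            return ipaddress.ip_network(t[1] + "/32"), t[2:]
        # address followed by a dotted netmask
        return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

    def port(t):
        if t and t[0] == "eq":
            name = t[1]
            return (PORTS[name] if name in PORTS else int(name)), t[2:]
        return None, t  # no port operator: any port

    src, tok = addr(tok)
    sport, tok = port(tok)
    dst, tok = addr(tok)
    dport, tok = port(tok)
    return src, sport, dst, dport

def matches(acl_line, src_ip, sport, dst_ip, dport):
    """True if a TCP flow satisfies every field of the ACL entry."""
    src, a_sport, dst, a_dport = parse_acl(acl_line)
    return (ipaddress.ip_address(src_ip) in src
            and ipaddress.ip_address(dst_ip) in dst
            and a_sport in (None, sport)
            and a_dport in (None, dport))

# ACL exactly as posted in the question (source AND destination port 80).
TEST_ACL = "access-list Test extended permit tcp 10.1.1.0 255.255.255.0 eq www any eq www"
# Constructed variant with the source-port condition dropped.
WITHOUT_SRC_PORT = "access-list Test extended permit tcp 10.1.1.0 255.255.255.0 any eq www"

# Constructed flow: browser on an ephemeral source port to a web server.
FLOW = ("10.1.1.25", 49152, "203.0.113.10", 80)

if __name__ == "__main__":
    print("as posted:        ", matches(TEST_ACL, *FLOW))
    print("no source port:   ", matches(WITHOUT_SRC_PORT, *FLOW))
```
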

Hi,

Okay, I'm using a black box proxy. Will the WCCP command still work on that? If so, where do I tell it in the command where the proxy service is?

For client source ports, is this the same for all things such as FTP, SMTP, POP, etc.?

Thanks

Ed

Hi,

What I'm trying to do is divert a select group to a proxy without having to use a script?

Thanks

Ed

Hi,

WCCP requires that both devices speak WCCP - it won't work if the proxy doesn't support it.

The web-cache service only redirects tcp port 80 so if you need other services you need to define additional services - but this needs them defined on the proxy as well.

HTH

Andrew.
