I have a 6500 core switch and FWSM deployed. We use the inside interface (VLAN 19) on the Internet firewall as the WCCP outbound interface. We have several DMZ zones on this firewall, and we also have other DMZ servers on other firewalls. HTTP or HTTPS requests would be redirected to the Bluecoat when any internal or DMZ host accesses the Internet, but HTTP or HTTPS requests would not be redirected when internal hosts or DMZ servers on the non-Internet firewalls access DMZ servers on the Internet firewall. So I use a redirect-list to meet this requirement. The WCCP configuration on our core switch is:
ip wccp web-cache redirect-list 120
ip wccp 10 redirect-list 120
!
interface Vlan19
 description *** Internet-Inside ***
 ip address 172.29.19.1 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp 10 redirect out
!
access-list 120 deny ip 172.16.0.0 0.0.255.255 10.129.64.0 0.0.15.255
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.129.64.0 0.0.15.255
access-list 120 deny ip 172.29.0.0 0.0.255.255 10.129.64.0 0.0.15.255
access-list 120 deny ip 10.111.0.0 0.0.255.255 10.129.64.0 0.0.15.255
access-list 120 deny ip 10.129.80.0 0.0.15.255 10.129.64.0 0.0.15.255
access-list 120 deny ip 10.129.96.0 0.0.7.255 10.129.64.0 0.0.15.255
access-list 120 permit ip any any
The source IP addresses cover all internal subnets and the DMZ subnets of the non-Internet firewalls. The destination IP address is the DMZ subnet of the Internet firewall.
But when we tried to access a DMZ server (10.129.72.26) from an internal host (172.29.101.11), I found the traffic was already being redirected to the BC. It should match the ACL entry "access-list 120 deny ip 172.29.0.0 0.0.255.255 10.129.64.0 0.0.15.255", but it did not; I saw it match the "permit any any" entry. Could you give me some clue? I would appreciate it!
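The following is an added example, not part of the post above: a small Python model of how an IOS numbered ACL evaluates a packet against wildcard masks (a 0 bit must match, a 1 bit is "don't care"), with first-match-wins ordering and the implicit deny at the end. It loads access-list 120 exactly as posted and evaluates the flow in question, 172.29.101.11 to 10.129.72.26, plus a few constructed addresses (203.0.113.10 from the TEST-NET-3 documentation range, and 10.129.80.1 / 10.129.100.5 as boundary cases) that are not from the post. For a WCCP redirect-list, "permit" means the packet is offered to the cache and "deny" means it is forwarded normally.

```python
import ipaddress

# access-list 120 as posted, in order. Each entry is
# (action, src_base, src_wildcard, dst_base, dst_wildcard).
# "any" is written as 0.0.0.0 with an all-ones wildcard.
ACL_120 = [
    ("deny",   "172.16.0.0",  "0.0.255.255", "10.129.64.0", "0.0.15.255"),
    ("deny",   "172.17.0.0",  "0.0.255.255", "10.129.64.0", "0.0.15.255"),
    ("deny",   "172.29.0.0",  "0.0.255.255", "10.129.64.0", "0.0.15.255"),
    ("deny",   "10.111.0.0",  "0.0.255.255", "10.129.64.0", "0.0.15.255"),
    ("deny",   "10.129.80.0", "0.0.15.255",  "10.129.64.0", "0.0.15.255"),
    ("deny",   "10.129.96.0", "0.0.7.255",   "10.129.64.0", "0.0.15.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored,
    bits set to 0 must equal the corresponding bit of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str):
    """Walk the ACL top-down; the first entry whose source AND destination
    both match decides the result. Returns (1-based entry index, action).
    A packet that matches nothing hits the implicit deny (index None)."""
    for idx, (action, s_base, s_wc, d_base, d_wc) in enumerate(acl, start=1):
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return idx, action
    return None, "deny"


def wccp_redirected(acl, src: str, dst: str) -> bool:
    """For a WCCP redirect-list, only packets the ACL permits are redirected
    to the cache; denied (or implicitly denied) packets are forwarded normally."""
    _, action = evaluate(acl, src, dst)
    return action == "permit"


if __name__ == "__main__":
    flows = [
        ("172.29.101.11", "10.129.72.26"),   # the flow from the post
        ("172.29.101.11", "203.0.113.10"),   # constructed: internal host to Internet
        ("10.129.100.5",  "10.129.70.1"),    # constructed: 10.129.96.0/21 DMZ to 10.129.64.0/20 DMZ
        ("172.29.1.1",    "10.129.80.1"),    # constructed: destination just outside 10.129.64.0/20
    ]
    for src, dst in flows:
        idx, action = evaluate(ACL_120, src, dst)
        print(f"{src:>15} -> {dst:<14} entry {idx}: {action:<6} "
              f"redirected={wccp_redirected(ACL_120, src, dst)}")
```

Run as-is, the model reports that 172.29.101.11 to 10.129.72.26 matches entry 3 (deny) and is not redirected, because 10.129.72.26 masked with 0.0.15.255 yields 10.129.64.0. The ACL entries themselves therefore do what the post intends; the useful conclusion for troubleshooting is that the redirect seen on the switch is not explained by the wildcard logic of the list, so the investigation has to move to how the platform applies the redirect-list to that interface rather than to the ACL text.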