WCCP on ASA

Unanswered Question
Jun 12th, 2009

I'm wondering how common it is for folks to make their WCCP their external firewall. This is what our VAR recommended but I am tempted to move it back to our internal L3 switch.

We have had a few odd problems since deployment (about 3-4 weeks ago). First, although the WCCP session looks completely normal, a number of non-http applications broke until we modified the ACL to only redirect HTTP and HTTPS traffic.

Second, we have multiple sites (some as common as Hotmail) that sporadically don't work, returning 504 errors. We've had 2 or 3 support cases since deployment and have yet to come to absolute resolutions on any of them.

Are there folks out there with successful deployments such as this? What interface has been used as the peer, and is there any way to set it other than with the highest IP address? Does the identifier address matter at all?

Thanks for any insight.

Scott

jowolfer Mon, 06/15/2009 - 15:24

I can't speak for the field, but given a choice, I'd recommend doing WCCP on a router, switch, then ASA - in that order.

The WCCP code seems to be more reliable on the routers over the other devices.

I've not heard of needing to use a specific ACL to force the ASA to only send the 80 and 443 traffic.

There is no way, that I'm aware of, to change the Router ID on any of these devices. It is set to the highest configured IP at the time of bootup.

scraig84_ironport Tue, 06/16/2009 - 18:11

I moved it to our 6506 last night and things are a bit better. I noticed right away one of the differences - the switch is using L2 WCCP rather than GRE encapsulation. I also did an "any any" rather than the specific ports I had to do on the ASA and everything has been functioning well.

I don't get the impression too many people do it on the ASA and I was surprised initially when our vendor recommended that route.

Thanks for the feedback.

Scott

jaymiller5_ironport Wed, 06/17/2009 - 04:35

We have it deployed in this manner, and yes, you have to specify ports 80, 443 and 8443 for it to function properly.

KWillacey_2 Mon, 06/29/2009 - 20:40

I am new to WCCP. Can anyone give a sample config for the ASA? The setup is as follows:

Inside Network------SW----------ASA---------Internet
                    |
                    |
                  S360

! Redirect-list: "deny" = bypass the S360, "permit" = redirect to it.
! First match wins, and the implicit deny at the end means anything not
! explicitly permitted is never redirected.
! (ASA syntax is "access-list <name> extended ...", not "access-list extended <name> ...")
access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 443
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 443
access-list s360-wccp extended permit tcp any any eq 80
access-list s360-wccp extended permit tcp any any eq 443
!
! On the ASA the redirect-list is attached to the WCCP service, not to the
! interface; the interface command only enables redirection of inbound traffic.
wccp web-cache redirect-list s360-wccp
wccp interface inside web-cache redirect in

The sample network addresses are those that I do not want to be redirected. Can my configuration work? What else is needed? Thanks.

Jason_ironport Tue, 09/01/2009 - 17:15

If the switch in this scenario supports WCCP, I would use it instead of the ASA. If you must use the ASA, then make sure you are running 7.2(3) or newer code on the ASA. The configuration you listed looks fine, except the redirect-list ACL might be backwards depending on what you are trying to do.

The way the ACL is written, WCCP will ignore traffic with a destination of 192.168.20.0/24 and 192.168.97.0/24, (which may make sense if these are DMZ subnets), but if you are trying to exclude clients in these subnets from redirection, then this ACL should be flipped around. i.e. deny tcp 192.168.20.0 255.255.255.0 any eq 80.
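The source-versus-destination point in the reply above is easy to get wrong, so here is a small added example (not from the thread, not Cisco's code) that evaluates both redirect-list variants against a few constructed flows. It models the ASA redirect-list the way the reply describes it: ACEs are checked top to bottom, the first match decides, `permit` means "redirect to the cache", `deny` means "leave alone", and a flow matching nothing falls through to the implicit deny. Only `tcp` ACEs with `any`, `host` or `address mask` operands and an optional `eq port` are parsed; the sample client and server addresses are made up.

```python
"""Simulate ASA WCCP redirect-list evaluation (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" = redirect to cache, "deny" = bypass
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None = any destination port


def _parse_addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks, which is what ASA ACLs use.
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the part of an ACE after 'access-list NAME extended'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens):
        if tokens[i] != "eq":
            raise ValueError(f"unsupported port operator in: {line!r}")
        dport = int(tokens[i + 1])
    return Ace(action, src, dst, dport)


def redirects(acl_lines, src: str, dst: str, dport: int) -> bool:
    """First matching ACE decides; no match means implicit deny (not redirected)."""
    s, d = ip_address(src), ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False


# Redirect-list as posted in the thread: the deny lines match by DESTINATION.
AS_POSTED = [
    "deny tcp any 192.168.20.0 255.255.255.0 eq 80",
    "deny tcp any 192.168.97.0 255.255.255.0 eq 80",
    "deny tcp any 192.168.20.0 255.255.255.0 eq 443",
    "deny tcp any 192.168.97.0 255.255.255.0 eq 443",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
]

# Flipped variant from the reply: the deny lines match by SOURCE (exclude clients).
FLIPPED = [
    "deny tcp 192.168.20.0 255.255.255.0 any eq 80",
    "deny tcp 192.168.97.0 255.255.255.0 any eq 80",
    "deny tcp 192.168.20.0 255.255.255.0 any eq 443",
    "deny tcp 192.168.97.0 255.255.255.0 any eq 443",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
]

# Constructed flows (made-up addresses): (client, server, dport).
FLOWS = {
    "client in 192.168.20.0/24 to internet web": ("192.168.20.15", "203.0.113.10", 80),
    "other client to web server in 192.168.20.0/24": ("10.1.1.5", "192.168.20.8", 80),
    "other client to internet https": ("10.1.1.5", "203.0.113.10", 443),
    "other client to internet ssh": ("10.1.1.5", "203.0.113.10", 22),
}


def compare(flows=FLOWS):
    """Return {flow name: (redirected with AS_POSTED, redirected with FLIPPED)}."""
    return {
        name: (redirects(AS_POSTED, *flow), redirects(FLIPPED, *flow))
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    print(f"{'flow':50} posted  flipped")
    for name, (posted, flipped) in compare().items():
        print(f"{name:50} {posted!s:7} {flipped!s}")
```

Running it shows the asymmetry the reply is pointing at: with the ACL as posted, a client inside 192.168.20.0/24 browsing the Internet is still redirected, while traffic to a web server inside that subnet is not; with the flipped ACL it is the clients in that subnet that escape redirection. SSH is never redirected by either list because nothing permits port 22 and the implicit deny applies.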
