Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4443
Views
0
Helpful
3
Replies

I need advice on redirecting WCCP to an Ironport on an ASA DMZ

paultribe
Level 1
Level 1

‎09-23-2009 08:19 AM - edited ‎03-11-2019 09:18 AM

My internal network is 10.10.10.0/24 which all hosts that access the Internet belong to. I have configured the internal router with WCCPv2 and the IP address is 10.10.10.1/24.

I have an Ironport S160 on an ASA DMZ network which is 192.168.10.0/24. I have configured the standard WCCP service "web-cache" on the Ironport and pointed it to the WCCPv2 router address 10.10.10.1/24

I get the message from IE "page cannot be displayed", and users cannot access the Internet. I think this may be an issue with the Ironport or the ASA. Do I have to configure WCCP on the ASA as well as the router, and what address should I point the Ironport to, the ASA or the Router?

Can anyone point me to a configuration example of what I am trying to do, which is basically use WCCPv2 to redirect web traffic to an Ironport S160, which is on a DMZ network.

I know the DMZ is accessable as users can access the Internet when the proxy server is added to the browser.

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎09-23-2009 11:33 AM

Here is the link to configuring the ASA for WCCP.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094628

WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.

As far as why the Router is not able to re-direct requests to Iron port on the ASA, you need to check the ASA to see if there is proper translation for the router to go to the dmz.

0 Helpful

paultribe
Level 1
Level 1
In response to Kureli Sankar

‎09-23-2009 11:45 AM

So does this mean that under no circumstances is it possible to use WCCP when clients are located on one ASA Security interface (inside) and the Ironport is on another (dmz), or can I still do this with no configuration on the ASA and like you have said check the ACL, and translation rules on the ASA.

Apologies for my confusion but I am new to Ironport.

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to paultribe

‎10-05-2009 02:50 PM

That means if you configure WCCP on the ASA then, we need to make sure the clients and the WCCP server are off the same interface. If you have the Iron Port unit in the DMZ, then you can only re-direct the DMZ hosts web-requests to the Iron Port unit.

If you are going to configure WCCP on a router on the inside and Iron port is on the DMZ so, long as proper translation is provided and permission for the flow is present, it should work fine. In this case the ASA will not be configured for WCCP. The flow between the inside routers and Iron port will be just like any other flow through the firewall.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card