WCCP Redirection on ASA

Unanswered Question
Apr 19th, 2010

I am not able to get WCCP working on the ASA (with Websense).  How does the ASA know the IP address of the websense box as I am unable to see it in the configuration?

Below is what I have configured.  My clients go out to the internet but are not redirected to the websense proxy

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

Internal proxy (websense) 1.1.1.1

Internal network 1.1.1.1/24

ASA configuration

ACL applied to inside interface

access-list inside_in line 4 extended permit tcp 1.1.1.0 255.255.255.0 any eq ssh
access-list inside_in line 5 extended permit tcp 1.1.1.0 255.255.255.0 any eq ftp

access-list inside_in line 6 extended permit tcp 1.1.1.0 255.255.255.0 any eq https
access-list inside_in line 7 extended permit tcp 1.1.1.0 255.255.255.0 any eq www
access-list inside_in line 8 extended permit ip host 1.1.1.1 any

WCCP traffic for redirection
access-list WS-HTTP line 1 extended deny ip host 1.1.1.1 any
access-list WS-HTTP line 2 extended permit tcp any any eq www

WCCP config

wccp web-cache redirect-list WS-HTTP
wccp interface inside web-cache redirect in

networker99 Mon, 04/19/2010 - 06:00

No, I am trying to use WCCP to redirect to Websense server, not use URL filtering

Jennifer Halim Mon, 04/19/2010 - 06:27

I believe with websense, after it receives the GRE encapsulated packets from ASA (as part of the redirection), it will send a reply back to the ASA instead of directly to the host. ASA only supports unidirectional GRE, i.e. from ASA towards websense, and will not understand the reply sent back by the Websense server.

Hence, wccp integration between ASA and websense is unfortunately not supported. You can use a router instead to redirect the traffic towards the websense server.

Here is the WCCP supported configuration on ASA for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html

Hope that helps.

pkampana Mon, 04/19/2010 - 06:55

If websense responds to the ASA that redirects the traffic, it will not work.

The triangle host to ASA, ASA to redirect server, server to host has to happen for it to work.

I hope it helps,


PK

networker99 Mon, 04/19/2010 - 07:05

Web traffic goes to the ASA, the ASA redirects it to the Websense box which should then send it back to the ASA via the websense proxy IP. But "show wccp" shows no packets being redirected.

pkampana Mon, 04/19/2010 - 07:22

Start by checking if we have detected the wccp engine.

And also if the redirect ACL has hitcounts on it.

Also wccp debugs could show something interesting maybe.

Still if websense wccp will send to the ASA and not to the host, even fixing the redirect issue will not work in the end.

PK

networker99 Mon, 04/19/2010 - 07:26

Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WS-HTTP
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

How do you tell the asa about the cache engine?

pkampana Mon, 04/19/2010 - 07:45

They find each other through broadcast wccp messages.

Probably they can't communicate and the ASA doesn't see the engine.

Enable wccp event debugs to try to see what is happening, check if the ASA is directly connected with the engine.

PK

networker99 Mon, 04/19/2010 - 09:07

All the debug shows...

Here_I_Am packet from 1.1.1.1: no such service

pkampana Mon, 04/19/2010 - 09:47

Probably websense is advertising a service that is not service id 80 web-cache that the ASA is expecting.

PK

Jennifer Halim Mon, 04/19/2010 - 14:34

As advised earlier, websense and ASA integration is not supported since websense normally sends a reply back to ASA unless websense has recently changed their behaviour.

Do you still want to pursue this even though it is not supported?

BTW, in regards to redirection, you would need to check with websense what service-id they are using. Currently you configure it as web-cache, and you would need to change it to service-id instead that websense uses.

networker99 Mon, 04/19/2010 - 16:55

How can it not be supported? Then what is the point of WCCP redirection???  I am not using URL filtering, I am trying to configure WCCP redirection.  The issue appears to be the cache engine is not being detected by the ASA

bobb Mon, 07/12/2010 - 10:30

It appears the service group is not registered with the ASA.

Websense uses service group 0 (http) and 70 (https) by default. While web-cache should be service group 0, I suggest using 0 as the service group number. Once the proxy has registered with the ASA, the proxy's IP address should show up.

Other items to check for a service group not registering:

- Is UDP port 2048 open between the proxy and ASA (for WCCP messages)? (Debug implies this is working.)

- Is the router ID of the ASA routable?  (i.e. can the proxy ping the router id)

As for the return issue, I am not sure which return is in question. If the WCCP return (for bypassed packets in the case of a non-proxy site or load shedding), those will be presented to the ASA via L2 (ip forwarding in some contexts) by Websense and that needs to be reviewed in the design to prevent a loop.
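The symptoms discussed in this thread (router identifier "-not yet determined-", zero cache engines, a redirect list with no hits, and the "Here_I_Am ... no such service" debug line) can be recognised mechanically. The script below is an added example, not code from the thread or from Cisco or Websense: it parses the "show wccp" output quoted above and the debug line, and reports which of the checks the replies mention are failing. The sample input is the page's own output; the finding codes and hint text are the example's own invention.

```python
import re

# Sample "show wccp" output and debug line, copied from the posts above and
# embedded here as constructed test input for the diagnostic.
SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WS-HTTP
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

DEBUG_LINES = [
    "Here_I_Am packet from 1.1.1.1: no such service",
]

# A Here_I_Am for a service the ASA has not configured means the proxy reached
# the ASA on UDP/2048 but advertises a different service ID.
HERE_I_AM_RE = re.compile(r"Here_I_Am packet from (\S+): no such service")


def parse_show_wccp(text):
    """Parse 'show wccp' into {'router_id': str|None, 'services': {name: {field: value}}}."""
    result = {"router_id": None, "services": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Router Identifier":
            result["router_id"] = value
        elif key == "Service Identifier":
            current = value
            result["services"][current] = {}
        elif current is not None and value:
            result["services"][current][key] = value
    return result


def diagnose(show_output, debug_lines):
    """Return a list of (code, hint) findings for the registration problems discussed above."""
    info = parse_show_wccp(show_output)
    findings = []
    if info["router_id"] in (None, "-not yet determined-"):
        findings.append(("router-id-undetermined",
                         "no cache engine has completed WCCP registration, so no router ID was elected"))
    for name, fields in info["services"].items():
        engines = fields.get("Number of Cache Engines", "0")
        if engines == "0":
            findings.append((f"no-cache-engine:{name}",
                             f"nothing registered for service '{name}': check UDP/2048 between proxy and ASA "
                             f"and that the proxy advertises this service ID"))
        elif fields.get("Total Packets Redirected") == "0":
            # Engine is registered but nothing matched: look at the redirect-list hit counts.
            findings.append((f"no-redirects:{name}",
                             f"engine registered but redirect-list {fields.get('Redirect access-list')} has no hits"))
    for line in debug_lines:
        m = HERE_I_AM_RE.search(line)
        if m:
            findings.append((f"service-mismatch:{m.group(1)}",
                             f"proxy {m.group(1)} reaches the ASA but advertises a service ID the ASA is not "
                             f"configured for; configure 'wccp <service-id>' to match the proxy"))
    return findings


if __name__ == "__main__":
    for code, hint in diagnose(SHOW_WCCP, DEBUG_LINES):
        print(f"{code}: {hint}")
```

Run against the thread's own output it reports all three conditions at once; the "service-mismatch" finding is the one that points at the fix bobb suggests, since the debug line proves the control traffic itself arrives.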

Posted April 19, 2010 at 5:43 AM