04-19-2010 05:43 AM - edited 03-11-2019 10:34 AM
I am not able to get WCCP working on the ASA (with Websense). How does the ASA know the IP address of the websense box as I am unable to see it in the configuration?
Below is what I have configured. My clients go out to the internet but are not redirected to the websense proxy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
Internal proxy (websense) 1.1.1.1
Internal network 1.1.1.1/24
ASA configuration
ACL applied to inside interface
access-list inside_in line 4 extended permit tcp 1.1.1.0 255.255.255.0 any eq ssh
access-list inside_in line 5 extended permit tcp 1.1.1.0 255.255.255.0 any eq ftp
access-list inside_in line 6 extended permit tcp 1.1.1.0 255.255.255.0 any eq https
access-list inside_in line 7 extended permit tcp 1.1.1.0 255.255.255.0 any eq www
access-list inside_in line 8 extended permit ip host 1.1.1.1 any
WCCP traffic for redirection
access-list WS-HTTP line 1 extended deny ip host 1.1.1.1 any
access-list WS-HTTP line 2 extended permit tcp any any eq www
WCCP config
wccp web-cache redirect-list WS-HTTP
wccp interface inside web-cache redirect in
04-19-2010 05:57 AM
Are you trying to configure URL Filtering to Websense server?
Here is the configuration that you need:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692
Hope that helps.
04-19-2010 06:00 AM
No, I am trying to use WCCP to redirect to Websense server, not use URL filtering
04-19-2010 06:27 AM
I believe with websense, after it receives the GRE encapsulated packets from ASA (as part of the redirection), it will send a reply back to the ASA instead of directly to the host. ASA only supports unidirectional GRE, ie: from ASA towards websense, and will not understand the reply sent back by the Websense server.
Hence, wccp integration between ASA and websense is unfortunately not supported. You can use a router instead to redirect the traffic towards websense server.
Here is the WCCP supported configuration on ASA for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html
Hope that helps.
04-19-2010 06:55 AM
If websense responds to the ASA that redirects the traffic, it will not work.
The triangle host to ASA, ASA to redirect server, server to host has to happen for it to work.
I hope it helps,
PK
04-19-2010 07:05 AM
Webtraffic goes to the ASA, the ASA redirects it to the Websense box which should then send it back to the ASA via the websense proxy IP. But "show wccp" shows no packets being redirected.
04-19-2010 07:22 AM
Start by checking if we have detected the wccp engine.
And also if the redirect ACL has hitcounts on it.
Also wccp debugs could show something interesting maybe.
Still if websense wccp will send to the ASA and not to the host, even fixing the redirect issue will not work in the end.
PK
04-19-2010 07:26 AM
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WS-HTTP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
How do you tell the asa about the cache engine?
04-19-2010 07:45 AM
They find each other through broadcast wccp messages.
Probably they can't communicate and the ASA doesn't see the engine.
Enable wccp event debugs to try to see what is happening, check if the ASA is directly connected with the engine.
PK
04-19-2010 08:05 AM
So if they broadcast, they need to be in the same VLAN?
04-19-2010 09:07 AM
All the debug shows...
Here_I_Am packet from 1.1.1.1: no such service
04-19-2010 09:47 AM
Probably websense is advertising a service that is not service id 80 web-cache that the ASA is expecting.
PK
04-19-2010 01:08 PM
Any other way to troubleshoot this?
04-19-2010 02:34 PM
As advised earlier, websense and ASA integration is not supported since websense normally sends a reply back to ASA unless websense has recently changed their behaviour.
Do you still want to pursue this even though it is not supported?
BTW, in regards to redirection, you would need to check with websense what service-id they are using. Currently you configure it as web-cache, and you would need to change it to the service-id that websense uses instead.
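Added example, not part of any reply in this thread: the "no such service" debug line and the service-id advice above can be checked by decoding the Service Info component of a captured WCCPv2 Here_I_Am message (UDP port 2048 payload) and comparing the advertised service with the one on the ASA's `wccp` lines. The field layout follows the WCCP v2 protocol specification; the sample packet is constructed here, and its service ID 90 is an arbitrary placeholder, not a value known to be used by Websense.

```python
import struct

# Constants from the WCCP v2 protocol specification
WCCP2_HERE_I_AM = 10        # message type sent by the cache engine
WCCP2_SERVICE_INFO = 1      # component that carries the service definition
SERVICE_TYPES = {0: "standard", 1: "dynamic"}

def build_here_i_am(service_type, service_id, ports=()):
    """Build a minimal Here_I_Am payload (constructed sample data only)."""
    sec = struct.pack("!HHI", 0, 4, 0)             # Security Info, no authentication
    padded = list(ports) + [0] * (8 - len(ports))  # the port list is always 8 entries
    svc_body = struct.pack("!BBBBI8H", service_type, service_id,
                           0, 6 if ports else 0, 0, *padded)
    svc = struct.pack("!HH", WCCP2_SERVICE_INFO, len(svc_body)) + svc_body
    body = sec + svc
    return struct.pack("!IHH", WCCP2_HERE_I_AM, 0x0200, len(body)) + body

def decode_service(payload):
    """Return (service type, service ID, ports) advertised in a Here_I_Am payload."""
    if len(payload) < 8:
        raise ValueError("truncated WCCP header")
    msg_type, _version, length = struct.unpack_from("!IHH", payload, 0)
    if msg_type != WCCP2_HERE_I_AM:
        raise ValueError("not a Here_I_Am message (type %d)" % msg_type)
    end = min(len(payload), 8 + length)
    off = 8
    while off + 4 <= end:                          # walk the type/length components
        ctype, clen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + clen > end:
            raise ValueError("truncated component")
        if ctype == WCCP2_SERVICE_INFO:
            if clen < 24:
                raise ValueError("short Service Info component")
            stype, sid, _prio, _proto, _flags = struct.unpack_from("!BBBBI", payload, off)
            ports = [p for p in struct.unpack_from("!8H", payload, off + 8) if p]
            return SERVICE_TYPES.get(stype, "unknown"), sid, ports
        off += clen
    raise ValueError("no Service Info component found")

if __name__ == "__main__":
    sample = build_here_i_am(1, 90, (80,))         # constructed: dynamic service, placeholder ID
    print(decode_service(sample))
```

If the decoded type and ID differ from the service configured on the ASA, the ASA has no matching service group to join the engine to, which is consistent with the debug message quoted in the thread.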
04-19-2010 04:55 PM
How can it not be supported? Then what is the point of WCCP redirection??? I am not using URL filtering, I am trying to configure WCCP redirection. The issue appears to be the cache engine is not being detected by the ASA.