
WCCP Redirection on ASA

networker99
Level 1

I am not able to get WCCP working on the ASA (with Websense).  How does the ASA know the IP address of the websense box as I am unable to see it in the configuration?

Below is what I have configured. My clients go out to the internet but are not redirected to the Websense proxy.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

Internal proxy (websense) 1.1.1.1

Internal network 1.1.1.1/24

ASA configuration

ACL applied to inside interface

access-list inside_in line 4 extended permit tcp 1.1.1.0 255.255.255.0 any eq ssh
access-list inside_in line 5 extended permit tcp 1.1.1.0 255.255.255.0 any eq ftp

access-list inside_in line 6 extended permit tcp 1.1.1.0 255.255.255.0 any eq https
access-list inside_in line 7 extended permit tcp 1.1.1.0 255.255.255.0 any eq www
access-list inside_in line 8 extended permit ip host 1.1.1.1 any

WCCP traffic for redirection
access-list WS-HTTP line 1 extended deny ip host 1.1.1.1 any
access-list WS-HTTP line 2 extended permit tcp any any eq www

WCCP config

wccp web-cache redirect-list WS-HTTP
wccp interface inside web-cache redirect in

15 Replies

Jennifer Halim
Cisco Employee

Are you trying to configure URL Filtering to Websense server?

Here is the configuration that you need:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692

Hope that helps.

No, I am trying to use WCCP to redirect to Websense server, not use URL filtering

I believe with Websense, after it receives the GRE encapsulated packets from the ASA (as part of the redirection), it will send a reply back to the ASA instead of directly to the host. The ASA only supports unidirectional GRE, i.e. from the ASA towards Websense, and will not understand the reply sent back by the Websense server.

Hence, WCCP integration between ASA and Websense is unfortunately not supported. You can use a router instead to redirect the traffic towards the Websense server.

Here is the WCCP supported configuration on ASA for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html

Hope that helps.

If Websense responds to the ASA that redirects the traffic, it will not work.

The triangle host to ASA, ASA to redirect server, server to host has to happen for it to work.

I hope it helps,


PK

Web traffic goes to the ASA, the ASA redirects it to the Websense box which should then send it back to the ASA via the Websense proxy IP. But "show wccp" shows no packets being redirected.

Start by checking if we have detected the wccp engine.

And also if the redirect ACL has hitcounts on it.

Also wccp debugs could show something interesting maybe.

Still if websense wccp will send to the ASA and not to the host, even fixing the redirect issue will not work in the end.

PK

Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WS-HTTP
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

How do you tell the asa about the cache engine?

They find each other through broadcast wccp messages.

Probably they can't communicate and the ASA doesn't see the engine.

Enable wccp event debugs to try to see what is happening, check if the ASA is directly connected with the engine.

PK

So if they broadcast, they need to be in the same VLAN?

All the debug shows...

Here_I_Am packet from 1.1.1.1: no such service

Probably websense is advertising a service that is not service id 80 web-cache that the ASA is expecting.

PK

Any other way to troubleshoot this?

As advised earlier, Websense and ASA integration is not supported since Websense normally sends a reply back to the ASA, unless Websense has recently changed their behaviour.

Do you still want to pursue this even though it is not supported?

BTW, in regards to redirection, you would need to check with Websense what service-id they are using. Currently you configure it as web-cache, and you would need to change it to the service-id that Websense uses instead.
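As an added example (not part of the thread or any poster's code): a sketch that decodes the Security Info and Service Info components of a WCCPv2 Here_I_Am payload, as captured from the cache engine on UDP port 2048, to see which service it advertises. The field layout follows the WCCP v2 Internet-Draft; the sample packet and its service ID 90 are constructed, and `asa_service_keyword` is a hypothetical helper name.

```python
import struct

HERE_I_AM = 10                        # WCCP2_HERE_I_AM message type
SECURITY_INFO, SERVICE_INFO = 0, 1    # component types

def parse_here_i_am(payload: bytes) -> dict:
    """Decode the security option and advertised service from a Here_I_Am."""
    if len(payload) < 8:
        raise ValueError("truncated WCCP message header")
    msg_type, version, length = struct.unpack_from("!IHH", payload, 0)
    if msg_type != HERE_I_AM or version != 0x0200:
        raise ValueError(f"not a WCCPv2 Here_I_Am (type={msg_type}, version={version:#x})")
    end = 8 + length                  # length excludes the 8-byte header
    if end > len(payload):
        raise ValueError("message length exceeds captured payload")
    result, off = {"security": None, "service": None}, 8
    while off + 4 <= end:
        ctype, clen = struct.unpack_from("!HH", payload, off)
        body = payload[off + 4:off + 4 + clen]
        if off + 4 + clen > end:
            raise ValueError("component runs past end of message")
        if ctype == SECURITY_INFO and clen >= 4:
            option = struct.unpack_from("!I", body)[0]
            result["security"] = "md5" if option == 1 else "none"
        elif ctype == SERVICE_INFO and clen >= 24:
            stype, sid, prio, proto, flags = struct.unpack_from("!BBBBI", body)
            ports = [p for p in struct.unpack_from("!8H", body, 8) if p]
            result["service"] = {"type": "dynamic" if stype else "standard",
                                 "id": sid, "priority": prio,
                                 "protocol": proto, "flags": flags, "ports": ports}
        off += 4 + clen
    return result

def asa_service_keyword(service: dict) -> str:
    """Service argument for the ASA `wccp` commands matching this advertisement."""
    if service["type"] == "standard" and service["id"] == 0:
        return "web-cache"            # well-known service 0
    return str(service["id"])

# Constructed sample: dynamic service 90, TCP (protocol 6), port 80, no MD5.
_components = (struct.pack("!HHI", SECURITY_INFO, 4, 0) +
               struct.pack("!HHBBBBI8H", SERVICE_INFO, 24, 1, 90, 240, 6, 0x10,
                           80, 0, 0, 0, 0, 0, 0, 0))
SAMPLE = struct.pack("!IHH", HERE_I_AM, 0x0200, len(_components)) + _components

if __name__ == "__main__":
    svc = parse_here_i_am(SAMPLE)["service"]
    print(svc, "-> wccp", asa_service_keyword(svc), "redirect-list WS-HTTP")
```

If the decoded service does not match the one configured in the `wccp ... redirect-list` and `wccp interface ... redirect in` lines, the ASA has no matching service to register the engine against. A reported security option of `md5` means the engine expects a shared password.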

How can it not be supported? Then what is the point of WCCP redirection???  I am not using URL filtering, I am trying to configure WCCP redirection.  The issue appears to be the cache engine is not being detected by the ASA
