NAT and WCCP in Branch Office

Unanswered Question
Aug 17th, 2010

Hello,

I have been looking for information relating to the configuration of WCCP in relation to standard client-side NAT of private addresses. The NAT order of operations gives some indication of how it works, but I am wondering if there are any recommended guidelines to ensure NAT and WCCP function correctly, with the desired outcome being that both non-NAT and NATed traffic is accelerated.

I have attached a diagram for reference.

In Scenario 1.

Redirection is WCCP GRE/IP Forwarding,

The WAE is on its own subnet.

A redirection list only redirects traffic between the DC and the BO public range (including NAT global) on the WAN interface (in and out).

Internal public non-NAT'ed traffic shows up in the connection statistics as optimized, but the NAT global addresses show up on the DC WAE as "PT no Peer".

In Scenario 2.

Redirection out of the WAN interface is moved to (in) the LAN interface of the router and the redirect ACL is expanded to include ANY-DC, DC-ANY (including the private 172.x.x.x/xx range).

This breaks NAT. I assume because WCCP occurs before NAT (inside-outside).

From the information I have found I guess

1. Redirection should be outbound in one direction (WAN interface) if IP CEF is enabled?

2. The WAE interface should be in NAT inside and the redirect ACL include the private inside range?

Thanks for any advice.

Bhavin Yadav Fri, 08/27/2010 - 12:07

Hi,

I was trying to look for an answer to your question and this is the best I found to help you address your issue. I am not sure whether this will resolve your problem but defining proper order of IOS commands will certainly help here.

For general reference, the usual Cisco IOS Software order of operation on software-based platforms is noted below:

Inside to outside:
1. decryption
2. input ACL
3. inspect
4. routing
5. WCCP
6. Network Address Translation (NAT) inside to outside
7. crypto (check map and mark for encryption)
8. output ACL
9. inspect

Outside to inside:
1. decryption
2. input ACL
3. inspect
4. NAT outside to inside
5. WCCP
6. routing
7. crypto (check map and mark for encryption)
8. output ACL
9. inspect

If you follow the NAT'ing rule above, it should work with NAT.

Regards.

PS: If this addresses the issue, please mark it as Answered.
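Added example (not part of either post and not Cisco code): a small Python model that applies the order of operations listed above to a NATed branch host, showing which address a WCCP redirect ACL would be compared against in each direction. The addresses, the static NAT mapping and all function names are constructed for illustration, and the model assumes nothing beyond the stage order as listed in the reply.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addressing (documentation ranges, not from the thread).
NAT_MAP = {"172.16.10.5": "198.51.100.5"}   # inside local -> inside global
DC_HOST = "203.0.113.20"                     # data-centre server

# Redirect ACLs as (source network, destination network) permit entries.
ACL_GLOBAL = [("198.51.100.0/24", "203.0.113.0/24"),
              ("203.0.113.0/24", "198.51.100.0/24")]   # public/NAT global range
ACL_LOCAL = [("172.16.10.0/24", "203.0.113.0/24"),
             ("203.0.113.0/24", "172.16.10.0/24")]     # private inside range

# Relative position of WCCP and NAT, taken from the list in the reply above.
ORDER = {"inside_to_outside": ["wccp", "nat"],
         "outside_to_inside": ["nat", "wccp"]}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def nat(pkt, direction):
    """Translate source on the way out, destination on the way in."""
    if direction == "inside_to_outside":
        return replace(pkt, src=NAT_MAP.get(pkt.src, pkt.src))
    to_local = {g: l for l, g in NAT_MAP.items()}
    return replace(pkt, dst=to_local.get(pkt.dst, pkt.dst))

def acl_permits(acl, pkt):
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)

def wccp_redirects(acl, pkt, direction):
    """Walk the stages in order; return (redirected?, packet as WCCP sees it)."""
    for stage in ORDER[direction]:
        if stage == "nat":
            pkt = nat(pkt, direction)
        else:
            return acl_permits(acl, pkt), pkt

if __name__ == "__main__":
    flows = [("inside_to_outside", Packet("172.16.10.5", DC_HOST)),
             ("outside_to_inside", Packet(DC_HOST, "198.51.100.5"))]
    for name, acl in (("ACL_GLOBAL", ACL_GLOBAL), ("ACL_LOCAL", ACL_LOCAL)):
        for direction, pkt in flows:
            hit, seen = wccp_redirects(acl, pkt, direction)
            print(f"{name:10} {direction:17} WCCP sees {seen.src} -> {seen.dst}: "
                  f"{'redirect' if hit else 'no match'}")
```

Under the listed order, the NATed host is presented to WCCP with its private address in both directions, so in this model only the ACL written against the inside range matches it.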

charindso Wed, 09/01/2010 - 04:40

Thanks Bhavin for the reply.

I had looked at the NAT order of operation which does give some indication of how the config should be. If WCCP occurs before NAT then configuring redirection on the LAN side interface and configuring the WAE interface as NAT inside may work. I will test further but thanks.
