This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
The ASA must be running at least version 7.2.1 code to configure the WCCP feature.
- The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
- The Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server must have a route to that Router ID address pointing to the ASA's interface.
How WCCP works
- PC makes a request to a website.
- The ASA receives the request and redirects it to the WCCP server in a GRE-encapsulated packet to avoid any modifications to the original packet.
- The WCCP server receives the packet and sends the response directly to the PC.
Step by Step Configuration
1. Configure an access-list containing all members of WCCP servers.
There is only one WCCP server in this example.
ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any
2. Create an access-list of the traffic that needs to be redirected to WCCP.
The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list. The access list should only contain network addresses. Port-specific entries are not supported.
ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any
3. Enable WCCP
ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic
4. Enable WCCP redirection on the inside interface
The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines.
ASA(config)#wccp interface inside web-cache redirect in
5. Enable WCCP redirection of native FTP traffic to a cache engine, using service 60
Check with the WCCP provider which service IDs they support. You can identify a service number between 0 and 254.
ASA(config)#wccp interface inside service 60 redirect in
Final Configuration Section:
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-servers extended permit ip host 192.168.6.10 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
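
A small lint for the constraints listed in the steps above (redirect-list name length, no port-specific redirect entries, service number range, referenced access lists present), run over the final configuration. This is an added example, not part of the original guide or any Cisco tooling; the function name lint_wccp, the BAD_CONFIG lines and the set of port operators checked are assumptions made for the illustration.

```python
# Added example: lint WCCP lines against the constraints stated on this page.
PAGE_CONFIG = """\
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-servers extended permit ip host 192.168.6.10 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
"""
# Constructed bad input (not from the page): a port-specific redirect entry,
# an out-of-range service number and a group-list ACL that is never defined.
BAD_CONFIG = PAGE_CONFIG + """\
access-list wccp-traffic extended permit tcp 192.168.6.0 255.255.255.0 any eq 8080
wccp 300 redirect-list wccp-traffic group-list missing-acl
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}  # ASA ACL port operators


def lint_wccp(config):
    """Return findings for global 'wccp <service> ...' lines in config."""
    acls, findings = {}, []
    rows = [line.split() for line in config.splitlines() if line.strip()]
    for tok in rows:  # first pass: collect ACL entries by name
        if tok[0] == "access-list" and len(tok) > 2:
            acls.setdefault(tok[1], []).append(tok[2:])
    for tok in rows:  # second pass: global service lines, not 'wccp interface'
        if tok[0] != "wccp" or len(tok) < 2 or tok[1] == "interface":
            continue
        svc = tok[1]
        if svc != "web-cache" and not (svc.isdigit() and int(svc) <= 254):
            findings.append(f"wccp {svc}: service must be web-cache or 0-254")
        opts = dict(zip(tok[2::2], tok[3::2]))  # keyword -> ACL name
        for kw in ("redirect-list", "group-list"):
            if kw in opts and opts[kw] not in acls:
                findings.append(f"wccp {svc}: {kw} {opts[kw]} is not defined")
        redirect = opts.get("redirect-list", "")
        if len(redirect) > 64:
            findings.append(f"wccp {svc}: redirect-list name exceeds 64 chars")
        for entry in acls.get(redirect, []):
            if PORT_OPS & set(entry):  # page: port-specific entries unsupported
                findings.append(f"wccp {svc}: port-specific redirect-list "
                                f"entry: {' '.join(entry)}")
    return findings


if __name__ == "__main__":
    for finding in lint_wccp(BAD_CONFIG):
        print(finding)
```

The page's own final configuration produces no findings; the constructed variant produces one finding per violated constraint for each service line that references the affected access list.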
Show commands and debugs:
show wccp web-cache
show wccp interface
debug wccp event
debug wccp packets