ASA: WCCP step by step configuration

Apr 23, 2015 1:17 PM
Aug 15th, 2010

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1002608

Prerequisite

The ASA must be running at least version 7.2.1 code to support the WCCP feature.

Limitations

  1. The only topology the adaptive security appliance supports is one where the client and the cache engine are behind the same interface of the adaptive security appliance, and the cache engine can communicate directly with the client without going through the adaptive security appliance.
  2. The Router ID is the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, the WCCP server must have a route to that Router-ID address that points at the ASA interface it is connected to.

Topology

[Topology diagram: wccp-topo.png]

How WCCP works

  • The PC makes a request to a website.
  • The ASA receives the request and redirects it to the WCCP server (the cache engine) inside a GRE-encapsulated packet, so the original packet is not modified.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration

1. Configure an access-list containing all members of the WCCP server group.

There is only one WCCP server in this example.

ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any

2. Create an access-list of the traffic that needs to be redirected to WCCP.

The access-list argument is a string of no more than 64 characters (a name or number) that identifies the access list. The access list should contain only network addresses; port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any

3. Enable WCCP

ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic

4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines.

ASA(config)#wccp interface inside web-cache redirect in

5. Enable WCCP redirection of native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider which service IDs they support. A service number can be any value between 0 and 254.

ASA(config)#wccp interface inside service 60 redirect in

Final Configuration Section:

access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
!
access-list wccp-servers extended permit ip host 192.168.6.10 any
!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
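Added example (Python, not part of the original document or Cisco's code): a checker that parses access-list lines in the form shown above, evaluates a sample flow against the redirect-list with the ASA's first-match semantics, and flags the two redirect-list mistakes this page warns about, port-specific entries and a broad deny placed above the permits it shadows. The sample ACLs are constructed; 203.0.113.5 is a documentation address, and the flow/host values are assumptions for the demonstration.

```python
"""Check an ASA WCCP redirect-list the way the ASA evaluates it: first match wins.
Added example, not part of the original document; sample configuration is constructed."""
import ipaddress
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_specific: bool         # an 'eq <port>' qualifier was present
    raw: str


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NETWORK NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Drop an 'eq <port>' qualifier if present and report that it was there."""
    if tokens and tokens[0] == "eq":
        return tokens[2:], True
    return tokens, False


def parse_acl(config_text, name):
    """Return the ACEs of access-list <name> in configured order (remarks skipped)."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        src, rest = _take_addr(m.group("rest").split())
        rest, src_port = _take_port(rest)
        dst, rest = _take_addr(rest)
        rest, dst_port = _take_port(rest)
        aces.append(Ace(m.group("action"), m.group("proto"), src, dst,
                        src_port or dst_port, line.strip()))
    return aces


def _covers(outer, inner):
    """True when ACE 'outer' matches every packet that ACE 'inner' matches."""
    proto_ok = outer.protocol == "ip" or outer.protocol == inner.protocol
    return proto_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)


def would_redirect(aces, protocol, src_ip, dst_ip):
    """First matching ACE decides; no match is the implicit deny (no redirect)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.protocol in ("ip", protocol) and src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def lint(aces):
    """Findings a reviewer would raise against a WCCP redirect-list."""
    findings = []
    for i, ace in enumerate(aces):
        if ace.port_specific:
            findings.append(f"ACE {i + 1}: port-specific entries are not supported: {ace.raw}")
        for earlier in aces[:i]:
            if earlier.action != ace.action and _covers(earlier, ace):
                findings.append(f"ACE {i + 1} is shadowed by an earlier {earlier.action}: {ace.raw}")
                break
    return findings


# Constructed sample: the redirect-list from this document (network addresses only).
GOOD_CONFIG = """
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-servers extended permit ip host 192.168.6.10 any
"""

# Constructed sample modelled on the misordered list discussed in the comments:
# 'deny ip any any' above the permits, and the permits carry 'eq www'.
BAD_CONFIG = """
access-list wccp-users remark proxy access
access-list wccp-users extended deny ip any any
access-list wccp-users extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18 eq www
access-list wccp-users extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18 eq www
"""

if __name__ == "__main__":
    good = parse_acl(GOOD_CONFIG, "wccp-traffic")
    print("wccp-traffic redirects:", would_redirect(good, "tcp", "192.168.6.25", "203.0.113.5"))
    bad = parse_acl(BAD_CONFIG, "wccp-users")
    print("wccp-users redirects:", would_redirect(bad, "tcp", "192.168.1.50", "192.168.1.18"))
    for finding in lint(bad):
        print(" -", finding)
```

Run it against the output of "show run access-list <name>" pasted into a file; the shadowing check is what catches the "deny ip any any above the permit" problem raised later in the comments, and the port check catches entries such as "eq www" that a redirect-list must not contain.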

Show commands and debugs:

show wccp web-cache

show wccp interface

debug wccp event

debug wccp packets
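Added example (Python, not from the original document or from Cisco): it parses the counter block that "show wccp" prints, in the layout the comments below quote, and turns the troubleshooting reasoning from the thread into checks. The sample output is constructed; the router ID 192.0.2.1 is a documentation address. The bypass rule reflects WCCP's meaning of a bypassed packet (one the cache engine hands back to the ASA for normal forwarding), which the thread asks about but does not answer.

```python
"""Triage 'show wccp <service>' counters on an ASA.
Added example, not part of the original document; the sample output is constructed."""
import re

# Constructed sample modelled on the output quoted in the comments.
SAMPLE_SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.0.2.1
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-users
        Total Connections Denied Redirect:   52208
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*):\s+(?P<val>\S.*?)\s*$")


def parse_show_wccp(text):
    """Return every 'key: value' line as a dict entry; counters become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            val = m.group("val")
            fields[m.group("key")] = int(val) if val.isdigit() else val
    return fields


def diagnose(fields):
    """List the likely cause for each unhealthy counter combination (empty list = healthy)."""
    findings = []
    group_acl = fields.get("Group access-list", "?")
    redirected = fields.get("Total Packets Redirected", 0)
    denied = fields.get("Total Connections Denied Redirect", 0)
    bypassed = fields.get("Total Bypassed Packets Received", 0)
    if fields.get("Number of Cache Engines", 0) == 0:
        findings.append(f"no cache engine has joined the service group: check group-list {group_acl} "
                        "and that the engine sits behind the redirect interface")
    if fields.get("Total Authentication failures", 0) > 0:
        findings.append("authentication failures: the WCCP service-group password differs "
                        "between the ASA and the cache engine")
    if fields.get("Total Messages Denied to Group", 0) > 0:
        findings.append(f"cache-engine messages rejected by group-list {group_acl}")
    if denied > 0 and redirected == 0:
        findings.append(f"every connection hit a deny in redirect-list {fields.get('Redirect access-list', '?')}: "
                        "check ACE order (a deny above the permits shadows them)")
    if redirected > 0 and bypassed == redirected:
        findings.append("the cache engine returned every redirected packet as bypassed: "
                        "it is not serving this service")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_show_wccp(SAMPLE_SHOW_WCCP)):
        print("-", finding)
```

Paste the output of "show wccp web-cache" or "show wccp <service>" in place of the sample; a healthy service shows an empty finding list, and "Total Connections Denied Redirect" climbing while "Total Packets Redirected" stays at zero is the signature of a redirect-list problem rather than a cache-engine problem.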

sjanke@asgr Wed, 01/09/2013 - 09:50

I suspect that to exclude a host from being redirected by WCCP you would add a "deny" ACE to the ACL wccp-servers?

Jouni Forss Wed, 01/09/2013 - 09:54

Hi,

Yes, you should add source or destination networks as "deny" ACL rules on the "wccp-traffic" ACL.

Be sure to add them at the top of the ACL so they apply to the traffic before the "permit ip any any" type rules.

- Jouni

sjanke@asgr Wed, 01/09/2013 - 10:43

You are the best, thanks for the reply.

csco12434455 Fri, 04/03/2015 - 03:58

hi,

Please, I have a small problem denying some IP addresses from being cached on my cache box. I used my cache box to block many websites on my inside network 192.168.1.0/24, but I want to permit a few IP addresses to have access to those websites by doing this on my ASA firewall.

access-list wccp-users line 2 extended deny tcp host 192.168.1.77 host 192.168.1.18 eq www
access-list wccp-users line 3 extended deny tcp host 192.168.1.18 host 192.168.1.77 eq www
access-list wccp-users line 4 extended deny tcp host 192.168.1.18 host 192.168.1.81 eq www
access-list wccp-users line 5 extended deny tcp host 192.168.1.81 host 192.168.1.18 eq www
access-list wccp-users line 6 extended permit tcp 172.168.1.0 255.255.255.0 any eq www
access-list wccp-users line 7 extended permit ip 172.168.1.0 255.255.255.0 any
access-list wccp-users line 8 extended permit ip any any
omsasa(config)#access-list wccp-server extended permit ip host 192.168.1.18 any

my cache box ip is 192.168.1.18.

After my configuration, the cache box still denies those two IP addresses (192.168.1.77 and 192.168.1.81) access to those blocked websites. Please, I need help getting this problem solved. My aim is to see that these two IP addresses are not cached by the cache box. Thanks.
junaidboss Fri, 04/10/2015 - 21:54

Hi Team,

Could you please explain this more.

I got to know that "In redirect-list, the access list should only contain network addresses. Port-specific entries are not supported."

Which means that if you have port-specific entries in the ACL then this would not work.

But I did this for my client and have also seen many examples of the same, and it works fine.

If we do not define port-specific entries in the ACL then WCCP will unnecessarily redirect all the traffic towards the WSA, which is of no use.

Can someone please explain it in more detail.
atunin Thu, 04/11/2013 - 07:01

Hi!

Can asa support two wccp groups in same direction on the same interface ?

lalainaconnectic Thu, 10/17/2013 - 02:07

Hi;

I tested WCCP on my ASA, and when I run the show command:

ASA-INTERNET-DRC# sh wccp web-cache

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            149
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     149

Why do Total Bypassed Packets Received and Total Packets Redirected have the same value?

Thank.

Lalaina

shariq.riazi Sun, 01/19/2014 - 22:41

I have two WCCP servers, but only one works at a time and the other doesn't. Do I have to do any special configuration on the firewall? Does it support multiple servers in the same WCCP group?

tabdulla Sun, 04/27/2014 - 03:57

WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_wccp.html#wp1002608
Shiva Prasad Mon, 06/30/2014 - 07:48

How do I configure the ASA so that all TCP and all UDP traffic is redirected to the WCCP server, instead of just web-cache?

Cheers,

Shiva

nanijjar Wed, 08/13/2014 - 16:03

Hi,

I have two WSA S680s and am wondering if the ASA can use both for HA or load balance between the two WSAs.

Thanks,

Nav

csco12434455 Tue, 10/21/2014 - 04:00

Hi, thanks for the information, but I think my own topology is different. I have the ASA firewall, which is connected to the outside interface, and a Cisco router connected to the inside interface of my ASA with the subnet 192.168.5.0/30; my inside network behind the router is 192.168.1.0/24. The cache engine is in the same subnet as my inside network. After configuring WCCP on the ASA, this is what I got, and it can't redirect to the cache engine. Please, I need someone to help me. Do I need to do any configuration on the router, or further configuration on the ASA, before it will redirect HTTP and HTTPS?

omsasa(config)# sh wccp 90

Global WCCP information:
    Router information:
        Router Identifier:                   217.14.85.227
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-users
        Total Connections Denied Redirect:   52208
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

omsasa(config)# sh wccp 70

Global WCCP information:
    Router information:
        Router Identifier:                   217.14.85.227
        Protocol Version:                    2.0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-able
        Total Connections Denied Redirect:   27836
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

This is my wccp configuration on my ASA

omsasa(config)# sh run wccp
wccp 70 redirect-list wccp-able group-list wccp-server
wccp 90 redirect-list wccp-users group-list wccp-server
wccp interface inside 70 redirect in
wccp interface inside 90 redirect in

omsasa(config)# sh run access-list wccp-users
access-list wccp-users remark bypass proxy
access-list wccp-users remark proxy access
access-list wccp-users extended deny ip any any
access-list wccp-users extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18  eq www
access-list wccp-users extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18  eq www

omsasa(config)# sh run access-list wccp-able
access-list wccp-able remark bypass proxy
access-list wccp-able remark proxy access
access-list wccp-able extended deny ip any any
access-list wccp-able extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18 eq https
access-list wccp-able extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18 eq https

Vibhor Amrodia Tue, 10/21/2014 - 04:11

Hi,

All the packets are being denied the Redirection as you can see using this counter:-

Total Connections Denied Redirect:  

This is due to the Redirect ACL with deny ip any any above the allow ACE.

Move the permit ACE above this and that should resolve this issue.

Thanks and Regards,

Vibhor Amrodia

rikherlaar Sun, 11/23/2014 - 08:27

Hi,

The accompanying topology is not very clear, to be honest, and your definition of WCCP seems inaccurate to me, because the ASA acts as the server and the cache engine, proxy, WAE etc. is the client.

I also suggest you move your PCs one or two hops behind a campus switch to make it more realistic. The drawing seems to suggest the client PCs need to be on the same segment as the inside interface of the ASA, which is not true to the best of my knowledge; only the WCCP client and server (respectively WAE/WSA and ASA) need to adhere to that requirement.

It would also be good to explain that the ASA does everything in software (it can only handle GRE outgoing and return, not L2) and is therefore not a suitable platform for sizable designs. In our experience, around 8000 GRE sessions is about the upper limit; can you confirm this?

regards

/R

expertadvisor20151 Sat, 01/24/2015 - 13:37

Cisco has a new solution called ITD, which is much superior to WCCP.

Please see the blog: ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k

For example, here is a comparison of ITD with WCCP on Nexus switches:

Feature/Benefit                                                              | N7k WCCP          | N7k ITD
---------------------------------------------------------------------------- | ----------------- | --------------
Appliance is unaware of the protocol                                         | No                | Yes
Protocol support                                                             | IPv4              | IPv4, IPv6
Number of TCAM entries (say, 100 SVI, 8 nodes, 20 ACEs)                      | Very High (16000) | Very low (160)
Weighted load-balancing                                                      | No                | Yes
User can specify which bits to use for load-balancing                        | No                | Yes
Number of nodes                                                              | 32                | 256
Support for IPSLA probes                                                     | No                | Yes
Support for Virtual IP                                                       | No                | Yes
Support for L4-port load-balancing                                           | No                | Yes
Capability to choose src or dest IP for load-balancing                       | No                | Yes
Customer support needs to look at switch only, or both the switch and appliance | Both           | Switch only
Supervisor CPU Overhead                                                      | High              | None
DCNM Support                                                                 | No                | Yes

Robert Rowland III Wed, 04/01/2015 - 11:09

EA,

  ITD -might- be a great solution, but the documentation is abysmal which renders it unusable.

rikherlaar Thu, 04/23/2015 - 13:17

I would agree - I didn't see much documentation explaining a one-on-one replacement model for WCCP. Obviously this is beyond the scope of ASA to start with but even so...

The numbers shown above look impressive but it would be nicer to see the "source" and a link to a decent Deployment / Implementation Guide.

fabasoft-534 Tue, 04/21/2015 - 00:07

Hi, you are wrong. In the context of WCCP the ASA is the WCCP server and the cache engine is the WCCP client.

br Fritz

Posted August 15, 2010 at 3:23 PM
Updated November 9, 2010 at 8:54 AM