ASA: WCCP step by step configuration

Aug 15, 2010 3:23 PM

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1002608

Prerequisite

The ASA must be running at least 7.2.1 code to be able to configure the WCCP feature.

Limitations

  1. The only topology that the adaptive security appliance supports is one where the client and the cache engine are behind the same interface of the adaptive security appliance and the cache engine can communicate directly with the client without going through the adaptive security appliance.
  2. The Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server must have a route to that Router-ID address pointing at the ASA's interface.

Topology

(Topology diagram: wccp-topo.png)

How WCCP works

  • The PC makes a request to a website.
  • The ASA receives the request and redirects it to the WCCP server inside a GRE-encapsulated packet, so the original packet is not modified.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration

1. Configure an access-list containing all WCCP servers (cache engines) in the group.

There is only one WCCP server in this example.

ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any

2. Create an access-list of the traffic that needs to be redirected to WCCP.

The access-list argument should be a string of no more than 64 characters (name or number) that specifies the access list. The access list should only contain network addresses; port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any

3. Enable WCCP

ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic

4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines.

ASA(config)#wccp interface inside web-cache redirect in

5. Enable WCCP to redirect native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider which service IDs they support. A service number can be anywhere between 0 and 254.

ASA(config)#wccp interface inside service 60 redirect in

Final Configuration Section:

access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
!
access-list wccp-servers extended permit ip host 192.168.6.10 any
!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
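The following is an added example, not part of the original document and not a Cisco tool: a small offline checker for a saved WCCP configuration fragment. It applies the rules the steps above state (the redirect-list may only contain network addresses, and every interface redirect should refer to a service defined by a global `wccp` line, since that line is what attaches the redirect-list and group-list) and also flags a service enabled without a group-list, because the group-list is what limits which hosts may register as cache engines. The function names `parse_config` and `check_wccp_config` and the sample text are assumptions made for this example; the sample is the document's final configuration plus the step 5 interface line and one deliberately port-specific ACE so that there is something to report.

```python
"""Offline sanity check of an ASA WCCP configuration fragment.

Hypothetical helper written for this document (not a Cisco tool); it only
reads saved configuration text and never touches a device. It reports:
  - a service enabled without a group-list (any host could register as a
    cache engine and receive the redirected traffic)
  - redirect-list entries with port qualifiers (only network addresses
    are supported)
  - an interface redirect for a service that has no global "wccp" line in
    the fragment, so no redirect-list or group-list applies to it
"""
import re

# Constructed sample: the document's final configuration, the step 5
# interface line, and one port-specific ACE added so there is something to flag.
SAMPLE_CONFIG = """\
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-traffic extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
!
access-list wccp-servers extended permit ip host 192.168.6.10 any
!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
wccp interface inside service 60 redirect in
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.+)$")
IFACE_RE = re.compile(
    r"^wccp\s+interface\s+(\S+)\s+(?:service\s+)?(web-cache|\d+)\s+redirect\s+(in|out)$")
SERVICE_RE = re.compile(r"^wccp\s+(web-cache|\d+)\b\s*(.*)$")
OPTION_RE = re.compile(r"(redirect-list|group-list|password)\s+(\S+)")
PORT_RE = re.compile(r"\b(eq|gt|lt|neq|range)\s+\S+")


def parse_config(text):
    """Split a fragment into ACL entries, global WCCP services and
    per-interface redirects."""
    acls, services, redirects = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = IFACE_RE.match(line)
        if m:
            redirects.append(m.groups())  # (interface, service, direction)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = dict(OPTION_RE.findall(m.group(2)))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls, services, redirects


def check_wccp_config(text):
    """Return a list of human-readable findings (an empty list means clean)."""
    acls, services, redirects = parse_config(text)
    findings = []
    for svc, opts in services.items():
        if "group-list" not in opts:
            findings.append(f"service {svc}: no group-list, any host may register as a cache engine")
        for key in ("redirect-list", "group-list"):
            name = opts.get(key)
            if name is None:
                continue
            if name not in acls:
                findings.append(f"service {svc}: {key} {name} is not defined")
            elif key == "redirect-list":
                for action, body in acls[name]:
                    if PORT_RE.search(body):
                        findings.append(f"ACL {name}: port-specific entry not supported: {action} {body}")
    for iface, svc, direction in redirects:
        if svc not in services:
            findings.append(f"interface {iface}: service {svc} redirected {direction} "
                            f"but no global 'wccp {svc}' line defines it")
    return findings


if __name__ == "__main__":
    for finding in check_wccp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the `eq 80` entry in wccp-traffic and the service 60 redirect with no matching global line. Feed it the text of `show running-config | include wccp|access-list` from a device and it answers the same questions for a real configuration.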

Show commands and debugs:

show wccp web-cache
show wccp interface
debug wccp event
debug wccp packets


Comments

sjanke@asgr Wed, 01/09/2013 - 09:50

I suspect that to exclude a host from being redirected by WCCP you would add a "deny" ACE to the ACL wccp-servers?

Jouni Forss Wed, 01/09/2013 - 09:54 (reply to sjanke@asgr)

Hi,

Yes, you should add source or destination networks as "deny" ACL rules on the "wccp-traffic" ACL.

Be sure to add them at the top of the ACL so they apply to the traffic before the "permit ip any any" type rules.

- Jouni

atunin Thu, 04/11/2013 - 07:01

Hi!

Can the ASA support two WCCP groups in the same direction on the same interface?

lalainaconnectic Thu, 10/17/2013 - 02:07

Hi;

I test WCCP on my ASA, and when I do the show:

ASA-INTERNET-DRC# sh wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            149
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     149

Why do the Total Bypassed Packets Received and Total Packets Redirected have the same value?

Thanks.

Lalaina

shariq.riazi Sun, 01/19/2014 - 22:41

I have two WCCP servers, but at a time only one works and the other doesn't. Do I have to do special configuration on the firewall? Does it support multiple servers in the same WCCP group?
