Cisco Support Community

New Member

ASA 5520 VPN users with WCCP redirection to IronPort

I have a 5520 ASA using WCCP redirection to our IronPorts on the inside, and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and filter their traffic through the IronPorts as well, but I can't figure out how. When they connect they seem to bypass the IronPort completely.

5 REPLIES

ASA 5520 VPN users with WCCP redirection to IronPort

Include config, mate.

Super Bronze

ASA 5520 VPN users with WCCP redirection to IronPort

Hi,

We have a few setups with ASA and Ironport.

To my understanding you would have to have a separate device for VPN and have the VPN user web traffic come to the main ASA through the same interface as the LAN users.

The Cisco ASA material states the following

The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA.

There's also a possibility to use a router in front of your ASA to handle the WCCP, but this would mean that you need to use different public IPs for all the different groups behind your firewall so you can create separate rules for them.

- Jouni
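As an added illustration of the interface constraint quoted above (this is not part of the thread and not Jouni's or Cisco's configuration), the listing below shows the ASA-side WCCP setup that works for LAN users and, in the comments, why remote-access VPN traffic never reaches it. The addresses, interface names, ACL names and password are assumed for the example.

```text
! Added example, not from the original thread.
! Assumed: inside LAN 10.1.0.0/16, IronPort WSA at 10.1.1.50 on the inside
! segment, interface name "inside", WCCP group password "wccpkey".

! Which client traffic is redirected. The deny for the WSA's own address is
! a precaution so the proxy's outbound fetches are never redirected back
! to itself. The standard "web-cache" service covers TCP/80 only; HTTPS
! needs a dynamic service number advertised by the WSA.
access-list WCCP-REDIRECT extended deny   ip  host 10.1.1.50 any
access-list WCCP-REDIRECT extended permit tcp 10.1.0.0 255.255.0.0 any eq www

! Which hosts may register as cache engines. A cache engine receives every
! redirected web session, so restrict this to the known WSA.
access-list WCCP-CACHE extended permit ip host 10.1.1.50 any

! Service group. The password is MD5 authentication of WCCP messages, not
! encryption of redirected traffic.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHE password wccpkey

! Redirection is evaluated on ingress of exactly one interface (the ASA
! supports "redirect in" only). LAN clients enter on "inside", so they match.
wccp interface inside web-cache redirect in

! Why VPN users bypass the WSA: a remote-access client's decrypted packets
! enter the ASA on the outside interface, not "inside", so they never pass
! this redirect, and the WSA on the inside could not reach the client
! directly anyway (the "same interface" requirement quoted above).
! Workaround from the reply: terminate the VPN on a separate device whose
! LAN side sits behind this ASA's "inside" interface, so VPN users' web
! traffic arrives on "inside" like everyone else's.

! Verification: the WSA should appear as a registered cache engine and the
! redirect counters should increase as LAN users browse.
show wccp
show wccp web-cache detail
```

If the WSA does not show up under `show wccp`, check the group-list ACL and the password first; if it registers but counters stay at zero, the redirect-list or the interface on which `redirect in` is applied is the usual cause.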

New Member

Re: ASA 5520 VPN users with WCCP redirection to IronPort

Jouni, thank you. So if I'm understanding you correctly, you have multiple ASAs for your setup: one where VPN users authenticate, and then they connect to the inside interface of a second ASA that has WCCP redirection?

Super Bronze

ASA 5520 VPN users with WCCP redirection to IronPort

Hi,

I'm only dealing with a few networks which have Ironport. And the setups are very simple.

All but one of those networks have had a separate device for VPN even before the Ironport was introduced to the network.

  • One setup has Ironport setup together with ASA. VPN termination is handled in a separate device and all Internet/Web traffic of VPN users is routed out of the main ASAs.
  • One setup has an ASA and a router in front of it which handles the WCCP. The ASA uses different public NAT address ranges for different internal users, and with those address ranges rules are applied on the Ironport. To my understanding, to be able to use the ASA in this scenario we would have had to make big changes to the setup between the ASAs and the internal network.
  • And one of our setups simply has Ironport working only for LAN traffic. VPN users' web traffic isn't going through Ironport.

I'm not the best person to talk about this subject, as I just do simple managing of the Ironports and have not really set them up myself.

You could also ask in the Ironport section of these Security forums. Maybe someone reading that section might be able to give you a more thorough explanation of your possibilities regarding the VPN users and WCCP.

- Jouni

New Member

Re: ASA 5520 VPN users with WCCP redirection to IronPort

Jouni, thanks again. I appreciate the input; I'll continue to search more.
