ASA 5520 VPN users with WCCP redirection to IronPort

rwharris13 (Level 1)

I have a 5520 ASA using WCCP redirection to our IronPorts on the inside, and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and filter their traffic through the IronPorts as well, but I can't figure out how. When they connect they seem to bypass the IronPort completely.


Dennis Mink (VIP Alumni)

Include the config, mate.

Please remember to rate useful posts, by clicking on the stars below.

Hi,

We have a few setups with ASA and Ironport.

To my understanding, you would have to have a separate device for VPN and have the VPN users' web traffic come to the main ASA through the same interface as the LAN users.

The Cisco ASA material states the following:

The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA.

There's also a possibility to use a router in front of your ASA to handle the WCCP, but this would mean that you need to use different public IPs for all the different groups behind your firewall so you can create separate rules for them.

- Jouni
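To make the topology constraint quoted above concrete, here is an added illustration (not config from the original poster or from Jouni) of the form a working ASA WCCP setup takes for LAN users, and why traffic from remote-access VPN clients never reaches the redirect. All names and addresses are assumptions: the IronPort at 10.1.1.5, the LAN at 10.1.0.0/16, the VPN address pool at 10.200.0.0/24, and service group 90.

```cisco
! --- Added example, assumed addressing (see lead-in) ---
! Which cache engines (IronPorts) may join the WCCP service group.
access-list WCCP_SERVERS extended permit ip host 10.1.1.5 any

! Which client traffic is redirected. Only LAN sources are listed;
! the VPN pool (10.200.0.0/24) is deliberately NOT here, and even if it
! were, it would not help (see the interface statement below).
access-list WCCP_REDIRECT extended permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list WCCP_REDIRECT extended permit tcp 10.1.0.0 255.255.0.0 any eq https

! Service group 90 (dynamic service), bound to the group and redirect lists.
wccp 90 redirect-list WCCP_REDIRECT group-list WCCP_SERVERS

! The ASA only supports ingress ("redirect in") redirection, and it is
! bound to ONE interface. Packets from LAN clients arrive on "inside" and
! are redirected; the IronPort on the same segment can reply to them
! directly, which is exactly the topology the Cisco text requires.
wccp interface inside 90 redirect in

! Remote-access VPN clients decapsulate on "outside", so their web traffic
! enters the ASA on a different interface and is never evaluated by the
! "inside" redirect. The IronPort also cannot reach a VPN client directly,
! so the supported topology is violated. This hairpin statement lets VPN
! clients reach the Internet through the ASA without split tunneling, but
! their HTTP/HTTPS still bypasses the proxy:
same-security-traffic permit intra-interface
```

The practical check is `show wccp 90 detail` on the ASA: if the IronPort shows as a usable router/cache pair but the redirect counters only rise for LAN hosts while VPN clients browse, the VPN traffic is taking the path described in the comments, not a broken WCCP association.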

Jouni, thank you. So if I'm understanding you correctly, you have multiple ASAs for your setup, one where VPN users authenticate and then connect to the inside interface of a second ASA that has WCCP redirection?

Hi,

I'm only dealing with a few networks which have Ironport. And the setups are very simple.

All but one of those networks have had a separate device for VPN even before the Ironport was introduced to the network.

  • One setup has the Ironport set up together with the ASA. VPN termination is handled in a separate device and all Internet/Web traffic of VPN users is routed out of the main ASAs.
  • One setup has an ASA and a router in front of it which handles the WCCP. The ASA uses different public NAT address ranges for different internal users and with those address ranges rules are applied on the Ironport. To my understanding, to be able to use the ASA in this scenario we would have had to do big changes regarding the setup between the ASAs and the internal network.
  • And one of our setups simply has the Ironport working only for LAN traffic. VPN users' Web traffic isn't going through the Ironport.

I'm not the best person to talk about this subject as I just do simple managing of the Ironports and have not really set them up myself.

You could also ask in the Ironport section of these Security forums. Maybe someone reading that section might be able to give you a more thorough explanation of your possibilities regarding the VPN users and WCCP.

- Jouni
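The second setup Jouni describes (a router in front of the ASA doing the WCCP, with the ASA handing each user group a distinct public NAT address so the proxy can tell them apart) can be sketched as follows. This is an added example and not config from either of these networks; the addresses, interface names and service group number are assumptions: LAN 10.1.0.0/16 NATted to 203.0.113.10, VPN pool 10.200.0.0/24 NATted to 203.0.113.11, the IronPort at 203.0.113.5 on the segment between router and ASA, and WCCP service group 90.

```cisco
! ===== ASA (8.3+ NAT syntax), added example with assumed addressing =====
! Needed so VPN clients can hairpin back out "outside" without split tunneling.
same-security-traffic permit intra-interface

! LAN users leave the firewall as one public address...
object network LAN_USERS
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic 203.0.113.10

! ...and VPN clients leave as a different one. Both groups now reach the
! router on the same interface, which satisfies the "same interface" rule
! on the device that actually performs the redirect (the router).
object network VPN_POOL
 subnet 10.200.0.0 255.255.255.0
 nat (outside,outside) dynamic 203.0.113.11

! ===== IOS router in front of the ASA, added example =====
! Only the two NAT addresses are candidates for redirection; the IronPort
! itself must be excluded or its own outbound fetches would loop back to it.
ip access-list extended WCCP_REDIRECT
 deny   ip host 203.0.113.5 any
 permit tcp host 203.0.113.10 any eq www
 permit tcp host 203.0.113.10 any eq 443
 permit tcp host 203.0.113.11 any eq www
 permit tcp host 203.0.113.11 any eq 443
ip access-list standard WCCP_SERVERS
 permit 203.0.113.5

ip wccp 90 redirect-list WCCP_REDIRECT group-list WCCP_SERVERS

! Redirect on ingress from the ASA-facing interface. The IronPort sits on
! this same segment, so it can reply to 203.0.113.10/.11 directly.
interface GigabitEthernet0/0
 description Toward ASA outside and IronPort
 ip wccp 90 redirect in
```

Because the IronPort now sees 203.0.113.10 for LAN users and 203.0.113.11 for VPN users, its identification and access policies can be keyed on those two source addresses. The cost is the one Jouni names: the ASA's NAT and interface layout has to be reworked so that every group that needs its own proxy policy gets its own public address, and the VPN address pool must not overlap anything else that is NATted.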

Jouni, thanks again. I appreciate the input; I'll continue to search more.
