Can someone help clarify some things? I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not available then I want to redirect it to another "backup" proxy, but when looking at the WCCP settings in ASDM and the CLI commands I don't see where you configure a second address to redirect to. How does this failover actually work?
Great, that explains it, thanks. From what I'm reading about the ASA WCCP implementation, the client and the "proxy" have to both be reachable on the same interface as WCCP. You can't redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct?
In this case what if the "proxy" is on another vlan that is still on the same interface, is that ok?
What if the "proxy" is on another subnet, maybe even a different location? Is it still ok provided that it is reached via the same interface the original request was received on?
Also, one more thing: I read that there has to be a rule permitting the traffic for WCCP to intercept it. Is that correct? So that would mean if I want to redirect all traffic from host A out to the internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host, but there must also be a rule saying Host A on ANY port has a permit to the internet? That seems risky to me; if your "proxy" goes down won't it just then allow the traffic out? I would not want that.
Same interface in this case means same instance of interface (as seen in "show nameif").
You are also correct on the ACL issue. ACLs ARE processed before WCCP.
An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic is not redirected to a cache engine. Both ingress interface access lists and egress interface access lists are applied.
But that actually helps you address a situation where users could access the internet without WCCP present.
On the outside interface in egress direction you can DENY any tcp/80 traffic unless it's coming from one of the proxies.
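The arrangement discussed in this thread, sketched as ASA configuration (an added example, not posted by either participant). All ACL names and addresses are constructed: two proxies at 192.168.10.10 and 192.168.10.11, and host A at 192.168.10.50, all reached through the `inside` interface.

```cisco
! Constructed example: names and addresses are assumptions, not from the thread.

! Proxies allowed to register with the ASA as WCCP web caches.
! No redirect target address is configured on the ASA itself.
access-list WCCP_SERVERS extended permit ip host 192.168.10.10 any
access-list WCCP_SERVERS extended permit ip host 192.168.10.11 any

! Traffic that WCCP should redirect: host A's HTTP requests.
access-list WCCP_REDIRECT extended permit tcp host 192.168.10.50 any eq www

wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_SERVERS
wccp interface inside web-cache redirect in

! Ingress ACL is evaluated before WCCP, so the flow must be permitted here
! or it is never redirected.
access-list INSIDE_IN extended permit tcp host 192.168.10.50 any eq www
access-list INSIDE_IN extended permit tcp host 192.168.10.10 any eq www
access-list INSIDE_IN extended permit tcp host 192.168.10.11 any eq www
access-group INSIDE_IN in interface inside

! Egress ACL on outside: only the proxies may leave on tcp/80.
! If no proxy is redirecting, host A's direct HTTP is dropped and logged here
! instead of reaching the internet.
access-list OUTSIDE_OUT extended permit tcp host 192.168.10.10 any eq www
access-list OUTSIDE_OUT extended permit tcp host 192.168.10.11 any eq www
access-list OUTSIDE_OUT extended deny tcp any any eq www log
! Assumption: other outbound traffic keeps its existing policy.
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
```

`show wccp` and the hit counters in `show access-list OUTSIDE_OUT` show whether redirection is active and whether the deny entry is catching direct HTTP.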