Can someone help clarify some things? I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not available then I want to redirect it to another "backup" proxy, but when looking at the WCCP settings in ASDM and the CLI commands I don't see where you configure a second address to redirect to. How does this failover actually work?
Great, that explains it, thanks. From what I'm reading about the ASA WCCP implementation, the client and the "proxy" have to both be reachable on the same interface as WCCP. You can't redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct?
In this case, what if the "proxy" is on another VLAN that is still on the same interface, is that OK?
What if the "proxy" is on another subnet, maybe even a different location? Is it still OK provided that it is reached via the same interface the original request was received on?
Also, one more thing: I read that there has to be a rule permitting the traffic for WCCP to intercept it. Is that correct? So that would mean if I want to redirect all traffic from host A out to the internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host but there must also be a rule saying Host A on ANY port has a permit to the internet? That seems risky to me; if your "proxy" goes down won't it just then allow the traffic out? I would not want that.
Same interface in this case means same instance of interface (as seen in "show nameif").
You are also correct on the ACL issue. ACLs ARE processed before WCCP.
An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic is not redirected to a cache engine. Both ingress interface access lists and egress interface access lists are applied.
But that actually helps you address a situation where users could access the internet without WCCP present.
On the outside interface in egress direction you can DENY any tcp/80 traffic unless it's coming from one of the proxies.
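The arrangement described in this reply, written out as an ASA configuration sketch. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the object-group and ACL names, the 10.1.1.0/24 client subnet, the two proxy addresses and the interface names `inside` and `outside` are all constructed assumptions.

```text
! Added example; all names and addresses below are constructed.
! Assumes ASA 8.3 or later (interface ACLs match real, untranslated addresses)
! and that the clients and both proxies sit behind the interface named "inside".

object-group network WEB-PROXIES
 network-object host 10.1.1.10
 network-object host 10.1.1.11

! Which cache engines may register with the ASA.
access-list WCCP-SERVERS extended permit ip object-group WEB-PROXIES any

! What gets redirected: never the proxies' own requests, only client HTTP.
access-list WCCP-REDIRECT extended deny ip object-group WEB-PROXIES any
access-list WCCP-REDIRECT extended permit tcp 10.1.1.0 255.255.255.0 any eq www

wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS
wccp interface inside web-cache redirect in

! Egress filter on outside: HTTP leaves only when it is sourced from a proxy,
! so client HTTP that was not redirected is dropped instead of going direct.
access-list OUTSIDE-EGRESS extended permit tcp object-group WEB-PROXIES any eq www
access-list OUTSIDE-EGRESS extended deny tcp any any eq www log
! Placeholder for the rest of the egress policy. An outbound ACL ends in an
! implicit deny, so any other traffic that should leave must be listed.
access-list OUTSIDE-EGRESS extended permit ip any any
access-group OUTSIDE-EGRESS out interface outside
```

The ingress ACL on `inside` still has to permit the clients' HTTP, since traffic the ingress ACL denies is never handed to WCCP.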