Cisco Support Community
Community Member

wccp re-positioning on a network.

We need some help in a discussion we are having about WCCP and where it needs to be to work right. Also note that I have never done WCCP on the ASA yet, so I am not sure if this will work. Here is the concept.


--- DMZ

--- DMZ2

--- Inside

Above is our current layout. WCCP resides internally on the inside interface on a router just after the ASA inside interface. It works fine for users on the inside network but misses the VPN users terminated on the ASA /3030 outside interface. Thus the problem at hand. WCCP misses these users because they validate the tunnel and then just go right out to the internet.

So here are the solutions we have come up with so far. Nothing in stone.

I----RTR---SW---ASA--- CVPN3030

This is the classical way that I can think of that will work, placing the WCCP at the new switch with an outside interface. This places the WCCP server in harm's way to be hacked, but will catch the VPN users. There is one other option, but I am not sure it will work, and this is where I need help.


Could I do the URL redirect to this port on the firewall, catch the VPN users, and the users inside too? And then people can go out to the internet? This will semi-protect the WCCP server too, right? Thanks.

Cisco Employee

Re: wccp re-positioning on a network.

You can configure WCCP on the ASA and this WILL cover the users who U-Turn off the ASA and go out to the internet in addition to all the users who are already on the inside.


Here is the documentation link to configure WCCP on the ASA.
