I am not able to get WCCP working on the ASA (with Websense). How does the ASA know the IP address of the websense box as I am unable to see it in the configuration?
Below is what I have configured. My clients go out to the internet but are not redirected to the Websense proxy.
Internal proxy (websense) 220.127.116.11
Internal network 18.104.22.168/24
ACL applied to inside interface
access-list inside_in line 4 extended permit tcp 22.214.171.124 255.255.255.0 any eq ssh
access-list inside_in line 5 extended permit tcp 126.96.36.199 255.255.255.0 any eq ftp
access-list inside_in line 6 extended permit tcp 188.8.131.52 255.255.255.0 any eq https
access-list inside_in line 7 extended permit tcp 184.108.40.206 255.255.255.0 any eq www
access-list inside_in line 8 extended permit ip host 220.127.116.11 any
WCCP traffic for redirection
access-list WS-HTTP line 1 extended deny ip host 18.104.22.168 any
access-list WS-HTTP line 2 extended permit tcp any any eq www
wccp web-cache redirect-list WS-HTTP
wccp interface inside web-cache redirect in
Are you trying to configure URL Filtering to Websense server?
Here is the configuration that you need:
Hope that helps.
I believe with Websense, after it receives the GRE encapsulated packets from the ASA (as part of the redirection), it will send a reply back to the ASA instead of directly to the host. The ASA only supports unidirectional GRE, i.e. from the ASA towards Websense, and will not understand the reply sent back by the Websense server.
Hence, WCCP integration between ASA and Websense is unfortunately not supported. You can use a router instead to redirect the traffic towards the Websense server.
Here is the WCCP supported configuration on ASA for your reference:
Hope that helps.
If Websense responds to the ASA that redirected the traffic, it will not work.
The triangle host to ASA, ASA to redirect server, server to host has to happen for it to work.
I hope it helps,
Web traffic goes to the ASA, the ASA redirects it to the Websense box, which should then send it back to the ASA via the Websense proxy IP. But "show wccp" shows no packets being redirected.
Start by checking if we have detected the WCCP engine.
And also if the redirect ACL has hit counts on it.
Also WCCP debugs could show something interesting, maybe.
Still if websense wccp will send to the ASA and not to the host, even fixing the redirect issue will not work in the end.
Global WCCP information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WS-HTTP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
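The "show wccp" output above is the evidence the reply relies on: the router identifier is still undetermined, no cache engine has registered, and nothing has been redirected. The following Python script is an added example, not from the thread or from Cisco, that parses that output and maps each symptom to the checks the replies suggest (UDP 2048 reachability, a routable router ID, the service ID the proxy announces). The output text is copied from the post; the second, "registered" sample is constructed by me for contrast.

```python
"""Parse Cisco ASA 'show wccp' output and flag why redirection is not happening.

Added example for the thread above; the field names are taken from the
post's own 'show wccp' output, the healthy sample and the advice strings
are constructed here.
"""

# Copied from the post: no engine has registered, nothing redirected.
SHOW_WCCP_BROKEN = """\
Global WCCP information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WS-HTTP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
"""

# Constructed sample of what a registered service group would look like
# (values are invented for illustration, not captured from any device).
SHOW_WCCP_REGISTERED = """\
Global WCCP information:
Router Identifier: 10.0.0.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 1523
Redirect access-list: WS-HTTP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
"""

# What each finding means and what the replies in the thread say to check.
ADVICE = {
    "router-id-unset": "No router ID yet: the ASA has not exchanged WCCP messages "
                       "with any engine; confirm UDP 2048 is open ASA <-> proxy.",
    "no-cache-engines": "No engine registered: check the service ID the proxy "
                        "announces matches the one configured (web-cache vs numeric).",
    "no-packets-redirected": "Nothing redirected: expected until an engine registers; "
                             "also check the redirect ACL has hit counts.",
    "auth-failures": "Authentication failures: WCCP password mismatch between ASA and proxy.",
}


def parse_show_wccp(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def diagnose(fields: dict) -> list:
    """Return an ordered list of finding codes derived from the parsed counters."""
    findings = []
    if fields.get("Router Identifier") == "-not yet determined-":
        findings.append("router-id-unset")
    if fields.get("Number of Cache Engines", "0") == "0":
        findings.append("no-cache-engines")
    if fields.get("Total Packets Redirected", "0") == "0":
        findings.append("no-packets-redirected")
    if fields.get("Total Authentication failures", "0") != "0":
        findings.append("auth-failures")
    return findings


def report(text: str) -> str:
    """Human-readable summary: one advice line per finding, or 'healthy'."""
    findings = diagnose(parse_show_wccp(text))
    if not findings:
        return "WCCP service group registered and redirecting."
    return "\n".join(f"- {ADVICE[f]}" for f in findings)


if __name__ == "__main__":
    print(report(SHOW_WCCP_BROKEN))
    print(report(SHOW_WCCP_REGISTERED))
```

Run it as-is to see the broken output from the post translated into the three checks the replies ask for; feed it the text of your own "show wccp" to get the same triage.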
How do you tell the asa about the cache engine?
They find each other through broadcast WCCP messages.
Probably they can't communicate and the ASA doesn't see the engine.
Enable WCCP event debugs to try to see what is happening, and check if the ASA is directly connected with the engine.
As advised earlier, Websense and ASA integration is not supported since Websense normally sends a reply back to the ASA, unless Websense has recently changed their behaviour.
Do you still want to pursue this even though it is not supported?
BTW, in regards to redirection, you would need to check with Websense what service ID they are using. Currently you configure it as web-cache, and you would need to change it to the service ID that Websense uses instead.
How can it not be supported? Then what is the point of WCCP redirection? I am not using URL filtering, I am trying to configure WCCP redirection. The issue appears to be that the cache engine is not being detected by the ASA.
It appears the service group is not registered with the ASA.
Websense uses service group 0 (http) and 70 (https) by default. While web-cache should be service group 0, I suggest using 0 as the service group number. Once the proxy has registered with the ASA, the proxy's IP address should show up.
Other items to check for a service group not registering:
- Is UDP port 2048 open between the proxy and ASA (for WCCP messages)? (Debug implies this is working.)
- Is the router ID of the ASA routable? (i.e. can the proxy ping the router ID?)
As for the return issue, I am not sure which return is in question. If it is the WCCP return (for bypassed packets in the case of a non-proxy site or load shedding), those will be presented to the ASA via L2 (IP forwarding in some contexts) by Websense, and that needs to be reviewed in the design to prevent a loop.
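The redirect-list in the original question (a deny entry for one host followed by "permit tcp any any eq www") and the loop warning in the last reply both come down to which flows the ASA hands to the proxy. The following Python script is an added example, not code from the thread or from Cisco: it parses ASA-style extended ACL lines and evaluates sample flows against them, so you can see that the proxy's own outbound HTTP is excluded from redirection (the deny line is what prevents the ASA from redirecting the proxy's traffic back to the proxy). The ACL and addresses here are constructed for illustration; the proxy address 10.0.0.5 is a placeholder, not the poster's.

```python
"""Evaluate ASA extended ACL entries used as a WCCP redirect-list.

Added example for the thread; it models first-match semantics with the
implicit deny at the end. Only the ACE shapes seen on the page are
supported: permit/deny, ip/tcp/udp, host/any/subnet-mask addresses,
and an optional 'eq <port>'.
"""
import ipaddress
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+(?P<rest>.+)$"
)

# Constructed redirect-list with the same shape as the poster's WS-HTTP list:
# exclude the proxy itself, then redirect all client HTTP.
REDIRECT_LIST = [
    "access-list WS-HTTP line 1 extended deny ip host 10.0.0.5 any",
    "access-list WS-HTTP line 2 extended permit tcp any any eq www",
]


def _take_addr(tokens):
    """Consume one address spec (any | host X | A.B.C.D M.M.M.M) from tokens."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if t == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # subnet-mask form, e.g. "192.0.2.0 255.255.255.0"
    return ipaddress.ip_network(f"{t}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <name|number>' qualifier; None means any port."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        p = tokens[1]
        port = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        return port, tokens[2:]
    return None, tokens


def parse_acl(lines):
    """Parse ACE lines into dicts; lines that do not match the pattern are skipped."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, tokens = _take_addr(tokens)
        dport, tokens = _take_port(tokens)
        aces.append({"name": m.group("name"), "action": m.group("action"),
                     "proto": m.group("proto"), "src": src, "sport": sport,
                     "dst": dst, "dport": dport})
    return aces


def _port_ok(want, have):
    return want is None or want == have


def evaluate(aces, src, dst, proto, dport, sport=None):
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if (s in ace["src"] and d in ace["dst"]
                and _port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport)):
            return ace["action"]
    return "deny"


def would_redirect(aces, src, dst, proto, dport):
    """For a WCCP redirect-list, 'permit' means the flow is sent to the cache engine."""
    return evaluate(aces, src, dst, proto, dport) == "permit"


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_LIST)
    # Constructed flows: a client, the proxy itself, and non-HTTP traffic.
    for src, dport, proto in [("10.0.0.50", 80, "tcp"), ("10.0.0.5", 80, "tcp"),
                              ("10.0.0.50", 443, "tcp"), ("10.0.0.50", 80, "udp")]:
        print(src, proto, dport, "->", "redirect" if would_redirect(acl, src, "203.0.113.10", proto, dport) else "pass")
```

The one flow that must come back "pass" is the proxy's own HTTP: if the deny entry names the wrong host, the proxy's forwarded requests match "permit tcp any any eq www" and are redirected straight back to it, which is the loop the last reply warns about. Running your own redirect-list through parse_acl with the proxy address as the source is a quick way to confirm the exclusion is in place.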