We need some help in a discussion we are having about WCCP and where it needs to be to work right. Also note that I have never done WCCP on the ASA yet, so I'm not sure if this will work. Here is the concept.
I-----RTR------ASA------CVPN3030
--- DMZ
--- DMZ2
--- Inside
Above is our current layout. WCCP resides internally on the inside interface on a router just after the ASA inside interface. It works fine for users on the inside network but misses the VPN users terminated on the ASA/3030 outside interface. Thus the problem at hand. WCCP misses these users because they validate the tunnel and then just go right out to the internet.
So here are the solutions we have come up with, so far. Nothing is in stone.
I----RTR---SW---ASA--- CVPN3030
This is the classic way I can think of that will work: placing the WCCP at the new switch with an outside interface. This places the WCCP server in harm's way to be hacked, but will catch the VPN users. There is one other option, but I'm not sure it will work, and this is where I need help.
I---RTR---ASA---MRG
Could I do the URL redirect to this port on the firewall, catch the VPN users, and the users inside too, and then people can go out to the internet? This will semi-protect the WCCP server too, right? Thanks.