Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Interface ACL Hits Before WCCP Redirection?

I'm attempting to lock down outbound Internet access on some networks.  I'd like to take the "slow and careful" approach to this by creating individual permissive rules per each subnet and then log the outbound traffic so I know what is going out those networks and bypassing our proxy server (Ironport).

However, I've noticed that although TCP 80 is proxy'd on my networks and the proxy server does appear to be handling those requests I still see hits on my Interface ACLs for those networks as the source address.

For example, let's say my proxy server is 1.1.1.1.

If I proxy via WCCP all traffic from 2.2.2.0/24 I would expect to see 0 hits on my ACL for outbound traffic from 2.2.2.0/24 to any via TCP 80 since the proxy server (1.1.1.1) would be handling it.

However, it does appear that interface ACLS are processed before WCCP redirection rules.

Can anyone confirm?

Edit:  Looking at this more, it appears that Interface ACL permits are required even if the traffic is to be sent through the proxy.  This creates some major issues as there is then, no way to deny non-proxy'd traffic from exiting the network.  Seems like I'm missing something here but this appears to be very broken. 

Edit:  Moved to WSA group as it appears that while hosts are going through the proxy server they are being sent as the originating hosts' source IP Address. 

We do not have the IP Spoofing feature enabled.

2 REPLIES
New Member

Re: Interface ACL Hits Before WCCP Redirection?

Maybe I can rephrase this in an easier fashion to garner some responses.

Does anyone run WCCP redirect to an WSA via a Cisco ASA firewall that doesn't normally permit traffic into the ASA's Inside interface for the originating client?

Thanks!

Interface ACL Hits Before WCCP Redirection?

Traffic will be filtered via the interface ACL (if one is configured) before being redirected to WCCP. The source of the packet will remain as the original as the WSA does not proxy out on behalf of the client. It merely gives a permit/deny and or some caching.

304
Views
0
Helpful
2
Replies