Problem with S170 not seeing traffic from users behind a different ASA interface

baskervi
Level 1

I posted the following under the Security home page but haven't had any hits in 15 days. Maybe this is a better fit. Anyone have any ideas here?

 

I followed https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration more or less, with the exception of using a service ID of 90 and not the default web-cache service.

The ASA has multiple interfaces in use. The S170 is seeing traffic for all users on the same interface it's on, but it doesn't see traffic on a different interface. The S170 is on the PROD_INTERNAL interface. For the URL I noted above, the following comment is made:

"WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA."

I take it I'm trying to configure this in a way that won't work? Is there a way I can make this work? Here is a portion of the ASA configuration. Thank you.

 

wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
MO-FW1(config)# sh runn | in WCCP
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS

 

2 Accepted Solutions


Vance Kwan
Cisco Employee

This deployment is not supported. It is also a hit or miss whether you can make this work. Do you even see the initial SYN packet from your FW_INSIDE client via a packet capture on the S170?

 


The WSA has to be accessible via the same interface the WCCP is running on. WCCP can't cross the firewall to get to the WSA.

This is an ASA limitation.

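Reading the posted configuration against the limitation in the accepted answer, the only part that fits the supported topology is the part where client, ASA ingress interface and S170 all sit behind PROD_INTERNAL. The fragment below is an added illustration, not configuration from the original post or from Cisco's documentation. It assumes that 10.10.100.0/24 is the PROD_INTERNAL subnet (the S170 is 10.10.100.10) and that 10.12.0.0/16 sits behind FW_INSIDE; the thread does not state either mapping. The capture and show commands are standard ASA CLI used to answer the question Vance asks (is the client SYN even reaching the S170).

```text
! --- As posted: redirect on two interfaces, S170 reachable only via PROD_INTERNAL ---
! Clients behind FW_INSIDE match the redirect-list, but the ASA cannot hand the
! redirected flow to a cache engine behind a different interface, and the S170
! could only reach those clients back through the ASA. Unsupported.
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in

! --- Within the supported topology: redirect only on the interface the S170 is on ---
! Assumption: 10.10.100.0/24 is behind PROD_INTERNAL, 10.12.0.0/16 behind FW_INSIDE.
! The S170's own address is denied first so its outbound fetches are never
! redirected back to itself (a precaution; harmless if the platform already skips it).
access-list WCCP-REDIRECT-IN extended deny ip host 10.10.100.10 any
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
no wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in

! --- Checks on the ASA ---
! Is the S170 registered for service group 90, and is the redirect counter moving?
show wccp 90 view
show wccp 90 detail
! Capture the client-side HTTP SYNs on the ingress interface and the GRE-encapsulated
! redirects toward the S170; an empty WCCP-GRE capture means nothing is being redirected.
capture WCCP-IN interface PROD_INTERNAL match tcp 10.10.100.0 255.255.255.0 any eq www
capture WCCP-GRE interface PROD_INTERNAL match gre any host 10.10.100.10
show capture WCCP-IN
show capture WCCP-GRE
no capture WCCP-IN
no capture WCCP-GRE
```

Run the same captures on FW_INSIDE while a 10.12.0.0/16 client browses and you get the evidence behind the "hit or miss" remark: the SYN is seen on ingress, but there is no supported path for the redirected GRE to reach a cache engine on another interface. Users behind FW_INSIDE need the S170 reachable on their own interface, or a different redirection method (explicit proxy settings or WCCP from a router on that segment) rather than ASA WCCP.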
