07-02-2014 09:14 AM
I posted the following under the Security home page but haven't had any hits in 15 days. Maybe this is a better fit. Anyone have any ideas here?
I followed https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration more or less, with the exception of using a service ID of 90 and not the default web-cache service.
The ASA has multiple interfaces in use. The S170 is seeing traffic for all users on the same interface it's on, but it doesn't see traffic on a different interface. The S170 is on the PROD_INTERNAL interface. For the URL I noted above, the following comment is made:
"WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA."
I take it I'm trying to configure this in a way that won't work? Is there a way I can make this work? Here is a portion of the ASA configuration. Thank you.
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
MO-FW1(config)# sh runn | in WCCP
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
07-10-2014 11:00 PM
This deployment is not supported. It is also a hit or miss whether you can make this work. Do you even see the initial SYN packet from your FW_INSIDE client via a packet capture on the S170?
07-15-2014 09:52 AM
The WSA has to be accessible via the same interface the WCCP is running on. WCCP can't cross the firewall to get to the WSA.
This is an ASA limitation.
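An added sanity check, not from the thread or from Cisco, that parses the ASA lines posted above and flags any WCCP-enabled interface whose cache engine (the group-list host) is not behind that same interface, which is the only topology the answers say the ASA supports. The interface subnets are an assumption; the thread does not give them.

```python
import ipaddress
import re

# Constructed sample mirroring the ASA snippet in the thread (not a live device).
ASA_CONFIG = """
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
"""

# Hypothetical interface subnets; the thread does not state them.
INTERFACE_SUBNETS = {
    "PROD_INTERNAL": ipaddress.ip_network("10.10.100.0/24"),
    "FW_INSIDE": ipaddress.ip_network("10.12.0.0/16"),
}

ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (host \S+|any|\S+ \S+)")
SVC_RE = re.compile(r"^wccp (\d+) redirect-list (\S+) group-list (\S+)")
IF_RE = re.compile(r"^wccp interface (\S+) (\d+) redirect in")

def _source_net(token):
    """ASA ACL source ('host a.b.c.d', 'a.b.c.d mask', 'any') -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token.split()[1] + "/32" if token.startswith("host ") else token.replace(" ", "/"))

def parse_wccp(config):
    """Return ({service: (redirect_acl, group_acl)}, {acl: [source nets]}, [(iface, service)])."""
    services, acls, ifaces = {}, {}, []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(_source_net(m.group(2)))
        elif m := SVC_RE.match(line):
            services[m.group(1)] = (m.group(2), m.group(3))
        elif m := IF_RE.match(line):
            ifaces.append((m.group(1), m.group(2)))
    return services, acls, ifaces

def unsupported_redirects(config, interface_subnets):
    """List (iface, service, cache_engine) where the engine is not behind iface."""
    services, acls, ifaces = parse_wccp(config)
    problems = []
    for iface, svc in ifaces:
        for engine in acls.get(services[svc][1], []):  # group-list entries = cache engines
            if not engine.subnet_of(interface_subnets[iface]):
                problems.append((iface, svc, str(engine)))
    return problems
```

With the subnets assumed above, `unsupported_redirects` flags FW_INSIDE (its WCCP redirect points at a WSA that sits behind PROD_INTERNAL) and passes PROD_INTERNAL.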