Cisco Support Community
New Member

Problem with S170 not seeing traffic from users behind a different ASA interface

I posted the following under the Security home page but haven't had any hits in 15 days. Maybe this is a better fit. Anyone have any ideas here?

 

I followed https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration more or less, with the exception of using a service ID of 90 and not the default web-cache service.

The ASA has multiple interfaces in use. The S170 is seeing traffic for all users on the same interface it's on, but it doesn't see traffic on a different interface. The S170 is on the PROD_INTERNAL interface. For the url I noted above, the following comment is made:

"WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA."

I take it I'm trying to configure this in a way this won't work? Is there a way I can make this work? Here is a portion of the ASA configuration. Thank  you.

 

wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
MO-FW1(config)# sh runn | in WCCP
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS

 
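An added sanity check, not part of the thread, that parses the WCCP lines quoted above and flags any `redirect in` interface whose group-list WSA is not behind that same interface (the topology the ASA documentation says is unsupported). The interface-to-subnet mapping is an assumption inferred from the redirect-list and the statement that the S170 sits on PROD_INTERNAL.

```python
import ipaddress
import re

# Constructed sample: the WCCP lines quoted in the post. The interface-to-subnet
# mapping is an assumption (the post only says the S170 sits on PROD_INTERNAL).
ASA_CONFIG = """
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
"""

INTERFACE_SUBNETS = {  # assumed, not stated in the post
    "PROD_INTERNAL": ipaddress.ip_network("10.10.100.0/24"),
    "FW_INSIDE": ipaddress.ip_network("10.12.0.0/16"),
}

def parse_wccp(config):
    """Pull out service->group-list, group-list->WSA hosts, and (interface, service) redirects."""
    services, group_hosts, redirects = {}, {}, []
    for line in config.splitlines():
        m = re.match(r"wccp (\S+) redirect-list \S+ group-list (\S+)", line)
        if m:
            services[m.group(1)] = m.group(2)
            continue
        m = re.match(r"wccp interface (\S+) (\S+) redirect in", line)
        if m:
            redirects.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"access-list (\S+) extended permit ip host (\S+) any", line)
        if m:
            group_hosts.setdefault(m.group(1), []).append(ipaddress.ip_address(m.group(2)))
    return services, group_hosts, redirects

def interface_of(ip, subnets):
    """Name of the interface whose subnet contains ip, or None."""
    return next((name for name, net in subnets.items() if ip in net), None)

def unsupported_redirects(config, subnets):
    """Redirects whose WSA (from the group-list) is not behind the redirecting interface."""
    services, group_hosts, redirects = parse_wccp(config)
    problems = []
    for iface, svc in redirects:
        for wsa in group_hosts.get(services.get(svc, ""), []):
            wsa_iface = interface_of(wsa, subnets)
            if wsa_iface != iface:
                problems.append((iface, svc, str(wsa), wsa_iface))
    return problems
```

Running it against the quoted config reports the FW_INSIDE redirect as the one that cannot reach the WSA without crossing the firewall.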

Accepted Solutions
Cisco Employee

This deployment is not supported. It is also hit or miss whether you can make this work. Do you even see the initial SYN packet from your FW_INSIDE client via a packet capture on the S170?

 

The WSA has to be accessible via the same interface the WCCP is running on. WCCP can't cross the firewall to get to the WSA.

This is an ASA limitation.

 

 
