Having a small challenge here I hope you can help me with. I'll try to explain the problem as best I can (even though my English could be better, and I'm pretty much a novice on the Cisco ASAs :oops: )
A customer of mine is trying to implement the S-series in his network. They have a fairly large WAN and several local networks. The networks and clients are pretty varied - a fine mix of thin and thick clients, some use DHCP while others don't, some authenticate through various directory services but some do not, etc. So trying the usual strategies like spanning switches, rolling out PACs through GPO or DHCP etc. does not seem like an option here.
The only common denominator is that all the traffic from the networks goes through a Cisco ASA 5550 before hitting the internet. I therefore gathered that using WCCP would help me suck all HTTP traffic via the S-box for filtering.
Now, the 5550 utilizes several physical interfaces - one is set up as the WAN interface, dividing the different WANs into VLANs (about 50 of them). One is set up as the local LAN/management interface. One is set up as the local DMZ interface (where the S-box is placed). Two are set up towards the internet.
I read the "Configuring WCCP on a Cisco ASA" guide on the forum (https://www.ironportnation.com/forums/viewtopic.php?t=961&start=0&postdays=0&postorder=asc&highlight=cisco) but I suspect this was meant for a less complicated setup than the one I'm struggling with. I also noted the comment about only being able to redirect one interface...
I did a limited test, applying WCCP on a single network using the commands found in the above post (and in the Cisco WCCP how-to). Set up the S-box WCCP conf towards its GW. Result is that when I do a 'sho wccp', it seems the ASA actually picks up the S and starts redirecting packets - but web stops working on the network I tried WCCP'ing so I guess something is amiss...
Does anyone have any input on how I can make this work? Is there an easier solution I've overlooked? If any details I can provide would help you help me :wink: please let me know!
Which interface are you using WCCP with on the ASA? The WAN interface?
There are a lot of factors that will need looking into. I believe that we should be able to do a redirect out on the WAN interface, but this has several limitations, such as all traffic being sourced from the ASA (NAT).
You may want to give support a call so we can talk this out further. A network diagram would help as well, though your description is pretty good.