Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
0
Helpful
2
Replies

S-series using WCCP on Cisco ASA 5550

magnussolberg_ironport
Level 1
Level 1

‎06-09-2009 01:15 PM

Hi guys,

Having a small challenge here I hope you can help me with. I'll try to explain the problem as best I can (even though my English could be better, and I'm pretty much a novice on the Cisco ASAs :oops: )

A customer of mine is trying to implement the S-series in his network. They have a fairly large WAN and several local networks. The networks and clients are pretty varied - a fine mix of thin and thick clients, some use DHCP while others don't, some authenticates thru various directory services but some do not, etc. So trying the usual strategies like spanning switches, rolling out PACs thru GPO or DHCP etc does not seem like an option here.

The only common denominator is that all the traffic from the networks go thru a Cisco ASA 5550 before hitting the internet. I therefore gathered that using WCCP would help me suck all HTTP traffic via the S-box for filtering.

Now, the 5550 utilizes several physical interfaces - one is set up as the WAN interface, dividing the different WANs into VLANs (about 50 of them). One is set up as the local LAN/management interface. One is set up as the local DMZ interface (where the S-box is placed). Two are set up towards the internet.

I read the "Configuring WCCP on a Cisco ASA" guide on the forum (https://www.ironportnation.com/forums/viewtopic.php?t=961&start=0&postdays=0&postorder=asc&highlight=cisco) but I suspect this was meant for a less complicated setup than the one I'm struggling with. I also noted the comment about only being able to redirect one interface...

I did a limited test, applying WCCP on a single network using the commands found in the above post (and in the Cisco WCCP how-to). Set up the S-box WCCP conf towards its GW. Result is that when I do a 'sho wccp', it seems the ASA actually picks up the S and starts redirecting packets - but web stops working on the network I tried WCCP'ing so I guess something is amiss...

Do anyone have any input on how I can make this work? Is there an easier solution I've overlooked? If any details I can provide would help you help me :wink: please let me know!

Kind regards,
Magnus

Labels:
0 Helpful
2 Replies 2

jowolfer
Level 1
Level 1

‎06-10-2009 04:04 PM

Magnus,

Which interface are you using WCCP with on the ASA? The WAN interface?

There are alot of factors that will need looking into. I believe that we should be able to do a redirect out on the WAN interface, but this has several limitations, such as all traffic being sourced from the ASA (NAT).

You may want to give support a call so we can talk this out further. A network diagram would help as well, though your description is pretty good.

0 Helpful

magnussolberg_ironport
Level 1
Level 1

‎06-11-2009 08:46 AM

Hi Josh,

Ideally, both the WAN interface as well as the LAN should be filtered. However, it seems that when enabling WCCP I can only define a single VLAN (the WAN includes quite a number of these, as said).

I've been in contact with support and as usual got quality help (#466176), unfortunately without getting any further.

I might be able to wrestle a network diagram from my customer - although he's (rightly) a bit hesitant in giving one out, I could probably procure an anonymized version.

Regards,
Magnus

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents