
New Member

WCCP on ASA

I'm wondering how common it is for folks to make their WCCP their external firewall. This is what our VAR recommended but I am tempted to move it back to our internal L3 switch.

We have had a few odd problems since deployment (about 3-4 weeks ago). First, although the WCCP session looks completely normal, a number of non-http applications broke until we modified the ACL to only redirect HTTP and HTTPS traffic.

Second we have multiple sites (some as common as Hotmail) that sporadically don't work getting 504 errors. We've had 2 or 3 support cases since deployment and have yet to come to absolute resolutions on any of them.

Are there folks out there with successful deployments such as this? What interface has been used as the peer, and is there any way to set it other than with the highest IP address? Does the identifier address matter at all?

Thanks for any insight.

Scott

5 REPLIES
New Member

Re: WCCP on ASA

I can't speak for the field, but given a choice, I'd recommend doing WCCP on a router, switch, then ASA - in that order.

The WCCP code seems to be more reliable on the routers over the other devices.

I've not heard of needing to use a specific ACL to force the ASA to only send the 80 and 443 traffic.

There is no way, that I'm aware of, to change the Router ID on any of these devices. It is set to the highest configured IP at the time of bootup.

New Member

Re: WCCP on ASA

I moved it to our 6506 last night and things are a bit better. I noticed right away one of the differences - the switch is using L2 WCCP rather than GRE encapsulation. I also did an "any any" rather than the specific ports I had to do on the ASA and everything has been functioning well.

I don't get the impression too many people do it on the ASA and I was surprised initially when our vendor recommended that route.

Thanks for the feedback.

Scott

Re: WCCP on ASA

We have it deployed in this manner, and yes, you have to specify ports 80, 443 and 8443 for it to function properly.

Re: WCCP on ASA

I am new to WCCP. Can anyone give a sample config for the ASA? The setup is as follows:

Inside Network------SW----------ASA---------Internet
                    |
                    |
                  S360

access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 443
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 443
access-list s360-wccp extended permit tcp any any eq 80
access-list s360-wccp extended permit tcp any any eq 443

wccp web-cache redirect-list s360-wccp
wccp interface inside web-cache redirect in

The sample network addresses are those that I do not want to be redirected. Can my configuration work? What else is needed? Thanks.

New Member

Re: WCCP on ASA

If the switch in this scenario supports WCCP, I would use it instead of the ASA. If you must use the ASA, then make sure you are running 7.2(3) or newer code on the ASA. The configuration you listed looks fine, except the redirect-list ACL might be backwards depending on what you are trying to do.

The way the ACL is written, WCCP will ignore traffic with a destination of 192.168.20.0/24 and 192.168.97.0/24 (which may make sense if these are DMZ subnets), but if you are trying to exclude clients in these subnets from redirection, then this ACL should be flipped around, i.e. deny tcp 192.168.20.0 255.255.255.0 any eq 80.
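To make the source-versus-destination point in the reply above concrete, here is an added example (mine, not code from the thread or from Cisco): a small first-match evaluator for ASA-style extended ACL lines, run over the redirect-list as posted and over the flipped version. Both ACL texts are constructed from the entries discussed in the thread; the client and web-server addresses in the sample flows (10.1.1.5, 192.168.20.15, 192.168.20.5, 203.0.113.10) are constructed placeholders. A permit entry means "redirect to the cache", a deny means "bypass", and the implicit deny at the end means unmatched traffic is never redirected.

```python
import ipaddress

# Constructed redirect-list as posted: deny by DESTINATION subnet, so it
# bypasses traffic going TO 192.168.20.0/24 and 192.168.97.0/24.
ACL_AS_POSTED = """
access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 80
access-list s360-wccp extended deny tcp any 192.168.20.0 255.255.255.0 eq 443
access-list s360-wccp extended deny tcp any 192.168.97.0 255.255.255.0 eq 443
access-list s360-wccp extended permit tcp any any eq 80
access-list s360-wccp extended permit tcp any any eq 443
"""

# Constructed flipped redirect-list: deny by SOURCE subnet, so it bypasses
# traffic FROM clients in those subnets, which is what "exclude clients" means.
ACL_FLIPPED = """
access-list s360-wccp extended deny tcp 192.168.20.0 255.255.255.0 any eq 80
access-list s360-wccp extended deny tcp 192.168.97.0 255.255.255.0 any eq 80
access-list s360-wccp extended deny tcp 192.168.20.0 255.255.255.0 any eq 443
access-list s360-wccp extended deny tcp 192.168.97.0 255.255.255.0 any eq 443
access-list s360-wccp extended permit tcp any any eq 80
access-list s360-wccp extended permit tcp any any eq 443
"""


def _parse_endpoint(tokens):
    """Consume 'any' or 'address mask' from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts the dotted-mask form used by the ASA ("addr/mask").
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] != "access-list" or parts[2] != "extended":
            raise ValueError(f"unsupported ACL line: {line}")
        action, proto = parts[3], parts[4]
        src, rest = _parse_endpoint(parts[5:])
        dst, rest = _parse_endpoint(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # None = any destination port
        entries.append((action, proto, src, dst, port))
    return entries


def is_redirected(entries, src_ip, dst_ip, dport, proto="tcp"):
    """First matching entry wins, as on the ASA; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p != proto or s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


# Constructed sample flows: (label, source, destination, destination port).
FLOWS = [
    ("client in 192.168.20.0/24 browsing the Internet", "192.168.20.15", "203.0.113.10", 80),
    ("other client reaching a server in 192.168.20.0/24", "10.1.1.5", "192.168.20.5", 443),
    ("other client browsing the Internet", "10.1.1.5", "203.0.113.10", 80),
    ("other client on a non-web port", "10.1.1.5", "203.0.113.10", 22),
]


def compare_redirect_lists(flows=FLOWS):
    """Return [(label, redirected_as_posted, redirected_flipped)] for each sample flow."""
    posted, flipped = parse_acl(ACL_AS_POSTED), parse_acl(ACL_FLIPPED)
    return [
        (label, is_redirected(posted, s, d, port), is_redirected(flipped, s, d, port))
        for label, s, d, port in flows
    ]


if __name__ == "__main__":
    print(f"{'flow':<52} {'as posted':>10} {'flipped':>8}")
    for label, as_posted, flipped in compare_redirect_lists():
        print(f"{label:<52} {str(as_posted):>10} {str(flipped):>8}")
```

The first flow is the one that decides which variant you want: with the ACL as posted, a client inside 192.168.20.0/24 still gets redirected to the cache when it browses the Internet, while the flipped list bypasses it. The second flow shows the other side of the trade: the posted list protects a server sitting in 192.168.20.0/24 from redirection, the flipped list does not.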
