I'm wondering how common it is for folks to make their WCCP their external firewall. This is what our VAR recommended but I am tempted to move it back to our internal L3 switch.
We have had a few odd problems since deployment (about 3-4 weeks ago). First, although the WCCP session looks completely normal, a number of non-http applications broke until we modified the ACL to only redirect HTTP and HTTPS traffic.
Second, we have multiple sites (some as common as Hotmail) that sporadically don't work, getting 504 errors. We've had 2 or 3 support cases since deployment and have yet to come to absolute resolutions on any of them.
Are there folks out there with successful deployments such as this? What interface has been used as the peer, and is there any way to set it other than with the highest IP address? Does the identifier address matter at all?
I moved it to our 6506 last night and things are a bit better. I noticed right away one of the differences - the switch is using L2 WCCP rather than GRE encapsulation. I also did an "any any" rather than the specific ports I had to do on the ASA and everything has been functioning well.
I don't get the impression too many people do it on the ASA and I was surprised initially when our vendor recommended that route.
If the switch in this scenario supports WCCP, I would use it instead of the ASA. If you must use the ASA, then make sure you are running 7.2(3) or newer code on the ASA. The configuration you listed looks fine, except the redirect-list ACL might be backwards depending on what you are trying to do.
The way the ACL is written, WCCP will ignore traffic with a destination of 192.168.20.0/24 and 192.168.97.0/24, (which may make sense if these are DMZ subnets), but if you are trying to exclude clients in these subnets from redirection, then this ACL should be flipped around. i.e. deny tcp 192.168.20.0 255.255.255.0 any eq 80.
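As an added illustration (not the poster's configuration and not from the original thread), assuming ASA 7.2(3)+ syntax, a client-facing interface named "inside", the ACL name "WCCP-REDIRECT", and the two subnets named in the reply above: the redirect-list ACL is matched against the client's request, so a deny on the source subnet excludes those clients, while a deny on the destination subnet only excludes servers in that subnet; permit lines define what gets redirected.

```cisco
! Added example, not the poster's running config. Exclude clients in
! 192.168.20.0/24 and 192.168.97.0/24 from redirection (deny on the
! SOURCE), then redirect only HTTP and HTTPS from everyone else.
access-list WCCP-REDIRECT extended deny tcp 192.168.20.0 255.255.255.0 any eq 80
access-list WCCP-REDIRECT extended deny tcp 192.168.20.0 255.255.255.0 any eq 443
access-list WCCP-REDIRECT extended deny tcp 192.168.97.0 255.255.255.0 any eq 80
access-list WCCP-REDIRECT extended deny tcp 192.168.97.0 255.255.255.0 any eq 443
access-list WCCP-REDIRECT extended permit tcp any any eq 80
access-list WCCP-REDIRECT extended permit tcp any any eq 443
! Implicit deny at the end: non-HTTP/HTTPS traffic is never redirected,
! which is the fix the original poster applied for the broken applications.
!
! Compare: a deny on the DESTINATION excludes servers in that subnet,
! not clients in it; that is the form of the ACL discussed above.
! access-list WCCP-REDIRECT extended deny tcp any 192.168.20.0 255.255.255.0 eq 80
!
! Attach the list to the service group and enable redirection on the
! client-facing interface (the interface name "inside" is an assumption).
wccp web-cache redirect-list WCCP-REDIRECT
wccp interface inside web-cache redirect in
```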