3945 Router Issue between WAAS Module and IOS Firewall

gwhuang5398
Level 2

I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection were running at the same time, user connections to the data center were all lost. With just IP inspection or WCCP redirection, but not both, user connections were good.

I have a feeling the problem is that IP inspection is not WAAS aware. I tried "ip inspect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code are all the newest versions. So I was wondering if anyone has seen similar issues and has experience enabling WAAS through IP inspection on those new products.

Here is the configuration info:

3945 G2 ISR: IOS 15.1(1)T1;

SM-SRE-900: WAAS 4.2.3 build7;

3945 LAN interface: ip inspection in and ip wccp 61 redirect in

3945 WAN interface: ip wccp 62 redirect in

3945 SM 1/0 interface: internal connection to SM-SRE module

Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.

If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.

Thanks for any help.

3 Replies

ahskhan
Cisco Employee

WCCP and CBAC cannot work together on an IOS router. If you need to enable the FW feature set on the router while running WCCP, please use ZBFW. On the other hand, since CBAC is not zone-based and is applied on an interface only, you can follow the workaround below.

3945 LAN interface: ip wccp 62 redirect in / ip wccp 61 redirect out

3945 WAN interface: ip inspect name fw out

3945 SM 1/0 interface: internal connection to SM-SRE module (ip wccp redirect exclude in)

Let me know if this answers your question.

Ahsan Khan

Thanks for the info. I'll have to test it to see how it works.

When you say WCCP and CBAC are not working together, is it specific to the 3945 router or 15.1 IOS? Or any ISR and IOS in general?

Is it the same issue if the router is in the middle of a TCP optimization path?

Thanks again

Hi,

This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498

If you still need to run CBAC, then recommended solution in my first post should work for you.

If the router is in the middle of a TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".

Hope this has answered your question. Thanks.

Ahsan Khan