topic This is an ASA limitation. in Web Security

WCCP communication issue between ASA and WSA

Chirag Prajapati — Mon, 28 Jul 2014 14:42:00 GMT

Hi,

I am trying to setup wccp for my guest wifi setup for internet connectivity. I can see the traffic is redirected as per the below output but internet is not working on client system.

In my setup I have Client connected through wifi has default gateway as ASA and WSA connected to another interface of the same ASA. Communication flow will be like this. Attached network diagram.

Client --> ASA (inside) ---> WSA (ASA DMZ interface) ---> Internet

Client subnet : 192.168.230.0/24

WSA inside : 10.231.47.0/26

WSA default route pointing to internet router.

============================

Below is the output from ASA.

sh wccp 90 detail

WCCP Cache-Engine information:
Web Cache ID: 10.231.47.6
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 916
Connect Time: 2d23h

This is an ASA limitation.

Vance Kwan — Tue, 29 Jul 2014 05:27:06 GMT

This is an ASA limitation. WCCP redirection is only supported when the client and the wccp device is behind the same ASA interface.

Are you able to utilize a second interface on the WSA and connect it to your Inside network?

Hi,I have used both P1 & P2

Chirag Prajapati — Tue, 29 Jul 2014 06:22:44 GMT

Hi,

I have used both P1 & P2 for inside and internet connectivity. Not sure if i can use any other interface of WSA for this setup.

Any possibility to create subinterface on WSA?

Regards

Chirag

You can create a sub

Vance Kwan — Tue, 29 Jul 2014 16:34:01 GMT

You can create a sub interface by going to the SSH and using the 'etherconfig' command, and adding a new interface and specify it to use a specific VLAN. Not sure if it can work for your purposes though.

Thanks, I will try for

Chirag Prajapati — Wed, 30 Jul 2014 10:42:58 GMT

Thanks, I will try for subinterface.

As per my setup, WSA(Prosy) will direct all internet connection towards internet instead of ASA.

1) Still i need NAT on ASA for my client subnet? (I dont think its required Pl confirm)

2) Do i need to configure WPAD (Pac file hosting) on WSA? My understandin is all internet traffic will be redirected by ASA to WSA hence no need of proxy script, Pl confirm.

3) if second step is not required then how client internet request will redirect to proxy through wccp on ASA on port 83 on which proxy is running.

Regards

Chirag