topic Re: WCCP Redirection on Firepower FTD 2110 in Network Security

WCCP Redirection on Firepower FTD 2110

nimalrajphilips — Fri, 21 Feb 2020 14:47:47 GMT

Hello All,

Has anyone configured transparent WCCP redirection on Cisco FTD managed by FMC? I couldn't find any online referrals for this. Appreciate the expert help.

Thank you

Nimalraj

Re: WCCP Redirection on Firepower FTD 2110

Marvin Rhoads — Thu, 07 Dec 2017 13:32:12 GMT

There is a flexconfig template for it as of release 6.2. I've not had any success with getting it to work just yet though.

I admit comprehension of the Velocity scripting language they use in the template is poor ...but the explanation of the template is even more poor. 🙂

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html#id_39923

Re: WCCP Redirection on Firepower FTD 2110

sajjadazamkhan-sirius — Tue, 09 Jan 2018 13:46:50 GMT

Marvin, did you had any luck with WCCP in getting it to work?

Re: WCCP Redirection on Firepower FTD 2110

Marvin Rhoads — Wed, 10 Jan 2018 01:32:43 GMT

No - I haven't had time to dig back into it. It's on my "to do list" though.

I'd be happy to learn from somebody else though.

Re: WCCP Redirection on Firepower FTD 2110

rpineur — Fri, 12 Jan 2018 18:35:36 GMT

This is what I ended up with for wccp in FlexConfig.

wccp 80 redirect-list $wccpRedirectList group-list $wccpGroupList password @wccpPassword

wccp interface egh-inside 80 redirect in

Just the two lines. The "$wccpRedirectList" represents the redirect extended ACLand the "$wccpGroupList" represents the wccp server extended ACL.

Those were both entered via the drop down box as "insert-->insert policy object-->Extended ACL Object"

The "@wccpPassword" represents the secret password. Entered via drop down box as "insert-->Insert Secret Key". Add an object from the FlexConfig text object pre-defined as "wccpPassword" and enter the real password.

It should look like this from the FTD device command line. the command line puts in the real ACL names.

wccp 80 redirect-list "Real ACL Name for Redirect" group-list "Real ACL Name for Servers" password *****
wccp interface inside 80 redirect in

I hope this helps someone, because I couldn't find anything online either.

Re: WCCP Redirection on Firepower FTD 2110

nagarjunabezawada1411 — Fri, 23 Feb 2018 00:28:22 GMT

Hi,

Yes, I had configured the WCCP redirection on FTD 2100's using FMC in both transparent and non transparent modes. Just make sure one thing in any scenario, both web users and client(proxy server) have to be behind the same interface but not necessarily in the same network. rest of the wccp configuration on FTD is similar to ASA but using flexconfig.

Re: WCCP Redirection on Firepower FTD 2110

Alex Garcia — Wed, 24 Apr 2019 19:08:41 GMT

I had the same problem. No enough documentation available online but here is what I did with a couple of 2130s.

I used the template and modified it with some information.

#set( $service = "web-cache")
#if( $isServiceIdentifier == "true") <--Changed this object from false to true
#set( $service = "$serviceIdentifier") <- Change this value to 90 o 91 depends of what port you need to filter 80 or 443
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wsas )
#set( $wccpCli = "$wccpCli group-list $wsas1") <- This is the ACL with the WSA IP running WCCP
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $Redirect_List )
#set( $wccpCli = "$wccpCli redirect-list $Redirect_List1") <-- This is the ACL with the redirection policies.
#end

$wccpCli

#### Assiging wccp onto interface
#foreach( $inside1 in $inside2) <- updated this inside interface in inside zone
wccp interface inside 90 redirect in <- This is clear text using the service ID you defined above (do not insert, just type it).
#end

Re: WCCP Redirection on Firepower FTD 2110

jamestomassoni — Tue, 14 May 2019 00:32:49 GMT

Have any of you use WCCP on 6.3.0 release. We have 6.3.0 deployed with WCCP configuration but it is not working. I can see the config in the FTD when using the show commands but it is not sending any traffic to the WCCP appliance.

Re: WCCP Redirection on Firepower FTD 2110

Alex Garcia — Wed, 15 May 2019 01:25:59 GMT

Hi James,

The configuration I posted few days ago is running in a FTD2130 with FXOS 2.4 and FTD 6.3.0.2. It is working like a champ.

Re: WCCP Redirection on Firepower FTD 2110

Gavin Lodge — Thu, 13 Jun 2019 10:51:59 GMT

Hi Alex

I have 2 virtual WSAs for redundancy, both running in transparent mode. We currently have our ASAs using one as a primary and the other as a secondary(not forwarding unless the primary dies). Do you know what the template would look like to accommodate two WSA?

Current config
wccp 90 redirect-list wccp-hosts group-list proxy01 password *****
wccp 91 redirect-list wccp-hosts group-list proxy02 password *****
wccp interface INSIDE 90 redirect in
wccp interface INSIDE 91 redirect in

New config
Would I need to use two entries for the service identifier???
#set ( $service = "$90")
#set ( $service = "$91")

Would I use two lines and reference two separate ACLs???
#set( $wccpCli = "$wccpCli group-list $proxy01")
#set( $wccpCli = "$wccpCli group-list $proxy02")

Would I use two lines for each redirection, one per service identifier???
wccp interface $INSIDE $90 redirect in
wccp interface $INSIDE $91 redirect in

Re: WCCP Redirection on Firepower FTD 2110

tahscolony — Mon, 21 Apr 2025 17:06:32 GMT

I am going nutz trying to get mine working. If I have the proxy coded in the browser, it works just fine, but without it, I get no where. According to https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center-virtual/222849-configure-and-troubleshoot-wccp-on-ftd-u.html The configuration is to have the proxy on a DMZ interface.

I have two established WCCP tunnels, port 80 Web0Cache, and port 443 HTTPS. Both show traffic redirected, but never hits the proxy. Using a Ironport WSA for this.

Global WCCP information:
Router information:
Router Identifier: 192.168.186.254
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 492
Redirect access-list: Redirect-HTTP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: Monpss-Iport-02
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

Service Identifier: 70
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 7815
Redirect access-list: Redirect-HTTPS
Total Connections Denied Redirect: 0
Total Packets Unassigned: 5
Group access-list: Monpss-Iport-02
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

I don't know what I can run to follow the packets, but I know they hit the WCCP and from there go??? I have packet captures going and never see the IP from the workstation anywhere on the Proxy interface.