<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: WCCP Questions in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180163#M1066491</link>
    <description>&lt;P&gt;Francesco,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks so much for the reply. So to clarify, the WCCP server must be on the same subnet as the Layer 3 interface of the ASA that is doing the redirection? If the WCCP server resides on a different subnet reachable by a different interface of the ASA, it won't work? Even if there are valid routes in the ASA to reach it?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 05 Sep 2017 14:59:03 GMT</pubDate>
    <dc:creator>Craddockc</dc:creator>
    <dc:date>2017-09-05T14:59:03Z</dc:date>
    <item>
      <title>WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3179027#M1066487</link>
      <description>&lt;P&gt;Community,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're trying to roll out WCCP and I had some questions that I could not find the answers to online. After reading the following article, although helpful, I did have some questions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/t5/security-documents/asa-wccp-step-by-step-configuration/ta-p/3126636#How_wccp_works" target="_blank"&gt;https://supportforums.cisco.com/t5/security-documents/asa-wccp-step-by-step-configuration/ta-p/3126636#How_wccp_works&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) The article states the following:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;Does this mean that the WCCP Server and the clients have to be on the same subnet as the ASA interface doing the redirecting? Or does this mean that only the WCCP server has to be on the same subnet as the interface doing the redirecting? In this depiction, the clients, the interface and the WCCP server are all on the same subnet, but I don't have a flat subnet like this. I have multiple vlans with multiple user subnets who all need to be redirected to the same WCCP server that may exist on a different subnet.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;2) The paragraph also states that the WCCP Server must have the ability to reach the clients directly without having to traverse the ASA.
Does this mean that once the traffic is redirected to the WCCP Server that the return traffic from the WCCP server cannot pass through the ASA again otherwise the flow will fail?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;My client networks get default routed via vlan 125 (shown below) to the Inside Interface of the ASA for default route processing.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;Client Networks:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;10.132.129.0/24 (vlan 132)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;10.134.129.0/24 (vlan 134)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;10.140.129.0.24 (vlan 140)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;10.144.129.0/24 (vlan 144)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;0.0.0.0 0.0.0.0 --&amp;gt; 10.125.0.1 (Inside Interface of the ASA)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;10.125.0.9 (vlan 125 interface on switch, used as transport vlan to route to firewall)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;In this case, does the wccp server have to be on the 10.125.0.0/24 network? And does the upstream switch connecting to the firewall have to be able to route the traffic back from the wccp server to the clients without going through the inside interface of the firewall again?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;Thanks for any help you can provide.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="content"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 14:15:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3179027#M1066487</guid>
      <dc:creator>Craddockc</dc:creator>
      <dc:date>2020-02-21T14:15:58Z</dc:date>
    </item>
    <item>
      <title>Re: WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3179211#M1066489</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On the ASA, the&amp;nbsp;limitation is that when you redirect the traffic to the WCCP server, the packet has to go through the same interface.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If packets from your hosts arrive at your ASA interface called inside, the WCCP server has to be reachable from the inside interface, otherwise it won't work.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It's not necessary that the hosts and the WCCP server reside on the same subnet.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The direct communication between the WCCP server and the hosts is necessary because when a host tries to reach a website, the traffic is redirected to WCCP and the WCCP server initiates the communication to the outside with its own IP. When the internet server replies to WCCP, the information is cached and forwarded directly to the host without passing&amp;nbsp;through the ASA. If you don't have direct communication, it won't work.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;PS: Please don't forget to rate and select as validated answer if this answered your question&lt;/P&gt;</description>
      <pubDate>Sat, 02 Sep 2017 02:59:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3179211#M1066489</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2017-09-02T02:59:53Z</dc:date>
    </item>
    <item>
      <title>Re: WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180163#M1066491</link>
      <description>&lt;P&gt;Francesco,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks so much for the reply. So to clarify, the WCCP server must be on the same subnet as the Layer 3 interface of the ASA that is doing the redirection? If the WCCP server resides on a different subnet reachable by a different interface of the ASA, it won't work? Even if there are valid routes in the ASA to reach it?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Sep 2017 14:59:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180163#M1066491</guid>
      <dc:creator>Craddockc</dc:creator>
      <dc:date>2017-09-05T14:59:03Z</dc:date>
    </item>
    <item>
      <title>Re: WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180164#M1066492</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It has to be on the &lt;U&gt;&lt;STRONG&gt;same interface YES but no matter which subnet&lt;/STRONG&gt;&lt;/U&gt;.&lt;/P&gt;
&lt;P&gt;If the server is reachable from another interface it won't work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can have, let's say, your inside subnet (interconnection from the ASA to your core switch), and beside the switch you will have multiple vlans. The WCCP server can reside on any of those subnets (vlans).&lt;/P&gt;</description>
      <pubDate>Tue, 05 Sep 2017 15:02:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180164#M1066492</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2017-09-05T15:02:13Z</dc:date>
    </item>
    <item>
      <title>Re: WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180198#M1066493</link>
      <description>&lt;P&gt;Francesco,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Got it! So the traffic destined to the WCCP server MUST traverse the interface that's doing the redirecting to get there. You're right, this situation doesn't always include the WCCP server being on the same vlan as the interface being used to redirect traffic, but the route to the WCCP server must be taken over the same interface. Thanks again for your responses!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Sep 2017 16:21:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180198#M1066493</guid>
      <dc:creator>Craddockc</dc:creator>
      <dc:date>2017-09-05T16:21:43Z</dc:date>
    </item>
    <item>
      <title>Re: WCCP Questions</title>
      <link>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180338#M1066494</link>
      <description>You're welcome</description>
      <pubDate>Tue, 05 Sep 2017 21:51:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/wccp-questions/m-p/3180338#M1066494</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2017-09-05T21:51:12Z</dc:date>
    </item>
  </channel>
</rss>

