https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643310#M194700 <P>Thanks - could you clarify this a bit more ?</P><P>At present I have a ACL for redirecting traffic to the proxy. I have outbound ACL for all traffic allowed including the proxy and internal clients.</P><P>My understanding is in the outbound ACL I have to have a ACL for the client to be allowed to use HTTP and also the proxy to use HTTP. If I remove the client ACL it stops the client flow-through whether going through the proxy or not.</P><P>&nbsp;</P><P>Thanks<BR /><BR />Ed</P> Mon, 27 Apr 2015 14:51:46 GMT edw 2015-04-27T14:51:46Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643305#M194695 <P>Hi,</P><P>&nbsp;</P><P>I've set-up WCCP which has been working great. However I have found out that when the proxy is offline that traffic is being forward out of the appliance regardless. What I want is my traffic to be filtered by the proxy and if the proxy is offline no traffic is passed ? Is this possible ?</P><P>&nbsp;</P><P>Thanks</P><P><BR />Ed</P> Tue, 26 Mar 2019 00:55:42 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643305#M194695 edw 2019-03-26T00:55:42Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643306#M194696 <P>Hi,</P><P>Not available currently.</P><P>This is the enhancement:- CSCtl20957 and will hopefully be integrated in future.</P><P>https://tools.cisco.com/bugsearch/bug/CSCtl20957/?reffering_site=dumpcr</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Fri, 24 Apr 2015 05:06:57 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643306#M194696 Vibhor Amrodia 2015-04-24T05:06:57Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643307#M194697 <P>Thanks - unfortunately I don't have access to that bug.</P><P>&nbsp;</P><P>What do users do at present to deal with this, just let unfiltered traffic through ?</P><P>&nbsp;</P><P>Thanks</P><P><BR />Ed</P> Fri, 24 Apr 2015 14:34:12 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643307#M194697 edw 2015-04-24T14:34:12Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643308#M194698 <P>Hi,</P><P>If you want , i can provide a Workaround for this as well.</P><P>You can create an outbound ACL on the Outside interface allowing only the WCCP services for the Source as WCCP server IP and denying the rest of the WCCP services traffic.</P><P>Also at the end , put a permit ip any any.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Fri, 24 Apr 2015 18:07:39 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643308#M194698 Vibhor Amrodia 2015-04-24T18:07:39Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643309#M194699 <P>Thanks - could you clarify this a bit more ?</P><P>At present I have a ACL for redirecting traffic to the proxy. I have outbound ACL for all traffic allowed including the proxy and internal clients.</P><P>My understanding is in the outbound ACL I have to have a ACL for the client to be allowed to use HTTP and also the proxy to use HTTP. If I remove the client ACL it stops the client flow-through whether going through the proxy or not.</P><P>&nbsp;</P><P>Thanks<BR /><BR />Ed</P> Mon, 27 Apr 2015 14:50:20 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643309#M194699 edw 2015-04-27T14:50:20Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643310#M194700 <P>Thanks - could you clarify this a bit more ?</P><P>At present I have a ACL for redirecting traffic to the proxy. I have outbound ACL for all traffic allowed including the proxy and internal clients.</P><P>My understanding is in the outbound ACL I have to have a ACL for the client to be allowed to use HTTP and also the proxy to use HTTP. If I remove the client ACL it stops the client flow-through whether going through the proxy or not.</P><P>&nbsp;</P><P>Thanks<BR /><BR />Ed</P> Mon, 27 Apr 2015 14:51:46 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643310#M194700 edw 2015-04-27T14:51:46Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643311#M194701 <P>Thanks - could you clarify this a bit more ?</P><P>At present I have a ACL for redirecting traffic to the proxy. I have outbound ACL for all traffic allowed including the proxy and internal clients.</P><P>My understanding is in the outbound ACL I have to have a ACL for the client to be allowed to use HTTP and also the proxy to use HTTP. If I remove the client ACL it stops the client flow-through whether going through the proxy or not.</P><P>&nbsp;</P><P>Thanks<BR /><BR />Ed</P> Mon, 27 Apr 2015 14:54:13 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643311#M194701 edw 2015-04-27T14:54:13Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643312#M194702 <P>Hi,</P><P>I think the ACL you are pointing at is the ACL on the Inside interface.</P><P>I was recommending to put an acl on the Outside interface in the OUT direction and only allow the traffic out only from the source which is the IP address of the proxy.</P><P>So something like this:-</P><P>access-list wccp-fail-close permit tcp host &lt;wccp server ip&gt; any eq 443</P><P>access-list wccp-fail-close permit tcp host &lt;wccp server ip&gt; any eq 80</P><P>access-list wccp-fail-close deny tcp any any eq 443</P><P>access-list wccp-fail-close deny tcp any any eq 80</P><P>access-list wccp-fail-close permit ip any any</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Tue, 28 Apr 2015 04:17:28 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643312#M194702 Vibhor Amrodia 2015-04-28T04:17:28Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643313#M194703 <P>Thanks - sorry about the duplicate replies, my browser went nuts.</P><P>&nbsp;</P><P>My understanding for this is that I can only have one ACL per interface ? I currently have inbound ACLs on three interfaces. One per interface. Would I have to change my outside interface (internet facing) to have a ACL which is in the OUT direction and lose my IN direction ACL ?</P><P>Thanks</P><P><BR />Ed</P> Tue, 28 Apr 2015 13:12:47 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643313#M194703 edw 2015-04-28T13:12:47Z https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643314#M194704 <P>Hi,</P><P>This Outbound ACL that you are referring to is on which interface ? Inside ? Correct ?</P><P>I was recommending you an ACL in OUT direction on the outside interface where the connection will be sourced from the proxy IP to the internet.</P><P>If you have an ACL on the inside for the Outbound traffic , that would not affect the traffic or this workaround.</P><P>You can check the order in which the ACL are used using Packet Tracer:-</P><P>https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Tue, 28 Apr 2015 13:40:03 GMT https://community.cisco.com/t5/network-security/wccp-failure-packets-forwarded/m-p/2643314#M194704 Vibhor Amrodia 2015-04-28T13:40:03Z