https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653924#M558653 <HTML><HEAD></HEAD><BODY><P>No, that command has nothing to do with WCCP.</P><P></P><P>"same-security-traffic permit intra-interface" is to allow traffic to go in and out the same interface.</P><P>However, in your topology, you will need WCCP to transparent send the traffic to Websense.</P></BODY></HTML> Tue, 05 Apr 2011 05:03:58 GMT Jennifer Halim 2011-04-05T05:03:58Z https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653921#M558638 <P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">Hi All,</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">I have configured WCCP from websense (V10K appliance) on Cisco ASA 5520 (8.2.4 code)</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">My Websense interfaces are on the inside with IP 10.1.0.5 and 10.1.0.6. All the LAN users also come from the Inside interface. The users were using Proxy server (<EM>in their browsers) </EM>before the implementation of WebSense. Now to allow all the LAN users to send request to Websense interfaces we have to allow www and https from all LAN users towards any. In this case we will need to permit the full subnet like this on the inside.</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; "> </SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">Access-list ACL_INSIDE permit ip 10.0.0.0 255.0.0.0 any www</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">Access-list ACL_INSIDE permit ip 10.0.0.0 255.0.0.0 any https</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; "> </SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">Which we don’t want to.</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; "> </SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">When I did a packet trace I noticed that the ACL_Inside is evaluated first before the WCCP redirect that’s why permit in ACL_INSIDE is required. Is there any way we can evaluate WCCP redirect before inside ACL ? Packet tracer output is attached herewith.</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; ">OR is it the default behavior of firewall and i need to accomodate thorough some ACL tweek.</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 0pt;"><SPAN style="color: #0033cc; font-size: 12pt; font-family: Calibri; "> </SPAN></P> Mon, 11 Mar 2019 20:16:18 GMT https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653921#M558638 munawar.zeeshan 2019-03-11T20:16:18Z https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653922#M558646 <HTML><HEAD></HEAD><BODY><P>Yes, interface ACL will always be applied first and WCCP will come after once traffic has been permitted through the interface ACL. That is the default behaviour of the firewall as it will not allow WCCP to even happen if traffic is being denied on interface level ACL.</P><P></P><P>If you don't want access for some users at all towards the Internet, then you can configure deny above the permit ACL that you already have for the specific user IP Address.</P></BODY></HTML> Mon, 04 Apr 2011 09:16:19 GMT https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653922#M558646 Jennifer Halim 2011-04-04T09:16:19Z https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653923#M558650 <HTML><HEAD></HEAD><BODY><P>Will permitting Intra-interface same security level traffic might help in this case ?</P></BODY></HTML> Mon, 04 Apr 2011 12:56:52 GMT https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653923#M558650 munawar.zeeshan 2011-04-04T12:56:52Z https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653924#M558653 <HTML><HEAD></HEAD><BODY><P>No, that command has nothing to do with WCCP.</P><P></P><P>"same-security-traffic permit intra-interface" is to allow traffic to go in and out the same interface.</P><P>However, in your topology, you will need WCCP to transparent send the traffic to Websense.</P></BODY></HTML> Tue, 05 Apr 2011 05:03:58 GMT https://community.cisco.com/t5/network-security/wccp-on-cisco-firewall/m-p/1653924#M558653 Jennifer Halim 2011-04-05T05:03:58Z