topic ASA WCCP From Multiple Interfaces in Network Security

ASA WCCP From Multiple Interfaces

rmeans — Mon, 11 Mar 2019 19:10:34 GMT

I use WCCP to interact with my IronPort web filter. Currently my WSA (web filter) sits on my inside network. WCCP is configured to redirect inside traffic to the WSA off of the inside interface. It is my understanding that my ASA (8.2) can not redirect web traffic coming into the DMZ interface to the WCCP device (WSA) off of the inside interface. I have been told by a sales rep that ASA 8.3 now supports this. I have not been able to find any Cisco documentation.

Anyone familiar or have tested this.

Thanks

Re: ASA WCCP From Multiple Interfaces

praprama — Wed, 17 Nov 2010 16:11:31 GMT

Hi,

The documentation can be found below:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/wccp.html#wp1113990

The behavior seems to be still the same.

Cheers,

Prapanch

Re: ASA WCCP From Multiple Interfaces

jan.nielsen — Wed, 17 Nov 2010 17:21:39 GMT

As far as i know the problem, is not the ASA not being able to send the traffic to the Ironport, but the fact that most people are using both L2 and L3 spoofing on the Ironport. When i had this issue, i sniffed it, and it looks like the source mac/ip is coming from the interface where the Ironport is, which the ASA of course won't allow. My solution was to only use wccp for traffic coming from the same interface as the Ironport is on in the ASA.

Re: ASA WCCP From Multiple Interfaces

Panos Kampanakis — Wed, 17 Nov 2010 21:21:47 GMT

To answer your question, even in 8.3 "WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.".

In other words, the WCCP engine talks directly to the host computer and that is why it would need to be L2 adjacent.

I hope it helps.

ASA WCCP From Multiple Interfaces

karlchatterton — Mon, 28 Jan 2013 15:50:50 GMT

Hi Guys,

I got around this issue by configuring my Ironport interface as a dot1q trunk and giving it a L3 interface in each vlan. I then can re-direct on each ASA interface.

Thanks

ASA WCCP From Multiple Interfaces

scottyd — Wed, 06 Mar 2013 12:16:45 GMT

Karl,

Can I ask how did you setup multiple Group Lists using the web-cache service. I try to add another web-cache service group and it will not allow me as web-cache is in use on the first interface.

The error I get is "The service group web-cache already exisits"

I presume that I need to set up a second group with the additional IP address of the Ironports, since it needs to be layer two adjacent to the client.

Regards,

Scott

ASA WCCP From Multiple Interfaces

karlchatterton — Mon, 11 Mar 2013 11:45:22 GMT

Hi Scott,

I configured the WCCP on the ASA as follows.

access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.3.0 255.255.255.0 any eq www

wccp web-cache redirect-list wccp-traffic group-list ironport

wccp interface VLAN-1 web-cache redirect in
wccp interface VLAN-2 web-cache redirect in
wccp interface VLAN-3 web-cache redirect in

The WCCP web-cache is enabled on each interface and the ironport is configured as a do1q trunk with an IP interface in each vlan.

Hope this helps.

Thanks

ASA WCCP From Multiple Interfaces

scottyd — Mon, 11 Mar 2013 20:12:00 GMT

Thanks Karl,

How do you have your routing set up on the Iron Port on each interface. Do you just have one with a default GW and it uses that for both WCCP interfaces to driect traffic? Or do you use a seperate interface?

Regards,

Scott

Regards,

Scott

ASA WCCP From Multiple Interfaces

karlchatterton — Tue, 12 Mar 2013 09:06:09 GMT

Scott,

I have one default route on my management interface. In my case this is vlan2. You can only manage the ironport on one interface and this needs to be untagged on your trunk port to the switch. So in my case I made vlan 2 the native vlan for the trunk to the ironport as this was the interface I wanted to use for management.

This is the same interface as I send my redirect traffic too in the access-list "ironport" above.

The Ironport effectively has 2 connected networks and one default route.

Thanks

ASA WCCP From Multiple Interfaces

scottyd — Tue, 12 Mar 2013 09:14:41 GMT

Thanks Karl,

Great, we are on track. Since you seem pretty knowlegable about this subject and I am pretty new, one more question...I see that you are only pushing HTTP through to the IronPort. We are inspecting both 80 and 443, but have come accross problems with some sites being broken by the inspection or loss of filtering of certain URLs if we just pass them through, with transparent proxy.

Do you inspect HTTPS?

Regards,

Scott

ASA WCCP From Multiple Interfaces

karlchatterton — Tue, 12 Mar 2013 09:29:15 GMT

My customer is currently testing HTTPS inspection by only redirecting for the IP address of one user. I know they were having different experiences with different browsers etc. They are only using self signed certificate on the ironport which means you get cert errors in some cases.

Sorry I'm not able to provide much more help on HTTPS inspection.

ASA WCCP From Multiple Interfaces

scottyd — Tue, 12 Mar 2013 09:49:34 GMT

Yes, we are seeing some issue also. We have deployed the cert via group policy and for the most part it is working for explicit mode. But it does seem to be a problem in transparent mode. Especially when you want to roll it out in a BYOD scenario, where you do not have control over the end device.

Thanks anyway.

Hi Karlchatterton, I don't

Herlander Stock — Fri, 23 Jan 2015 20:42:59 GMT

Hi Karlchatterton,

I don't quite undestand this point when you said that you have your ironport configured as dot1q trunk.

I have S170 using M1 for management and sending data, I don't where on the WSA configuration an option to do the trunk or dot1q. You can trunk the interface port on the switch, I have my ASA with VLANs on each IP (ex. nameif inside and wireless) those two have different IP, but when I do the second redirection and the wireless users can't surfe the web. and found this on Cisco Website "

Enabling WCCP Redirection

WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.

On your setting does the WSA have multiple IP address? how you set it up?

thanks

Not to revive a dead post

wsladekjr — Thu, 01 Dec 2016 13:51:10 GMT

Not to revive a dead post from six years ago but this is the top result when searching for ASA, WCCP and multiple interfaces.

So here's how to configure WCCP on multiple interfaces using ASA 9.6(1), Squid 3.5.19, and RHEL 6 with everything persisting after reboot. You only need one GRE tunnel between Squid and the ASA, however the Squid box needs to have a NIC on each VLAN as others have indicated.

One key note - the ASA uses it's highest IP for the router ID and that cannot be changed. To prevent potential issues and confusion I created a dummy wccp interface but in most cases you can probably just use the default highest.

Network Info
ASA inside: 192.168.1.1
ASA dmz: 192.168.2.1
ASA wccp: 192.168.99.1 ("dummy" iface... not really used)
Squid inside: 192.168.1.2
Squid dmz: 192.168.2.2

ASA Config

access-list wccp-servers extended permit ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.2.2 any
access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended deny ip any any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
wccp interface dmz web-cache redirect in

Squid
/etc/squid/squid.conf

wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

iptables
/etc/sysconfig/iptables on RHEL based systems

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
COMMIT

RHEL WCCP/GRE tunnel config
/etc/sysconfig/network-scripts/ifcfg-wccp0 (again - RHEL based systems)

DEVICE="wccp0"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="GRE"
LOCAL_DEVICE="bond0"
PEER_OUTER_IPADDR="192.168.99.1"
PEER_INNER_IPADDR="192.168.99.1"
MY_OUTER_IPADDR="192.168.1.2"
MY_INNER_IPADDR="192.168.1.2"
USERCTL="no"
IPV6INIT="no"
IPV6_AUTOCONF="no"

Kernel params
/etc/sysctl.conf (RHEL!!!)

net.ipv4.ip_forward = 1
net.ipv4.conf.bond0.rp_filter = 0
net.ipv4.conf.bond1.rp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Reboot for kernel changes to take effect (this can also be done via the /proc filesystem and no reboot, if necessary).

Re: ASA WCCP From Multiple Interfaces

Tom Foucha — Wed, 06 Sep 2017 03:03:22 GMT

Unless something has changed in the last year or so and it is possible, you could configure the WSA to use 802.1q VLAN interfaces and they would synch with WCCP on the ASA off the physical inside interface and sub-interfaces however there was an issue where the physical interface on the ASA would grab all available buckets and never redirect traffic to the sub-interfaces. If you've made this work I'd certainly love to see the configuration as we ended up working around this issue using PBR on the later releases of ASA.

Re: ASA WCCP From Multiple Interfaces

alextomko — Mon, 19 Aug 2019 19:43:06 GMT

I cannot get this working either, the first working service ID grabs all the buckets and the second service ID that registers will not get a hash allotment nor any buckets. Can you explain what you did with PBR to to get this to work? I have multiple DMZ's with Cisco WSA tagged to each DMZ that I want to redirect for but can only get one wccp service ID per firewall context to work.

Re: ASA WCCP From Multiple Interfaces

alextomko — Mon, 19 Aug 2019 19:43:40 GMT

cannot get this working either, the first working service ID grabs all the buckets and the second service ID that registers will not get a hash allotment nor any buckets. Can you explain what you did with PBR to to get this to work? I have multiple DMZ's with Cisco WSA tagged to each DMZ that I want to redirect for but can only get one wccp service ID per firewall context to work.

Re: ASA WCCP From Multiple Interfaces

Tom Foucha — Wed, 21 Aug 2019 17:42:24 GMT

What you are seeing is correct the first bucket grabs everything and doesn't allow traffic to be distributed to other service ID's. Using PBR to overcome this is what we came up with for this type of deployment.

Re: ASA WCCP From Multiple Interfaces

alextomko — Wed, 21 Aug 2019 17:58:20 GMT

This looks like a good solution for context a, then now my context b and context c for example which are already working with wccp from a single interface. I suppose I also have to do the same setup on the other contexts now using PBR and cannot use the wccp from anywhere else. So for pointing the PBR to the WSA now, can the route-map be pointed back out the Inside interface, or the same Interface where the traffic is coming from, as in the example you show, you have it on a separate interface of DMZ for the WSA's proxy IP.