https://community.cisco.com/t5/network-security/wccp-re-positioning-on-a-network/m-p/1313431#M786740 <P>We need some help in a discussion we are having about wccp and where it needs to be to work right. Also note that I have never done WCCP on the ASA yet so not sure if this will work. Here is the concept. </P><P></P><P>I-----RTR------ASA------CVPN3030</P><P> --- DMZ</P><P> --- DMZ2</P><P> --- Inside</P><P>Above is our current layout. Wccp resides internally on the inside interface on a router just after the ASA inside interface. It works fine for users on the inside network but misses the VPN users terminated on the ASA /3030 outside interface. Thus the problem at hand. WCCP misses these users because they validate the tunnel and then just go right out to the internet. </P><P>SO here are the solutions we have come up with,so far. Nothing in stone.</P><P>I----RTR---SW---ASA--- CVPN3030</P><P>This is the classical way that I can think of that will work placing the wccp at the new switch with an outside interface. This places the wccp server in harms way to be hacked, but will catch the VPN users. There is one other option but not sure it will work and this is where I need help.</P><P> I---RTR---ASA---MRG </P><P>Could I do the url redirect to this port on the firewall, catch the vpn users, and the users inside too? and then people can go out to the internet? This will semi protect the wccp server too right? Thanks.</P><P></P><P></P> Mon, 11 Mar 2019 16:32:09 GMT st9n6ow77 2019-03-11T16:32:09Z https://community.cisco.com/t5/network-security/wccp-re-positioning-on-a-network/m-p/1313431#M786740 <P>We need some help in a discussion we are having about wccp and where it needs to be to work right. Also note that I have never done WCCP on the ASA yet so not sure if this will work. Here is the concept. </P><P></P><P>I-----RTR------ASA------CVPN3030</P><P> --- DMZ</P><P> --- DMZ2</P><P> --- Inside</P><P>Above is our current layout. Wccp resides internally on the inside interface on a router just after the ASA inside interface. It works fine for users on the inside network but misses the VPN users terminated on the ASA /3030 outside interface. Thus the problem at hand. WCCP misses these users because they validate the tunnel and then just go right out to the internet. </P><P>SO here are the solutions we have come up with,so far. Nothing in stone.</P><P>I----RTR---SW---ASA--- CVPN3030</P><P>This is the classical way that I can think of that will work placing the wccp at the new switch with an outside interface. This places the wccp server in harms way to be hacked, but will catch the VPN users. There is one other option but not sure it will work and this is where I need help.</P><P> I---RTR---ASA---MRG </P><P>Could I do the url redirect to this port on the firewall, catch the vpn users, and the users inside too? and then people can go out to the internet? This will semi protect the wccp server too right? Thanks.</P><P></P><P></P> Mon, 11 Mar 2019 16:32:09 GMT https://community.cisco.com/t5/network-security/wccp-re-positioning-on-a-network/m-p/1313431#M786740 st9n6ow77 2019-03-11T16:32:09Z https://community.cisco.com/t5/network-security/wccp-re-positioning-on-a-network/m-p/1313432#M786766 <HTML><HEAD></HEAD><BODY><P>You can configure wccp on the ASA and this WILL cover the users who U-Turn off the ASA and go out to the internet in addition to all the users who are already on the inside.</P><P></P><P>WCCP---(inside)ASA(ouside)---Internet--VPN_clients.</P><P></P><P>Here is the documentation link to configure WCCP on the ASA.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094628" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094628</A></P></BODY></HTML> Wed, 28 Oct 2009 03:56:52 GMT https://community.cisco.com/t5/network-security/wccp-re-positioning-on-a-network/m-p/1313432#M786766 Kureli Sankar 2009-10-28T03:56:52Z