https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876792#M973322 <P>i want to configure a WCCP in my core router and I have an ASA firewall between my Router and my cache engines and it's preventing the WCCP traffice to go though what is the solutions for this ,,, thanks for your helping </P> Mon, 11 Mar 2019 11:28:18 GMT ralwarrag 2019-03-11T11:28:18Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876792#M973322 <P>i want to configure a WCCP in my core router and I have an ASA firewall between my Router and my cache engines and it's preventing the WCCP traffice to go though what is the solutions for this ,,, thanks for your helping </P> Mon, 11 Mar 2019 11:28:18 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876792#M973322 ralwarrag 2019-03-11T11:28:18Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876793#M973323 <HTML><HEAD></HEAD><BODY><P> You can't have a WCCP-enabled router and a Cache Engine be separated by a firewall. The firewall handles only packet traffic toward the origin web server and does not handle packet traffic sent to the client by the Cache Engine on behalf of the server.</P><P></P><P>Please check the below URL:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/app_ntwk_services/waas/acns/v50/configuration/local/guide/14587apB.html" target="_blank">http://www.cisco.com/en/US/docs/app_ntwk_services/waas/acns/v50/configuration/local/guide/14587apB.html</A></P><P></P><P>Regards,</P><P>Yassin</P><P></P><P></P></BODY></HTML> Wed, 24 Oct 2007 06:41:49 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876793#M973323 mahmoudyassin98 2007-10-24T06:41:49Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876794#M973324 <HTML><HEAD></HEAD><BODY><P>I also have the same issue, Client/WCCP router located on Pix inside and Bluecoat Proxy located on Pix outside, the Bluecoat proxy then connects to the Internet via a Checkpoint fw.</P><P></P><P>TAC have confirmed that this is a bug: CSCsk84801</P><P></P><P>When the Pix receives the WCCP/GRE packet from the WCCP router, it is stripping the GRE header and sending the http packet natively to the outside interface, and not forwarding the GRE packet to the Bluecoat proxy.</P><P></P><P>The WCCP/GRE behaviour has been confirmed as a definite bug and will be fixed in the next 7.2.3 interim release.</P><P></P><P>However, having seen Yassin's above link I have asked TAC to confirm if this scenario is supported. I can't see why a firewall can't succesfully pass WCCP packets.</P><P></P><P></P></BODY></HTML> Wed, 24 Oct 2007 14:33:56 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876794#M973324 russ 2007-10-24T14:33:56Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876795#M973325 <HTML><HEAD></HEAD><BODY><P>Thanks alot for your this information </P></BODY></HTML> Wed, 24 Oct 2007 18:57:00 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876795#M973325 ralwarrag 2007-10-24T18:57:00Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876796#M973326 <HTML><HEAD></HEAD><BODY><P>Here is an explanation from Cisco TAC regarding the issues of passing WCCP through a firewall:</P><P></P><P>I have confirmed with DE how wccp works. What happens is that the TCP session setup packets from from wccp router to the cache engine are encaps in GRE. The return packet (syn-ack) is not encapsulated in GRE. It will therefore be dropped by the firewall as we have not see the outgoing SYN (bacause it was GRE encaps'd). In order to permit asynchronous tcp connections through the pix, you will need to configure a static nailed statement. eg:</P><P></P><P>static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 norandomseq nailed</P><P></P><P>This wll cause the traffic matching the static to bypass the normal TCP packet and inspection processing. This is not ideal, but this is the only way to get this working as your customer requires. The bug fix CSCsk84801 is obviously therefore still required.</P><P></P><P></P><P>In my case, the static rule needs to be applied from outside to inside.</P><P></P><P>The bug will be fixed in v8.0.3 and v7.2.3.8.</P><P></P><P>Hope this helps.</P></BODY></HTML> Fri, 26 Oct 2007 10:36:28 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876796#M973326 russ 2007-10-26T10:36:28Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876797#M973327 <HTML><HEAD></HEAD><BODY><P>Thanks alot for your usefull information <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 26 Oct 2007 12:21:02 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876797#M973327 ralwarrag 2007-10-26T12:21:02Z https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876798#M973328 <HTML><HEAD></HEAD><BODY><P>Dear Russ </P><P>i have tried it but unfortunatly it didn't work i add static statmnet</P><P></P><P>static (outsidenet,dmznet) 1.1.1.1 [ip add of the router] 2.2.2.2 [ the ip address of the bluecoat] netmask 255.255.255.255 norandomseq nailed </P><P>and thanks alot for your helping <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sat, 27 Oct 2007 06:12:48 GMT https://community.cisco.com/t5/network-security/wccp-pass-through-asa/m-p/876798#M973328 ralwarrag 2007-10-27T06:12:48Z