Showing results for 
Search instead for 
Did you mean: 




I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:

Eth 0/0 : Outside (to internet)

Eth 0/1 : Vlan1 ( (trunk port to remote office LAN)

Eth 0/1.211 : Vlan211 (

Eth 0/1.212 : Vlan212 (

Eth 0/1.220 : Vlan220 (

Eth 0/2 : WAAS (

I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.

I get this error message:

3 Feb 12 2007 17:54:05 305006 portmap translation creation failed for icmp src WAAS: dst LAN: (type 8, code 0)

How can I fix this?

My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:

wccp 61 redirect-list WCCP_To_LAN

wccp 62 redirect-list WCCP_To_WAN

wccp interface outside 62 redirect in

wccp interface LAN 61 redirect in

access-list WCCP_To_LAN extended permit ip any

access-list WCCP_To_WAN extended permit ip any

I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?



9 Replies 9



I did a WAAS deployment last year, the edge routers however were 6500s but the theory should be the same. After many discussions with Cisco SE's I was advised to used redirect lists with WCCP to only match the traffic from selected host subnets going to specific servers, this way you could be sure you were only matching the traffic you wanted, in our case we were trying to prove CIFS optimisation. Because your matching from a host subnet to a server and vice versa it was easier.

ip wccp 61 redirect-list Permit_WCCP_interception

ip wccp 62 redirect-list Permit_WCCP_interception



interface GigabitEthernet1/10

description MPLS Link

ip address

ip wccp 61 redirect in

ip wccp 62 redirect out

speed 100

duplex full

mls qos trust dscp


interface Vlan100

description WAE_vlan

ip address

ip wccp redirect exclude in


ip access-list extended Permit_WCCP_interception

permit tcp host

permit tcp host

deny ip any any

Here you can see we had a redirect in and redirect out on the link into the MPLS cloud, and a redirect exlude in on the VLAN with the WAE in at the remote site. This was essentially replicated at both ends, with the topology being a pair of 6500s at the core and a single 6500 at the edge. The server VLANs in the core have no redirects as its all picked up inbound and outbound on the WAN link, likewise at the remote end.

This probably goes against everything in the documentation, but after lots of pain it worked! With this configuration though you have to identify all traffic flows and for all protocols you want to configure.

Hope its of some help,


Hello Mark,

Thanks for your response. Your config is correct but ASA doesn't provide many options. For instance there is 'redirect out' and 'exclude in'. So the options are really limited.

WCCP is easy to implement on a router but we are trying to implement it on a ASA as an alternative.


Cisco Employee
Cisco Employee