WCCP on ASA

ankit_parikh
Beginner

Hello,

I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:

Eth 0/0 : Outside (to internet)

Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)

Eth 0/1.211 : Vlan211 (20.21.10.0/24)

Eth 0/1.212 : Vlan212 (20.21.20.0/24)

Eth 0/1.220 : Vlan220 (20.22.0.0/16)

Eth 0/2 : WAAS (20.21.30.0/24)

I have the site-to-site tunnel working. I can ping the WAAS device from the other end of the tunnel, but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on the same security level, as WAAS and LAN have the same security level.

I get this error message:

3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)

How can I fix this?

My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:

wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any

I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets, but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid a loop?

Thanks

Ankit
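Added example, not part of the original thread: a Python check of which flows the two redirect lists in the post above permit, using first-match ACL evaluation. The WAE and LAN host addresses come from the post's log line, 192.0.2.10 is a constructed remote-site address, and the function names are hypothetical; the check only evaluates the ACL entries and does not model the ASA's per-interface redirect behaviour.

```python
import ipaddress

# Redirect-list entries copied from the post above.
ACES = [
    "access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0",
    "access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any",
]

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A netmask'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_ace(line):
    """Return (acl_name, action, source_net, dest_net) for an 'ip' entry."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    rest = tok[5:]
    src = _addr(rest)
    dst = _addr(rest)
    return tok[1], tok[3], src, dst

def acls_permitting(src_ip, dst_ip, aces=ACES):
    """Names of ACLs whose first matching entry permits the flow src -> dst."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    decided = {}  # ACL name -> action of its first matching entry
    for line in aces:
        name, action, s_net, d_net = parse_ace(line)
        if name not in decided and src in s_net and dst in d_net:
            decided[name] = action
    return [n for n, a in decided.items() if a == "permit"]

if __name__ == "__main__":
    WAE, LAN_HOST = "20.21.30.230", "20.20.10.101"  # from the post's log line
    REMOTE = "192.0.2.10"                           # constructed address
    for s, d in [(WAE, LAN_HOST), (LAN_HOST, REMOTE), (REMOTE, WAE)]:
        print(f"{s} -> {d}: {acls_permitting(s, d) or 'no redirect list'}")
```

The mask 255.252.0.0 spans 20.20.0.0 through 20.23.255.255, so the WAAS subnet 20.21.30.0/24 falls inside both redirect lists: traffic sourced from or destined to the WAE itself matches them.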

9 Replies

mark.duffy
Beginner

Hi

I did a WAAS deployment last year; the edge routers, however, were 6500s, but the theory should be the same. After many discussions with Cisco SEs I was advised to use redirect lists with WCCP to only match the traffic from selected host subnets going to specific servers. This way you could be sure you were only matching the traffic you wanted; in our case we were trying to prove CIFS optimisation. Because you're matching from a host subnet to a server and vice versa, it was easier.

ip wccp 61 redirect-list Permit_WCCP_interception
ip wccp 62 redirect-list Permit_WCCP_interception
!
!
interface GigabitEthernet1/10
 description MPLS Link
 ip address 10.1.1.254 255.255.255.252
 ip wccp 61 redirect in
 ip wccp 62 redirect out
 speed 100
 duplex full
 mls qos trust dscp
!
interface Vlan100
 description WAE_vlan
 ip address 192.168.1.255 255.255.255.0
 ip wccp redirect exclude in
!
ip access-list extended Permit_WCCP_interception
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.10.27
 permit tcp host 192.168.10.27 192.168.100.0 0.0.0.255
 deny ip any any

Here you can see we had a redirect in and redirect out on the link into the MPLS cloud, and a redirect exclude in on the VLAN with the WAE in at the remote site. This was essentially replicated at both ends, with the topology being a pair of 6500s at the core and a single 6500 at the edge. The server VLANs in the core have no redirects as it's all picked up inbound and outbound on the WAN link, likewise at the remote end.

This probably goes against everything in the documentation, but after lots of pain it worked! With this configuration though you have to identify all traffic flows and for all protocols you want to configure.

Hope it's of some help,

Mark

Hello Mark,

Thanks for your response. Your config is correct but ASA doesn't provide many options. For instance there is 'redirect out' and 'exclude in'. So the options are really limited.

WCCP is easy to implement on a router, but we are trying to implement it on an ASA as an alternative.

Ankit

ravi_mishra
Cisco Employee