ASA WCCP Configuration with Barracuda Web Filter

support
Level 1

I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barracuda Webfilter 410 Vx appliance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is running firmware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping each other. The ASA has several interfaces: outside, inside, data and dmz. The PCs and Barracuda appliance are behind the data interface.

ASA data IP 172.16.18.1
Barracuda IP 172.16.18.40

All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.

Below are the respective bits of my ASA config

interface GigabitEthernet0/0
 description Management
 speed 1000
 duplex full
 nameif Inside
 security-level 100
 ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.20
 description  Data
 vlan 20
 nameif data
 security-level 50
 ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2

access-list wccp-servers permit ip host 172.16.18.40 any
access-list wccp-traffic permit ip 172.16.18.0 255.255.255.0 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface data web-cache redirect in

sh wccp

Global WCCP information:
Router information:
Router Identifier: 172.21.20.1
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 602
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 115
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

WCCP interface configuration:
GigabitEthernet0/1.20
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE

I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1, which is my inside network, and the Barracuda cannot communicate with it. Any ideas as to how I can get this working?


Julio Carvajal
VIP Alumni

Hello Phillipe,

Yes, you nailed it down.

With this setup the ASA is going to generate a Router ID and, just like OSPF, it is going to use the highest IP. In these scenarios it should use the interface where the IronPort is. But sometimes the highest is the outside interface (the public one), so we are going to have an issue and there is no solution. The IronPort servers can handle this. Servers other than those cannot.

Just like OSPF, it is going to use the highest IP as the Router Identifier, so when it sends the packets to the server it is going to send them with the wrong IP.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
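
The diagnosis above as an added example, not part of the original thread: a Python check that reads an ASA configuration and `sh wccp` output and reports whether the Router Identifier belongs to the interface facing the cache engine. The sample input is trimmed from the question, the function names are made up for this example, and the "highest interface IP" rule is taken from the reply.

```python
import ipaddress
import re

# Constructed sample: trimmed from the configuration and "sh wccp" output in the question.
CONFIG = """\
interface GigabitEthernet0/0
 nameif Inside
 ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2
interface GigabitEthernet0/1.20
 nameif data
 ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2
access-list wccp-servers permit ip host 172.16.18.40 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface data web-cache redirect in
"""
SHOW_WCCP = "Router Identifier: 172.21.20.1\nProtocol Version: 2.0\n"

def interfaces(config):
    """Map nameif -> IPv4Interface for every named, addressed interface."""
    found, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None  # new interface block; forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and name:
            found[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return found

def check_router_id(config, show_wccp):
    """Compare the WCCP router ID with the interface that faces the cache."""
    ifs = interfaces(config)
    rid = ipaddress.ip_address(re.search(r"Router Identifier: (\S+)", show_wccp)[1])
    group = re.search(r"group-list (\S+)", config)[1]
    cache = ipaddress.ip_address(
        re.search(rf"access-list {re.escape(group)} permit ip host (\S+)", config)[1])
    highest = max(ifs, key=lambda n: ifs[n].ip)  # rule stated in the reply
    facing = [n for n, i in ifs.items() if cache in i.network]
    return {
        "router_id": str(rid),
        "router_id_interface": highest if ifs[highest].ip == rid else None,
        "cache_facing_interface": facing[0] if facing else None,
        "mismatch": not facing or ifs[facing[0]].ip != rid,
    }

if __name__ == "__main__":
    print(check_router_id(CONFIG, SHOW_WCCP))
```

Running this kind of check on a configuration before deploying WCCP shows in advance whether the interface with the highest address is the one the cache engine sits behind.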

That's what I feared. There is no way to force the router ID on the ASA?

Hello Phillippe,

Exactly, no way. Sorry to inform you of that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC