11-01-2012 09:36 AM - edited 03-11-2019 05:17 PM
I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and a Barracuda Webfilter 410 Vx appliance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is running firmware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping each other. The ASA has several interfaces: outside, inside, data and dmz. The PCs and Barracuda appliance are behind the data interface.
ASA data IP: 172.16.18.1
Barracuda IP: 172.16.18.40
All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
Below are the respective bits of my ASA config:
interface GigabitEthernet0/0
 description Management
 speed 1000
 duplex full
 nameif Inside
 security-level 100
 ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.20
 description Data
 vlan 20
 nameif data
 security-level 50
 ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2
!
access-list wccp-servers permit ip host 172.16.18.40 any
access-list wccp-traffic permit ip 172.16.18.0 255.255.255.0 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface data web-cache redirect in

sh wccp
Global WCCP information:
    Router information:
        Router Identifier: 172.21.20.1
        Protocol Version: 2.0
    Service Identifier: web-cache
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 602
        Redirect access-list: wccp-traffic
        Total Connections Denied Redirect: 0
        Total Packets Unassigned: 115
        Group access-list: wccp-servers
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0
WCCP interface configuration:
    GigabitEthernet0/1.20
        Output services: 0
        Input services: 1
        Mcast services: 0
        Exclude In: FALSE

I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1, which is my inside network, and the Barracuda cannot communicate with it. Any ideas as to how I can get this working?
11-01-2012 10:46 AM
Hello Phillipe,
Yes, you nailed it down.
With this setup the ASA is going to generate a Router ID and, just like OSPF, it is going to use the higher IP. In this scenario it should use the interface where the IronPort is. But sometimes the higher is the outside interface (the public one), so we are going to have an issue and there is no solution. The IronPort servers can handle this. Servers other than those cannot.
Just like OSPF, it is going to use the higher IP as the Router Identifier, so when it sends the packets to the server it is going to send them with the wrong IP.
Regards
11-01-2012 11:19 AM
That's what I feared, there is no way to force the router ID on the ASA?
11-01-2012 11:37 AM
Hello Phillippe,
Exactly, no way. Sorry to inform you of that.
Regards,
Julio
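
The router ID behaviour discussed in the replies above, as an added example that is not part of any poster's message and not Cisco code: it parses the interface lines from the posted config (trimmed), predicts the router ID as the highest interface IP, and flags when that address sits on a different interface than the one doing WCCP redirection. The function names are hypothetical, and only the interfaces shown in the post are considered.

```python
import ipaddress
import re

# Interface and WCCP lines taken from the config posted in this thread (trimmed).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif Inside
 ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2
!
interface GigabitEthernet0/1
 no nameif
 no ip address
!
interface GigabitEthernet0/1.20
 nameif data
 ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2
!
wccp interface data web-cache redirect in
"""

def interface_addresses(config):
    """Map each nameif to its address and mask as an ip_interface."""
    result, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new block, nameif not seen yet
        elif m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and name:
            result[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def audit_wccp(config, cache_ip):
    """Assumes router ID = highest interface IP, as described in the thread."""
    addrs = interface_addresses(config)
    rid_if, rid = max(addrs.items(), key=lambda kv: kv[1].ip)
    wccp_if = re.search(r"^wccp interface (\S+) ", config, re.M).group(1)
    cache = ipaddress.ip_address(cache_ip)
    return {
        "router_id": str(rid.ip),
        "router_id_interface": rid_if,
        "wccp_interface": wccp_if,
        "cache_on_wccp_subnet": cache in addrs[wccp_if].network,
        "mismatch": rid_if != wccp_if,       # cache engine sees an ID on another interface
    }

if __name__ == "__main__":
    print(audit_wccp(ASA_CONFIG, "172.16.18.40"))
```

For the posted config this predicts the same Router Identifier that `sh wccp` reports, 172.21.20.1 on the Inside interface, while the Barracuda sits on the data subnet.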