Bluecoat Proxy with Cisco ASA

psullivan1984
Level 1

I know this is a Cisco forum but a lot of talented people visit these sites and may hopefully be able to point me in the right direction.

We are trying to implement a new Bluecoat Proxy ASG running version. The intent is to use the same proxy for more than one security zone (inside and DMZ). The inside interface is configured with WCCP and is actively proxying traffic. We are attempting to set up the DMZ interface with a pass-through group. When we configure the proxy for a pass-through group, users cannot access the internet via 80 or 443, but they can ping, do DNS lookups, etc. When we did a packet capture on the firewall for the DMZ zone, the proxy was sourcing port 80 and 443 traffic from the IP address configured for the management interface. The firewall cannot route packets to the same IP on different interfaces, so it cannot correctly deliver the traffic. The really strange part is that the proxy is using the MAC address of the correct interface (the one connected to the DMZ interface of the pass-through group on the proxy). It is essentially forwarding from the correct MAC address but the incorrect IP address.


Looking for solutions to this problem if anyone has experience.

1 Reply

Philip D'Ath
VIP Alumni

I believe the ASA has to be layer 2 adjacent to the WCCP proxy for the interface being redirected.

So if you redirect the inside interface, the WCCP proxy needs to be on the inside interface. If you redirect the DMZ interface, the WCCP proxy needs to be on the DMZ interface.

If you redirected both, the proxy would need to be directly attached to both. But then that would mess up the routing on the proxy something terrible, as you could easily end up with non-symmetric paths through the ASA, breaking everything.
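As an added illustration of the two checks this thread turns on (the capture showing DMZ web traffic sourced from the proxy's management address, and the reply's rule that the WCCP proxy must be layer-2 adjacent to the redirected interface), the following Python is example code, not from the original post or from Bluecoat/Cisco; the interface subnets, addresses and capture records are constructed.

```python
import ipaddress

# Constructed topology (hypothetical values): the subnet behind each ASA interface.
INTERFACES = {
    "inside": "10.10.0.0/24",
    "dmz": "172.16.5.0/24",
}

# Constructed capture records as read off the ASA: (ingress interface,
# source IP, destination port; None for ICMP). The first two rows model the
# symptom in the thread: web traffic entering on dmz from an inside address.
CAPTURE = [
    ("dmz", "10.10.0.50", 80),
    ("dmz", "10.10.0.50", 443),
    ("dmz", "172.16.5.9", 53),
    ("dmz", "172.16.5.9", None),
    ("inside", "10.10.0.50", 80),
]


def on_ingress_subnet(ingress, src_ip, interfaces=INTERFACES):
    """True if src_ip belongs to the subnet of the interface it arrived on."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(interfaces[ingress])


def find_misrouted(capture=CAPTURE, interfaces=INTERFACES):
    """Return the (ingress, src_ip, port) records whose source address lives
    behind a different ASA interface; the firewall cannot deliver return
    traffic for these correctly, which is what broke 80/443 but not ping/DNS."""
    return [rec for rec in capture if not on_ingress_subnet(rec[0], rec[1], interfaces)]


def wccp_proxy_adjacent(redirect_iface, proxy_ip, interfaces=INTERFACES):
    """The reply's rule: the proxy address used for a WCCP redirect must sit
    on the same segment as the interface being redirected."""
    return on_ingress_subnet(redirect_iface, proxy_ip, interfaces)


if __name__ == "__main__":
    for rec in find_misrouted():
        print("off-subnet source:", rec)
    # Proxy registered with its inside/management address 10.10.0.50:
    print("redirect on inside OK:", wccp_proxy_adjacent("inside", "10.10.0.50"))
    print("redirect on dmz OK:", wccp_proxy_adjacent("dmz", "10.10.0.50"))
```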
