
WCCP - HTTPS Redirection

spencermoore
Level 1

Hello, everyone. Need some assistance with WCCP HTTPS redirection. I've applied the configurations, but it seems the ASA isn't redirecting any HTTPS traffic. I've confirmed with the web-filter support personnel that the traffic never arrives at the appliance. Web-cache (port 80) is working without issue. After generating traffic from a test machine I do not see the ACL counters increment. Any help would be much appreciated!!

asa912-smp-k8.bin / ASA5515x

Config:

wccp web-cache redirect-list WCCP_REDIRECT_HTTP group-list WCCP_GROUP
wccp 70 redirect-list WCCP_REDIRECT_HTTPS group-list WCCP_GROUP
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

Show:


Global WCCP information:
Router information:
Router Identifier: 192.168.254.1
Protocol Version: 2.0

Service Identifier: 70
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WCCP_REDIRECT_HTTPS
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: WCCP_GROUP
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

WCCP Routers Informed of:
-none-

WCCP Cache Engines Visible:
-none-

WCCP Cache Engines NOT Visible:
-none-

2 Replies

Francesco Molino
VIP Alumni

Hi

Could you give more information, please?

Are the web cache server and clients behind the same interface of the ASA? Otherwise it will never work. I mean, if the inside ASA interface is on the network 192.168.0.0/24, the web cache server and clients must be on the same segment.

If you are respecting this prerequisite, the config looks like the one below:

ACL for classifying all web cache servers:

access-list wccp-srv permit ip host 192.168.x.x any ==> web cache server ip

ACL for traffic that needs to be redirected:

access-list wccp-clients permit tcp 192.168.x.0 255.255.255.0 any eq 443 ==> you want to redirect only https traffic

Enable wccp:

wccp web-cache group-list wccp-srv redirect-list wccp-clients

Redirect traffic on the inside:

wccp interface inside web-cache redirect in

Could you compare your config with this template?

Hope this is clear.

You can also use a service-id; take a look at:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

Thanks.

PS: please don't forget to rate and mark as correct answer if this solved your issue.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Kias
Level 1

Hi,

ACL:

access-list wccp-http extended deny ip host <wccp server ip> any
access-list wccp-http extended permit tcp object-group <LAN subnet> any eq www
access-list wccp-https extended deny ip host <wccp server ip> any
access-list wccp-https extended permit tcp object-group <LAN subnet> any eq https
access-list wccp-server extended permit ip host <wccp server ip> any

The ACL is built for http, https and wccp-server as above. This configuration works for us.

Have you checked the traffic on the WCCP server interface (GRE) for any https traffic using tcpdump/ngrep?

If you can't see the traffic, it could be a router identifier issue on the ASA or firewall settings on the wccp-server.

Kindly advise.

Regards,

Kias

Kias
Fonicom Limited
raiseaticket Malta
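
The `show wccp` output in the question reports zero cache engines and zero routers for service 70. As an added example (not part of any post in this thread), this Python script parses that kind of output and flags service groups that have no registered cache engine, using the counters to point at the area to check. The web-cache section and its counter values in the sample are constructed for contrast; the function names are hypothetical.

```python
import re

# Constructed sample: the service 70 fields as posted in the question, plus a
# made-up healthy web-cache section (its counter values are invented).
SAMPLE = """\
Global WCCP information:
Router information:
Router Identifier: 192.168.254.1
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 1532
Redirect access-list: WCCP_REDIRECT_HTTP

Service Identifier: 70
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WCCP_REDIRECT_HTTPS
Total Messages Denied to Group: 0
Total Authentication failures: 0
"""

def parse_show_wccp(text):
    """Return {service_id: {field: value}} from `show wccp` style output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*)?$", line)
        if not m:
            continue  # blank lines and "-none-" markers carry no field
        key, value = m.group(1).strip(), (m.group(2) or "").strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None and value:
            current[key] = value
    return services

def diagnose(services):
    """Map each service with no cache engine to the most likely area to check."""
    findings = {}
    for sid, f in services.items():
        if int(f.get("Number of Cache Engines", "0")) > 0:
            continue  # a cache engine has joined this service group
        if int(f.get("Total Messages Denied to Group", "0")) > 0:
            findings[sid] = "cache engine rejected by the group-list ACL"
        elif int(f.get("Total Authentication failures", "0")) > 0:
            findings[sid] = "WCCP password mismatch"
        else:
            findings[sid] = "no cache engine has registered for this service ID"
    return findings
```

With all counters at zero, as in the posted output, the result points at the cache engine side: nothing has registered for service 70 on the ASA, so there is no one to redirect HTTPS traffic to.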