WCCP "Whitelist" Redirect List Using FQDN?

jaksptr99
Level 1

Hi all,

I've tried to make a redirect list to some traffic from ASA to Websense. This is part of the configuration:

......

wccp 0 redirect-list REDIRECT_WCCP group-list WEBSENSE
wccp 70 redirect-list REDIRECT_WCCP group-list WEBSENSE
wccp interface inside 0 redirect in

......

access-list REDIRECT_WCCP remark AB
access-list REDIRECT_WCCP extended deny ip host 10.xxx.xxx.xxx any 
access-list REDIRECT_WCCP remark VPN
access-list REDIRECT_WCCP extended deny ip any host 211.xxx.xxx.xxx
access-list REDIRECT_WCCP remark PI
access-list REDIRECT_WCCP extended deny ip any host 117.xxx.xxx.xxx 

access-list REDIRECT_WCCP extended permit ip object guest-wireless any 
access-list REDIRECT_WCCP extended permit ip 10.xxx.xxx.xxx 255.255.254.0 any 
access-list REDIRECT_WCCP extended permit ip 10.xxx.xxx.xxx 255.255.255.0 any 
access-list REDIRECT_WCCP extended permit ip 10.xxx.xxx.xxx 255.255.254.0 any 
access-list REDIRECT_WCCP extended permit ip 10.xxx.xxx.xxx 255.255.254.0 any

 

.......

And here is the rough topology:

[Router]
      |
      |
[ASA]
      |
      |
[Distribution,Clients,etc] ---- [Websense]

 

From the configuration, it is working well with IP addresses. Note that the DENY means the packet is "Whitelisted" and will not be redirected by WCCP to Websense (WCCP will bypass certain traffic); otherwise the PERMIT means the packet will be redirected to Websense.

Now the PROBLEM is that we need to make the "Whitelist" work with FQDN/domain name, since we are connected with a domain that has dynamic IP addresses that change every time, and it will sometimes be inaccurate, hence time-consuming too.

Are there any ALTERNATIVES or a simple solution for this?

Any kind of references or help will be much appreciated.

Sincerely thank you for the help.

 

Jack.
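
Added example (not part of the original thread): a small Python model of the first-match behaviour described in the post above, where deny means bypass and permit means redirect, showing how a hand-entered host entry stops matching once the whitelisted service moves to a new address. The addresses are constructed documentation values, the function names are hypothetical, and only `any`, `host` and network/mask entries are handled (no `object` references).

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_acl(text, name):
    """Return ordered (action, src_net, dst_net) entries; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"] or t[4:5] != ["ip"]:
            continue
        src, rest = _take_addr(t[5:])
        dst, _ = _take_addr(rest)
        entries.append((t[3], src, dst))
    return entries

def wccp_decision(entries, src, dst):
    """First match wins: permit -> redirect, deny or no match -> bypass."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of the ACL

# Constructed sample: one whitelisted destination, one redirected client subnet.
SAMPLE_ACL = """\
access-list REDIRECT_WCCP remark vendor service, address resolved by hand
access-list REDIRECT_WCCP extended deny ip any host 198.51.100.10
access-list REDIRECT_WCCP extended permit ip 10.1.2.0 255.255.254.0 any
"""
ENTRIES = parse_acl(SAMPLE_ACL, "REDIRECT_WCCP")

if __name__ == "__main__":
    # Same client, same service: first at the listed address, then after it moved.
    for dst in ("198.51.100.10", "203.0.113.20"):
        print(dst, wccp_decision(ENTRIES, "10.1.2.50", dst))
```

The second destination stands for the same service after its address changed: the deny entry no longer matches, so the client's traffic falls through to the permit line and is redirected to the proxy again.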

Accepted Solution

Hi,

It is not supported and I don't think there can be any workaround for this issue on the ASA device.

Thanks and Regards,

Vibhor Amrodia

7 Replies

Vibhor Amrodia
Cisco Employee

Hi,

You would not be able to use FQDN-based ACLs with the WCCP redirect list.

Thanks and Regards,

Vibhor Amrodia

Thank you for your response. Unfortunately we need FQDN to resolve some domains for Office 360 and Microsoft Lync.

Do you have any other suggestion? Maybe like creating new rules or objects, or maybe minor tweaking in architecture or something?

 

Thank you.

Jack.

Hi,

It is not supported and I don't think there can be any workaround for this issue on the ASA device.

Thanks and Regards,

Vibhor Amrodia

OK Vibhor, after searching for some references, it is clear that this is not supported.

Thank you.

 

Jack.

Hi,

I apologize but this is not yet supported. I think this might be integrated in the ASA code but not sure about the timeline and the requirement for this feature.

Thanks and Regards,

Vibhor Amrodia

I'm having the same issues and want to define FQDN names in ACLs to whitelist o365 domains in WCCP ACL policy. I'm running WCCP on a C3850 IOS-XE 3.07.00E. I'm wondering if you can work with passthru-domain-list and apply it to the ACL WCCP policy in some way?

Not sure if you know but it appears to be working on my ASA.  I am running a 5512x with version 9.9.2(1)

But even just recently with this bug ID https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu26174/?rfs=iqvred it states still not supported. I recently set up some FQDN, not thinking, for a particular vendor we are having proxy issues with and it allowed me to create an object-group with FQDN and place that group in the ACL for WCCP...

 

 
