08-02-2011 06:56 AM - edited 03-11-2019 02:06 PM
Hi all,
We are in the process of migrating from our old proxy server to an Ironport appliance. The Ironport device is located on the inside interface of the firewall.
The configuration is the following:
wccp 90 redirect-list HTTP-FILTER-ACL
wccp 120 redirect-list HTTPS-FILTER-ACL
wccp interface inside 90 redirect in
wccp interface inside 120 redirect in
access-list HTTP-FILTER-ACL extended deny ip any LSL-1st-FLOOR 255.0.0.0
access-list HTTP-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTP-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTP-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp LSL-1st-FLOOR 255.0.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list HTTPS-FILTER-ACL extended deny ip any LSL-1st-FLOOR 255.0.0.0
access-list HTTPS-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTPS-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTPS-FILTER-ACL extended deny tcp LSL-1st-FLOOR 255.255.255.0 host 82.116.222.1 eq https
access-list HTTPS-FILTER-ACL extended permit tcp LSL-1st-FLOOR 255.0.0.0 any eq https
access-list HTTPS-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list HTTPS-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq https
Everything works as expected.
Now we need to do that for our VPN users as well. Our VPN users were using a specific proxy server value in the VPN settings, like the following:
msie-proxy server value 192.168.0.216:8080
The question is: How can I make the VPN users get redirected via WCCP to the Ironport appliance? Note that the VPN users come from the internet (outside interface) and the Ironport devices are on the inside interface.
Thanks in advance.
P.S. Note that split tunnelling is a security issue and we do not recommend it.
08-02-2011 07:40 AM
Hi,
The only topology that the ASA supports is when client and cache engine are behind the same interface, therefore VPN is not supported.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html#wp1123521
Adam
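To make the point of the answer concrete against the ACLs posted above, here is an added example (not from the thread, Cisco, or the Ironport product) that evaluates the HTTP-FILTER-ACL redirect-list with first-match semantics and only for packets entering the interface the redirect is applied to. The VPN pool address 10.200.0.5, the destination 203.0.113.5 and the interface names are constructed, and the LSL-1st-FLOOR entries are left out because the thread never gives that object's address.

```python
import ipaddress

# Constructed subset of the thread's redirect-list (numeric entries only).
HTTP_FILTER_ACL = """
access-list HTTP-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTP-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTP-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq www
"""

PORT_NAMES = {"www": 80, "https": 443}


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | net mask); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            port = int(p) if p.isdigit() else PORT_NAMES[p]
        aces.append((action, proto, src, dst, port))
    return aces


def wccp_redirects(aces, ingress, src_ip, dst_ip, dst_port, proto="tcp"):
    """True if a flow entering `ingress` is redirected: redirect is applied 'in' on inside only,
    then the redirect-list is evaluated first-match (permit = redirect, deny = bypass)."""
    if ingress != "inside":          # VPN clients arrive on outside, so they never get here
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, src, dst, port in aces:
        if aproto not in ("ip", proto):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action == "permit"
    return False                     # implicit deny: no redirect


ACES = parse_acl(HTTP_FILTER_ACL)
```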
08-02-2011 10:56 PM
OK, thanks
04-10-2013 08:54 PM
Can't you force the VPN traffic to the inside interface?