Can someone help clarify some things? I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not available then I want to redirect it to another "backup" proxy, but when looking at the WCCP settings in ASDM and the CLI commands I don't see where you configure a second address to redirect to. How does this failover actually work?
Great, that explains it, thanks. From what I'm reading about the ASA WCCP implementation, the client and the "proxy" have to both be reachable on the same interface as WCCP. You can't redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct?
In this case what if the "proxy" is on another vlan that is still on the same interface, is that ok?
What if the "proxy" is on another subnet, maybe even a different location? Is it still ok provided that it is reached via the same interface the original request was received on?
Also one more thing: I read that there has to be a rule permitting the traffic for WCCP to intercept it. Is that correct? So that would mean if I want to redirect all traffic from host A out to the internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host but there must also be a rule saying Host A on ANY port has a permit to the internet? That seems risky to me, if your "proxy" goes down won't it just then allow the traffic out? I would not want that.
Same interface in this case means same instance of interface (as seen in "show nameif").
You are also correct on the ACL issue. ACLs ARE processed before WCCP.
An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic is not redirected to a cache engine. Both ingress interface access lists and egress interface access lists are applied.
But that actually helps you address a situation where users could access internet without WCCP present.
On the outside interface in egress direction you can DENY any tcp/80 traffic unless it's coming from one of the proxies.
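The arrangement described in the replies above, as an added example that is not part of the original thread. Interface names, ACL names and all addresses are constructed, and it assumes ASA 8.3 or later, where interface ACLs match real (pre-NAT) source addresses.

```cisco
! Constructed addressing: clients in 10.10.10.0/24, proxies 10.10.20.11 and
! 10.10.20.12, all reached through the interface named "inside".

! 1. Ingress ACL on inside. It is evaluated before WCCP, so client HTTP must be
!    permitted here or it is never redirected. The proxies are permitted so
!    they can fetch content on behalf of the clients.
access-list INSIDE_IN extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp host 10.10.20.11 any eq www
access-list INSIDE_IN extended permit tcp host 10.10.20.12 any eq www
access-group INSIDE_IN in interface inside

! 2. WCCP redirection of client HTTP arriving on inside.
access-list WCCP_REDIRECT extended permit tcp 10.10.10.0 255.255.255.0 any eq www
wccp web-cache redirect-list WCCP_REDIRECT
wccp interface inside web-cache redirect in

! 3. Egress ACL on outside. Only the proxies may leave on tcp/80, so client
!    HTTP that was permitted in step 1 but not redirected is dropped here
!    instead of going out directly.
access-list OUTSIDE_OUT extended permit tcp host 10.10.20.11 any eq www
access-list OUTSIDE_OUT extended permit tcp host 10.10.20.12 any eq www
access-list OUTSIDE_OUT extended deny tcp any any eq www
! Explicit permit so non-HTTP traffic is not caught by the implicit deny.
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
```

Hit counts on the deny entry in `show access-list OUTSIDE_OUT` indicate client HTTP that reached the outside interface without passing through a proxy.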