ASA WCCP From Multiple Interfaces

rmeans
Level 3

I use WCCP to interact with my IronPort web filter.  Currently my WSA (web filter) sits on my inside network.  WCCP is configured to redirect inside traffic to the WSA off of the inside interface.  It is my understanding that my ASA (8.2) can not redirect web traffic coming into the DMZ interface to the WCCP device (WSA) off of the inside interface.  I have been told by a sales rep that ASA 8.3 now supports this.  I have not been able to find any Cisco documentation.

Is anyone familiar with this, or has anyone tested it?

Thanks

18 Replies

praprama
Cisco Employee

Hi,

The documentation can be found below:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/wccp.html#wp1113990

The behavior seems to be still the same.

Cheers,

Prapanch

As far as I know, the problem is not the ASA not being able to send the traffic to the Ironport, but the fact that most people are using both L2 and L3 spoofing on the Ironport. When I had this issue, I sniffed it, and it looks like the source mac/ip is coming from the interface where the Ironport is, which the ASA of course won't allow. My solution was to only use wccp for traffic coming from the same interface as the Ironport is on in the ASA.

Panos Kampanakis
Cisco Employee

To answer your question, even in 8.3 "WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.".

In other words, the WCCP engine talks directly to the host computer and that is why it would need to be L2 adjacent.

I hope it helps.

PK


karlchatterton
Level 1

Hi Guys,

I got around this issue by configuring my Ironport interface as a dot1q trunk and giving it a L3 interface in each vlan. I then can re-direct on each ASA interface.

Thanks

Karl,

Can I ask how you set up multiple Group Lists using the web-cache service? I tried to add another web-cache service group and it will not allow me, as web-cache is in use on the first interface.

The error I get is "The service group web-cache already exists".

I presume that I need to set up a second group with the additional IP address of the Ironports, since it needs to be layer two adjacent to the client.

Regards,

Scott

Hi Scott,

I configured the WCCP on the ASA as follows.

access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.3.0 255.255.255.0 any eq www

wccp web-cache redirect-list wccp-traffic group-list ironport

wccp interface VLAN-1 web-cache redirect in
wccp interface VLAN-2 web-cache redirect in
wccp interface VLAN-3 web-cache redirect in

The WCCP web-cache is enabled on each interface and the ironport is configured as a dot1q trunk with an IP interface in each vlan.

Hope this helps.

Thanks

Thanks Karl,

How do you have your routing set up on the Iron Port on each interface? Do you just have one with a default GW and it uses that for both WCCP interfaces to direct traffic? Or do you use a separate interface?

Regards,

Scott

Scott,

I have one default route on my management interface. In my case this is vlan2. You can only manage the ironport on one interface and this needs to be untagged on your trunk port to the switch. So in my case I made vlan 2 the native vlan for the trunk to the ironport as this was the interface I wanted to use for management.

This is the same interface as I send my redirect traffic to in the access-list "ironport" above.

The Ironport effectively has 2 connected networks and one default route.

Thanks

Thanks Karl,

Great, we are on track. Since you seem pretty knowledgeable about this subject and I am pretty new, one more question... I see that you are only pushing HTTP through to the IronPort. We are inspecting both 80 and 443, but have come across problems with some sites being broken by the inspection, or loss of filtering of certain URLs if we just pass them through, with transparent proxy.

Do you inspect HTTPS?

Regards,

Scott

My customer is currently testing HTTPS inspection by only redirecting for the IP address of one user. I know they were having different experiences with different browsers etc. They are only using self signed certificate on the ironport which means you get cert errors in some cases.

Sorry I'm not able to provide much more help on HTTPS inspection.

Yes, we are seeing some issue also. We have deployed the cert via group policy and for the most part it is working for explicit mode. But it does seem to be a problem in transparent mode. Especially when you want to roll it out in a BYOD scenario, where you do not have control over the end device.

Thanks anyway.

Hi Karlchatterton,


I don't quite understand this point when you said that you have your ironport configured as a dot1q trunk.

I have an S170 using M1 for management and sending data. I don't see where on the WSA configuration there is an option to do the trunk or dot1q. You can trunk the interface port on the switch. I have my ASA with VLANs on each IP (ex. nameif inside and wireless); those two have different IPs, but when I do the second redirection, the wireless users can't surf the web. I found this on the Cisco website: "

Enabling WCCP Redirection

WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance. 

"

In your setup, does the WSA have multiple IP addresses? How did you set it up?


thanks

Not to revive a dead post from six years ago but this is the top result when searching for ASA, WCCP and multiple interfaces.

So here's how to configure WCCP on multiple interfaces using ASA 9.6(1), Squid 3.5.19, and RHEL 6 with everything persisting after reboot. You only need one GRE tunnel between Squid and the ASA; however, the Squid box needs to have a NIC on each VLAN as others have indicated.

One key note: the ASA uses its highest IP for the router ID and that cannot be changed. To prevent potential issues and confusion I created a dummy wccp interface, but in most cases you can probably just use the default highest.

Network Info
ASA inside: 192.168.1.1
ASA dmz: 192.168.2.1
ASA wccp: 192.168.99.1 ("dummy" iface... not really used)
Squid inside:  192.168.1.2
Squid dmz:  192.168.2.2

ASA Config

access-list wccp-servers extended permit ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.2.2 any
access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended deny ip any any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
wccp interface dmz web-cache redirect in

Squid
/etc/squid/squid.conf

wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

iptables
/etc/sysconfig/iptables on RHEL based systems

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
COMMIT

RHEL WCCP/GRE tunnel config
/etc/sysconfig/network-scripts/ifcfg-wccp0 (again - RHEL based systems)

DEVICE="wccp0"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="GRE"
LOCAL_DEVICE="bond0"
PEER_OUTER_IPADDR="192.168.99.1"
PEER_INNER_IPADDR="192.168.99.1"
MY_OUTER_IPADDR="192.168.1.2"
MY_INNER_IPADDR="192.168.1.2"
USERCTL="no"
IPV6INIT="no"
IPV6_AUTOCONF="no"

Kernel params
/etc/sysctl.conf (RHEL!!!)

net.ipv4.ip_forward = 1
net.ipv4.conf.bond0.rp_filter = 0
net.ipv4.conf.bond1.rp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Reboot for kernel changes to take effect (this can also be done via the /proc filesystem and no reboot, if necessary).
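Both ASA configurations in this thread (Karl's three-VLAN redirect-list above, and the inside/dmz one in this post) rely on the same ASA access-list semantics: first match wins, the cache engine's own addresses are denied before the permit lines so its outbound fetches are never redirected back to itself, and anything not matched falls through to deny. The following is an added example, not code from this post or from Cisco, that parses the redirect-list lines in the ASA syntax shown here and evaluates whether a given flow would be redirected. The ACL text and the sample flows are constructed copies of the addresses in this post; the function names and the port-name table are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the redirect-list from the post, verbatim ASA syntax.
ASA_ACL = """
access-list wccp-traffic extended deny ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.2.2 any
access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended deny ip any any
"""

# Assumed subset of ASA port keywords; enough for the lines on this page.
PORT_NAMES = {"www": 80, "https": 443}


@dataclass
class Ace:
    """One access-control entry of an ASA extended ACL."""
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse one ASA address spec at tokens[i]: any | host A | NET MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form, e.g. 192.168.1.0 255.255.255.0 -> 192.168.1.0/24
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the extended ACEs of access-list <name>, in configured order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def redirected(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation: True if WCCP would redirect this flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False  # implicit deny at the end of every ASA ACL


def unexcluded_cache_engines(aces: List[Ace], cache_ips: List[str]) -> List[str]:
    """Loop check: cache-engine addresses whose own web traffic would still be
    redirected (i.e. not denied before the permit lines)."""
    return [ip for ip in cache_ips
            if redirected(aces, "tcp", ip, "203.0.113.10", 80)]


if __name__ == "__main__":
    acl = parse_acl(ASA_ACL, "wccp-traffic")
    for flow in [("tcp", "192.168.1.50", "203.0.113.10", 80),
                 ("tcp", "192.168.1.2", "203.0.113.10", 80),
                 ("tcp", "192.168.2.7", "203.0.113.10", 443)]:
        print(flow, "->", "redirect" if redirected(acl, *flow) else "bypass")
    print("cache engines not excluded:",
          unexcluded_cache_engines(acl, ["192.168.1.2", "192.168.2.2"]))
```

Running it shows the property the thread is relying on: an inside or dmz client on port 80 is redirected, the Squid box's own port-80 fetches bypass WCCP (otherwise the proxy's upstream requests would be redirected back into it), and 443 is not redirected at all because only `eq www` is permitted. The `unexcluded_cache_engines` check is the one to re-run whenever a cache engine gets a new address on another VLAN.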

Unless something has changed in the last year or so and it is possible now, you could configure the WSA to use 802.1q VLAN interfaces and they would sync with WCCP on the ASA off the physical inside interface and sub-interfaces; however, there was an issue where the physical interface on the ASA would grab all available buckets and never redirect traffic to the sub-interfaces. If you've made this work I'd certainly love to see the configuration, as we ended up working around this issue using PBR on the later releases of ASA.
