
ASA WCCP From Multiple Interfaces

rmeans
Level 3

I use WCCP to interact with my IronPort web filter. Currently my WSA (web filter) sits on my inside network. WCCP is configured to redirect inside traffic to the WSA off of the inside interface. It is my understanding that my ASA (8.2) cannot redirect web traffic coming into the DMZ interface to the WCCP device (WSA) off of the inside interface. I have been told by a sales rep that ASA 8.3 now supports this. I have not been able to find any Cisco documentation.

Anyone familiar or have tested this?

Thanks

18 Replies

I cannot get this working either; the first working service ID grabs all the buckets, and the second service ID that registers will not get a hash allotment nor any buckets. Can you explain what you did with PBR to get this to work? I have multiple DMZs with a Cisco WSA tagged to each DMZ that I want to redirect for, but can only get one WCCP service ID per firewall context to work.

What you are seeing is correct: the first bucket grabs everything and doesn't allow traffic to be distributed to other service IDs. Using PBR to overcome this is what we came up with for this type of deployment.

This looks like a good solution for context a, then now my context b and context c, for example, which are already working with WCCP from a single interface. I suppose I also have to do the same setup on the other contexts now using PBR and cannot use the WCCP from anywhere else. So for pointing the PBR to the WSA now, can the route-map be pointed back out the Inside interface, or the same interface where the traffic is coming from? As in the example you show, you have it on a separate interface of DMZ for the WSA's proxy IP.
