Cisco ASA FW - WCCP Versus URL Filtering

Hi There

I have a doubt and hopefully someone can assist me on this. My client would like to deploy a Web Cache WCCP solution. The Web Cache server is situated on one interface of a Cisco ASA FW (nameif dmz2), and the LAN users are situated on a different interface of the Cisco ASA FW (nameif inside). I checked on the Cisco website, and it says this design cannot be done, as the Web Cache server and the LAN users must belong under the same interface: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_wccp.html#wp1101443

However, if it's URL filtering, the URL filtering server can sit on one interface of a Cisco ASA FW, and the LAN users on a different interface of the Cisco ASA FW. This will work.

My question here is: what's the difference between Web Cache and URL filtering? How come one solution doesn't allow the server and the user to be on separate interfaces, while the other does? Please kindly elaborate. Sorry if I'm asking a silly question.

Note: Cisco ASA 5520 version 8.4.X and

Warm regards,
Ramraj Sivagnanam Sivajanam


Julio Carvajal

Hello Ramraj,

The difference between one option and the other is that WCCP will build a GRE tunnel between the ASA and the WCCP server, then they will exchange the HTTP information from the clients to the server using that GRE tunnel. After the WCCP server performs the HTTP request, it will deliver it to the client on the local LAN.

So traffic will look like this:

The client makes the HTTP request; that request reaches the ASA; the ASA builds a GRE tunnel to the server and redirects the HTTP request from the client.

The WCCP server performs the HTTP request to the HTTP server, then it will keep the information from that HTTP query in its cache for future use.

Finally the WCCP server will deliver the request to the client on the LAN.

As you can see, there is no way for this to work if the WCCP server and the clients were on different interfaces.

Hope I was clear.

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

"Finally the WCCP server will deliver the request to the client on the LAN"

That's the killing part: the traffic will be forwarded to the client from the WCCP "spoofing the outside server address". If the client were on a different interface of the firewall, that packet that carries the information from the server back to the client will reach the firewall with the public IP. Of course the ASA is going to drop it, as it violates the reverse path check.

Bottom line: asymmetric routing.

But why does it work fine on the router? Cuz it simply doesn't care; any stateful firewall will (should) drop it.

Mike

I still don't understand, bro!

Hi Master jcarvaja

Yes, I understand that the Cisco ASA will cache all HTTP queries in WCCP mode, but what I don't understand is why can't the WCCP server deliver the HTTP request to the client on the LAN, sitting on a different interface? Is it because the redirect of the HTTP request from the client is non-IP network traffic? How come URL filtering can achieve this instead?

Hi Master Maykol Rojas

The HTTP information from the server back to the client will reach the firewall with a private IP address, as the WCCP server will be placed on a private segment, but on a different interface from the client. How come URL filtering can achieve this instead?

Warm regards,
Ramraj Sivagnanam Sivajanam

Hello Ramraj,

Remember this:

"Finally the WCCP server will deliver the request to the client on the LAN."

As this is going to happen, the WCCP server will spoof the IP address of the web site, but that traffic will go directly to the client without getting to the ASA.

Now what happens if the ASA receives on its inside interface a packet to the client from the IP address of the outside server (being spoofed by the Websense)? Unicast Reverse Path Forwarding will drop the packet.

That is why it MUST be on the same interface, so the ASA does not receive those spoofed packets, as my co-worker Maykol said.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
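To make the reverse-path argument in the replies above concrete, here is an added Python model (not code from the thread or from Cisco) of the ASA's strict uRPF decision on the cache server's reply; the interface names follow the question (inside, dmz2, outside) while the prefixes and addresses are constructed example values. The URL-filtering server case, whose packets carry its own dmz2 address as source, is included for contrast.

```python
import ipaddress

# Constructed routing table for the ASA in the thread: the "inside" LAN, the
# "dmz2" segment hosting the cache / filtering server, and a default route out.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "inside"),
    (ipaddress.ip_network("10.20.0.0/24"), "dmz2"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def egress_interface(ip):
    """Longest-prefix match: which interface would the ASA use to reach ip?"""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_check(src_ip, ingress):
    """Strict uRPF: the source must be reachable back out the arrival interface."""
    return egress_interface(src_ip) == ingress


def wccp_return_verdict(cache_if, client_if, origin_ip):
    """Verdict on the cache's reply to the client, sourced from the origin web
    server's public IP (the "spoofing" the replies describe).  If cache and
    client share an interface the ASA never sees the packet; otherwise it
    arrives on the cache's interface and must pass the reverse-path check."""
    if cache_if == client_if:
        return "not seen by ASA (same segment)"
    if urpf_check(origin_ip, cache_if):
        return "forwarded"
    return "dropped by uRPF (source belongs to %s)" % egress_interface(origin_ip)


def url_filter_verdict(server_ip, server_if):
    """A URL-filtering server talks to the ASA with its own address, so its
    packets pass uRPF regardless of which interface the clients sit on."""
    return "forwarded" if urpf_check(server_ip, server_if) else "dropped by uRPF"


if __name__ == "__main__":
    print("WCCP, same interface :", wccp_return_verdict("inside", "inside", "203.0.113.10"))
    print("WCCP, cache on dmz2  :", wccp_return_verdict("dmz2", "inside", "203.0.113.10"))
    print("URL filter on dmz2   :", url_filter_verdict("10.20.0.5", "dmz2"))
```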

Thanks a million jcarvaja and Maykol Rojas. I think I understand what you're trying to tell me.

Warm regards,
Ramraj Sivagnanam Sivajanam