I have a doubt and hopefully someone can assist me on this. My client would like to deploy a Web Cache WCCP solution. The Web Cache server is situated on one interface of a Cisco ASA FW (nameif dmz2), and the LAN users are situated on a different interface of the Cisco ASA FW (nameif inside). I checked on the Cisco website, and it says this design cannot be done, as the Web Cache server and the LAN users must belong to the same interface: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_wccp.html#wp1101443
However, if it's URL filtering, the URL filtering server can sit on one interface of a Cisco ASA FW and the LAN users on a different interface of the Cisco ASA FW. This will work.
My question here is: what's the difference between Web Cache and URL filtering? How come one solution doesn't allow the server and the user to be on separate interfaces, while the other does? Please kindly elaborate. Sorry if I'm asking a silly question.
Note: Cisco ASA 5520 version 8.4.X and
The difference between one option and the other is that WCCP will build a GRE tunnel between the ASA and the WCCP server, then they will exchange the HTTP information from the clients to the server using that GRE tunnel. After the WCCP server performs the HTTP request, it will deliver it to the client on the local LAN.
So the traffic will look like this:
The client makes the HTTP request; that request reaches the ASA. The ASA builds a GRE tunnel to the server and redirects the HTTP request from the client.
The WCCP server performs the HTTP request to the HTTP server, then it will keep the information from that HTTP query in its cache for future use.
Finally the WCCP server will deliver the request to the client on the LAN.
As you can see, there is no way for this to work if the WCCP server and the clients were on different interfaces.
Hope I was clear.
"Finally the WCCP server will deliver the request to the client on the LAN"
That's the killing part: the traffic will be forwarded to the client from the WCCP server "spoofing the outside server address". If the client were on a different interface of the firewall, that packet carrying the information from the server back to the client would reach the firewall with the public IP as its source. Of course the ASA is going to drop it, as it violates the reverse path check.
Bottom line, asymmetric Routing.
But why does it work fine on a router? Because it simply doesn't care; any stateful firewall will (should) drop it.
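The following is an added example, not part of this thread, that models the reverse-path check described above on a constructed ASA routing table (the prefixes and nameifs are assumptions): the WCCP cache's reply carries the origin server's public address as source, so when it must enter the ASA from dmz2 the route back to that source points to outside and the packet is dropped, whereas with URL filtering the real reply still arrives on outside.

```python
import ipaddress

# Constructed routing table for a hypothetical ASA: prefix -> nameif.
# WCCP cache on dmz2, LAN clients on inside, the Internet reachable via outside.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "inside",
    ipaddress.ip_network("10.2.0.0/24"): "dmz2",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}


def egress_interface(addr):
    """Longest-prefix-match lookup: which interface the ASA uses to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def rpf_check(ingress_if, src_ip):
    """Unicast reverse-path check: accept a packet only if the route back to its
    source address points out of the interface the packet arrived on."""
    expected = egress_interface(src_ip)
    ok = expected == ingress_if
    return ok, f"src {src_ip} arrived on {ingress_if}, route points to {expected}"


def wccp_reply_fate(cache_if, client_if, origin_server_ip):
    """The WCCP cache answers the client with the origin server's IP as source.
    Same interface: the reply stays on the segment and the ASA never sees it.
    Different interface: it enters the ASA on the cache's interface carrying a
    public source, so the RPF check decides (models only the RPF aspect)."""
    if cache_if == client_if:
        return True, "reply stays on the local segment, ASA never sees it"
    return rpf_check(cache_if, origin_server_ip)


def url_filter_reply_fate(origin_server_ip):
    """With URL filtering the ASA only asks the filtering server for a verdict;
    the actual HTTP reply still comes from the origin server via outside."""
    return rpf_check("outside", origin_server_ip)


if __name__ == "__main__":
    print(wccp_reply_fate("dmz2", "inside", "203.0.113.10"))   # dropped
    print(wccp_reply_fate("inside", "inside", "203.0.113.10")) # never hits ASA
    print(url_filter_reply_fate("203.0.113.10"))               # accepted
```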
I still don't understand, bro!
Hi Master jcarvaja
Yes, I understand that the Cisco ASA will cache all HTTP queries in WCCP mode, but what I don't understand is why the WCCP server can't deliver the HTTP request to the client on the LAN when sitting on a different interface. Is it because the redirect of the HTTP request from the client is non-IP network traffic? How come URL-Filtering can achieve this instead?
Hi Master Maykol Rojas
The HTTP information from the server back to the client will reach the firewall with a private IP address, as the WCCP server will be placed on a private segment, but on a different interface from the client. How come URL-Filtering can achieve this instead?