06-29-2007 03:11 AM - last edited on 03-25-2019 05:37 PM by ciscomoderator
Hi,
I am a bit stuck on the WCCP method - there seems to be very little documentation on it for PIX. The commands are different to routers. I tried this so far:
wccp web-cache redirect-list Proxy group-list ProxyWS1000
wccp interface inside web-cache redirect in
ACLs being:
access-list Proxy extended permit tcp 10.1.1.1 255.255.255.240 any eq www
access-list Proxy extended permit tcp 10.1.1.17 255.255.255.240 any eq www
access-list ProxyWS1000 extended permit tcp host 10.1.2.247 any eq www
Would this work? I'm trying to send 10.1.1.0 through the proxy before going outside. Would the IP traffic be going through their own assigned NAT pool or using the proxy static IP (i.e. as if I had configured the proxy in IE)?
Also a second question - I thought I was being secure by using an ACL such as
access-list Test extended permit tcp 10.1.1.0 255.255.255.0 eq www any eq www
But I assume that ports going out from a client are not locked to that service? I.e. port 80 requests go from port 80 to port 80?
Thanks for any help
Ed
06-29-2007 08:27 AM
Hi,
First check out the following for restrictions and other caveats (based on 7.2):
There are a lot of WCCP restrictions compared to what you can do on a router, so double-check your architecture - and remove the group-list as it's not necessary if there's only one server.
Note that when using http it's only the destination port of 80 that is fixed - the client source port can be anything in the high port range (1024-65535) so the Test access list probably won't ever match anything.
Lastly, don't forget to check the logs - they are the most useful tool when troubleshooting!
HTH - plz rate if useful..
Andrew.
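The source-port point in the reply above, as an added example that is not part of the original thread: a small Python matcher that evaluates the thread's ACL lines against constructed TCP flows. The destination address, the client addresses and ports, and the variant without the source-port test are assumptions made for illustration.

```python
import ipaddress

PORTS = {"www": 80}  # the only named port the thread's ACLs use

def parse_ace(line):
    """Parse 'access-list NAME extended permit tcp SRC [eq P] DST [eq P]'."""
    tok = line.split()[5:]  # drop 'access-list NAME extended permit tcp'

    def endpoint():
        if tok[0] == "any":
            net, used = ipaddress.ip_network("0.0.0.0/0"), 1
        elif tok[0] == "host":
            net, used = ipaddress.ip_network(tok[1] + "/32"), 2
        else:  # address followed by a subnet mask; host bits are ignored
            net, used = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), 2
        del tok[:used]
        port = None  # None means "any port"
        if tok[:1] == ["eq"]:
            port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
            del tok[:2]
        return net, port

    return endpoint(), endpoint()

def matches(ace, src_ip, sport, dst_ip, dport):
    """True if a TCP flow matches the ACE on addresses and both port tests."""
    (snet, sp), (dnet, dp) = ace
    return (ipaddress.ip_address(src_ip) in snet and sp in (None, sport)
            and ipaddress.ip_address(dst_ip) in dnet and dp in (None, dport))

def permitted(acl_lines, *flow):
    """Permit-only lines: any match permits, no match is the implicit deny."""
    return any(matches(parse_ace(l), *flow) for l in acl_lines)

# ACL lines copied from the thread
TEST = "access-list Test extended permit tcp 10.1.1.0 255.255.255.0 eq www any eq www"
PROXY = [
    "access-list Proxy extended permit tcp 10.1.1.1 255.255.255.240 any eq www",
    "access-list Proxy extended permit tcp 10.1.1.17 255.255.255.240 any eq www",
]
# Constructed variant: the Test line with the source-port test removed
TEST_NO_SPORT = "access-list Test extended permit tcp 10.1.1.0 255.255.255.0 any eq www"
WEB = "198.51.100.10"  # constructed destination (documentation address range)

if __name__ == "__main__":
    print(permitted([TEST], "10.1.1.5", 49152, WEB, 80))           # ephemeral source port
    print(permitted([TEST_NO_SPORT], "10.1.1.5", 49152, WEB, 80))
    print(permitted(PROXY, "10.1.1.20", 49152, WEB, 80))
    print(permitted(PROXY, "10.1.1.40", 49152, WEB, 80))           # outside both /28 ranges
```

With the 255.255.255.240 mask, the two Proxy lines cover 10.1.1.0 through 10.1.1.31, so a client at 10.1.1.40 falls through to the implicit deny.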
06-29-2007 08:42 AM
Hi,
Okay, I'm using a black box proxy. Will the WCCP command still work on that? If so, where do I tell it in the command where the proxy service is?
For client source ports, is this the same for all things such as FTP, SMTP, POP, etc.?
Thanks
Ed
06-29-2007 12:20 PM
Hi,
What I'm trying to do is divert a select group to a proxy without having to use a script.
Thanks
Ed
07-02-2007 12:41 AM
Hi,
WCCP requires that both devices speak WCCP - it won't work if the proxy doesn't support it.
The web-cache service only redirects tcp port 80 so if you need other services you need to define additional services - but this needs them defined on the proxy as well.
HTH
Andrew.