
WCCP bypass cisco firewall

lkadlik
Level 1

Please forgive me, as my knowledge of WCCP is limited.

I have an ASA firewall with the following two commands on it:

wccp 7 redirect-list BlueCoat

wccp interface inside 7 redirect in

==============

This is also on the firewall

object-group network BlueCoat

description *** List of Servers to deny cache of bluecoat ***

network-object host 10.20.30.50

network-object host 10.20.30.60

network-object host 10.20.30.68

network-object host 10.20.30.133

network-object host 10.20.30.180

network-object host 10.20.30.222

network-object host 10.20.30.225

network-object host 10.20.30.232

network-object host 10.20.30.235

network-object host 10.20.132.41

network-object host 10.20.132.42

network-object host 10.20.134.53

network-object host 10.20.30.148

network-object host 10.20.30.92

network-object host 10.20.25.40

network-object host 10.20.25.45

network-object host 10.20.135.20

network-object host 10.20.30.80

================

Is it possible for me to exclude 10.20.34.222 from being redirected to the blue coat so it goes directly out the firewall while leaving everything else in place?

Any clarification on what the two initial commands mean would be helpful as well.

Thank you.


Lynne

5 Replies

varrao
Level 10

Hi,

Have a look at this; you can try this:

access-list wccp-traffic deny tcp host 10.20.34.222 any eq www   (this entry will bypass wccp)
access-list wccp-traffic permit ip any any   (or you can specify the specific source subnet)

Create Access List called "wccp-servers" for Web Filter
access-list wccp-servers extended permit ip host 10.x.x.x any (where 10.x.x.x is the ip of
the WCCP Server and assumes all web traffic hitting LAN interface will be rerouted)

wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in

The first command specifies the access-list that needs to be redirected to the web filter
and also allows the traffic for the web filter to reach out to the internet.

The second command tells where the web filter is connected to the firewall in the network.

Hope this helps.

Thanks,
Varun

Please do rate helpful posts.
Thanks,
Varun Rao
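To make the redirect-list semantics in the answer above concrete, here is a small model of how the ASA decides, per flow, between sending traffic to the cache and forwarding it normally. This is an added example written for this thread, not Cisco's code or anything the poster supplied. It assumes the standard WCCP rule that a matching "permit" entry in a redirect-list means "redirect to the cache" while a matching "deny" entry (or no match at all, the implicit deny) means "bypass WCCP", and that the well-known web-cache service only ever considers TCP destination port 80. The sample ACL lines are the ones from the answer; the destination address 192.0.2.10 is a constructed TEST-NET value.

```python
"""Model of how an ASA evaluates a WCCP redirect-list (added example, not from the thread).

Assumptions (labelled): the 'web-cache' service only considers TCP destination port 80;
in a redirect-list a matching 'permit' entry means the flow is redirected to the cache,
a matching 'deny' entry (or no match at all) means the flow bypasses WCCP and is
forwarded normally by the firewall. Only the ACL subset used in the thread is parsed:
host/any/"addr mask" source and destination, ip/tcp/udp, optional 'eq <port|www>'.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_ALIASES = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" | "deny"
    proto: str                      # "ip" | "tcp" | "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: list, i: int):
    """Consume one address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2   # "A.B.C.D M.M.M.M"


def parse_ace(line: str):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_ALIASES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(config: str, name: str) -> list:
    """Collect the ACEs of one named ACL in configured order (first match wins)."""
    aces = []
    for raw in config.splitlines():
        line = raw.split("(")[0].strip()        # drop the "(...)" remarks from the post
        if line.startswith("access-list"):
            acl_name, ace = parse_ace(line)
            if acl_name == name:
                aces.append(ace)
    return aces


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ace.dport is not None and ace.dport != f.dport:
        return False
    return (ipaddress.ip_address(f.src) in ace.src
            and ipaddress.ip_address(f.dst) in ace.dst)


def wccp_decision(service: str, redirect_list: list, f: Flow) -> str:
    """Return 'redirect' (sent to the cache) or 'direct' (normal firewall forwarding)."""
    # Assumption: the well-known 'web-cache' service only covers TCP/80.
    if service == "web-cache" and not (f.proto == "tcp" and f.dport == 80):
        return "direct"
    for ace in redirect_list:                   # first matching entry decides
        if ace_matches(ace, f):
            return "redirect" if ace.action == "permit" else "direct"
    return "direct"                             # implicit deny: no redirection


# ACL lines as given in the answer above (remarks in parentheses are stripped by parse_acl).
SAMPLE_CONFIG = """
access-list wccp-traffic deny tcp host 10.20.34.222 any eq www   (this entry will bypass wccp)
access-list wccp-traffic permit ip any any   (or you can specify the specific source subnet)
"""
REDIRECT_LIST = parse_acl(SAMPLE_CONFIG, "wccp-traffic")


def decide(src: str, dst: str, proto: str = "tcp", dport: int = 80) -> str:
    return wccp_decision("web-cache", REDIRECT_LIST, Flow(src, dst, proto, dport))


if __name__ == "__main__":
    for src, proto, dport in [("10.20.34.222", "tcp", 80), ("10.20.30.5", "tcp", 80),
                              ("10.20.34.222", "tcp", 443), ("10.20.30.5", "udp", 80)]:
        print(f"{src} {proto}/{dport} -> {decide(src, '192.0.2.10', proto, dport)}")
```

Running it shows the effect the question asks for: TCP/80 from 10.20.34.222 is forwarded directly, the same traffic from any other host is redirected, and non-TCP/80 traffic is never a candidate for the web-cache service regardless of the ACL. Two things worth keeping in mind from a monitoring standpoint: a host excluded this way no longer passes through the proxy's content filtering or access logging, so the bypass list should stay short and be reviewed, and the hit counters from "show access-list wccp-traffic" on the ASA are the quickest way to confirm the deny entry is actually matching the intended host.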

If you want to know more, here is a doc:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445

Thanks,

Varun


So does that mean the below would be the changes and config I would need?


no wccp 7 redirect-list BlueCoat
no wccp interface inside 7 redirect in

wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in

access-list wccp-servers extended permit ip host 10.x.x.x any

access-list wccp-traffic deny tcp host 10.20.34.222 any eq www
access-list wccp-traffic permit ip any any

object-group network BlueCoat
description *** List of Servers to deny cache of bluecoat ***
network-object host 10.20.30.50
network-object host 10.20.30.60
network-object host 10.20.30.68
network-object host 10.20.30.133
network-object host 10.20.30.180
network-object host 10.20.30.222
network-object host 10.20.30.225
network-object host 10.20.30.232
network-object host 10.20.30.235
network-object host 10.20.132.41
network-object host 10.20.132.42
network-object host 10.20.134.53
network-object host 10.20.30.148
network-object host 10.20.30.92
network-object host 10.20.25.40
network-object host 10.20.25.45
network-object host 10.20.135.20
object-group network BlueCoat2
description ***  List of outside servers to deny cache of bluecoat  ***
network-object host 206.90.20.231
network-object host 206.24.131.64
network-object host 209.202.170.101
network-object host 205.140.206.143

That's correct, you would need this.

Thanks,

Varun


Thank you.

The customer decided not to do it.
