08-19-2011 09:43 AM - edited 03-11-2019 02:14 PM
Please forgive me as my knowledge of WCCP is limited.
I have an ASA firewall with the following two commands on it:
wccp 7 redirect-list BlueCoat
wccp interface inside 7 redirect in
==============
This is also on the firewall
object-group network BlueCoat
description *** List of Servers to deny cache of bluecoat ***
network-object host 10.20.30.50
network-object host 10.20.30.60
network-object host 10.20.30.68
network-object host 10.20.30.133
network-object host 10.20.30.180
network-object host 10.20.30.222
network-object host 10.20.30.225
network-object host 10.20.30.232
network-object host 10.20.30.235
network-object host 10.20.132.41
network-object host 10.20.132.42
network-object host 10.20.134.53
network-object host 10.20.30.148
network-object host 10.20.30.92
network-object host 10.20.25.40
network-object host 10.20.25.45
network-object host 10.20.135.20
network-object host 10.20.30.80
================
Is it possible for me to exclude 10.20.34.222 from being redirected to the blue coat so it goes directly out the firewall while leaving everything else in place?
Any clarification on what the two initial commands mean would be helpful as well?
Thank you.
Lynne
08-19-2011 11:06 AM
Hi,
Have a look at this; you can try this:
access-list wccp-traffic deny tcp host 10.20.34.222 any eq www (this entry will bypass wccp)
access-list wccp-traffic permit ip any any (or you can specify the specific source subnet)
Create Access List called "wccp-server" for Web Filter
access-list wccp-servers extended permit ip host 10.x.x.x any (where 10.x.x.x is the ip of the WCCP Server and assumes all web traffic hitting LAN interface will be rerouted)
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
The first command would specify the access-list that needs to be re-directed to the web filter
and also allow the traffic for the web filter to reach out to the internet.
The second command tells where the web filter is connected to the firewall in the network.
Hope this helps.
Thanks,
Varun
Please do rate helpful posts.
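An ACL such as the redirect-list in the reply above is evaluated top-down and the first matching entry wins, which is why the deny for 10.20.34.222 sits before the broad permit. The sketch below is an added example, not part of the original posts and not Cisco code: it models that first-match logic for the two posted entries only (`host`/`any` address specs and the `eq www` keyword) and assumes the flow is one the web-cache service already selects (TCP port 80). The destination 203.0.113.10 is a constructed sample address.

```python
import ipaddress

# The two redirect-list entries from the reply above, copied as posted.
REDIRECT_LIST = """\
access-list wccp-traffic deny tcp host 10.20.34.222 any eq www
access-list wccp-traffic permit ip any any
"""
PORTS = {"www": 80}  # only port keyword used on this page

def _addr(tokens):
    """Consume one address spec ('any' or 'host A.B.C.D') from the token list."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address spec: {word}")

def parse_acl(text, name):
    """Return ordered (action, proto, src, dst, port) entries for ACL `name`."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        tokens = tokens[2:]
        if tokens[0] == "extended":  # keyword is optional on the ASA
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = PORTS[tokens[1]] if tokens[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def wccp_decision(entries, src, dst, dport, proto="tcp"):
    """First matching entry wins: permit -> redirect, deny -> bypass."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if (e_proto in ("ip", proto) and s in e_src and d in e_dst
                and e_port in (None, dport)):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of every ACL

ACL = parse_acl(REDIRECT_LIST, "wccp-traffic")
# Constructed sample flows to a documentation-range web server.
print(wccp_decision(ACL, "10.20.34.222", "203.0.113.10", 80))  # bypass
print(wccp_decision(ACL, "10.20.30.50", "203.0.113.10", 80))   # redirect
```

Running the same check with the two entries in reverse order returns `redirect` for 10.20.34.222, so any host meant to bypass the proxy has to be listed ahead of the catch-all permit.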
08-19-2011 11:07 AM
If you want to know more, here is a doc:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445
Thanks,
Varun
08-29-2011 10:46 AM
So does that mean the below would be the changes and config I would need?
no wccp 7 redirect-list BlueCoat
no wccp interface inside 7 redirect in
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
access-list wccp-servers extended permit ip host 10.x.x.x any
access-list wccp-traffic deny tcp host 10.20.34.222 any eq www
access-list wccp-traffic permit ip any any
object-group network BlueCoat
description *** List of Servers to deny cache of bluecoat ***
network-object host 10.20.30.50
network-object host 10.20.30.60
network-object host 10.20.30.68
network-object host 10.20.30.133
network-object host 10.20.30.180
network-object host 10.20.30.222
network-object host 10.20.30.225
network-object host 10.20.30.232
network-object host 10.20.30.235
network-object host 10.20.132.41
network-object host 10.20.132.42
network-object host 10.20.134.53
network-object host 10.20.30.148
network-object host 10.20.30.92
network-object host 10.20.25.40
network-object host 10.20.25.45
network-object host 10.20.135.20
object-group network BlueCoat2
description *** List of outside servers to deny cache of bluecoat ***
network-object host 206.90.20.231
network-object host 206.24.131.64
network-object host 209.202.170.101
network-object host 205.140.206.143
08-29-2011 10:56 AM
That's correct, you would need this.
Thanks,
Varun
09-09-2011 10:35 AM
Thank you.
The customer decided not to do it.