
WCCP configuration

Miguel Ortega
Level 1

Hi to everyone,

This question may have been asked before.

I have some problems and doubts about WCCP configuration on ASA 8.2.

(I hope that someone who has configured Websense and ASA using WCCP reads this.)

I have tested two configurations.

Below is the first one:

access-list wccp-users-trafico extended permit ip object-group Navegacion_filtrado_Websense any

access-list wccp-server-client extended permit ip host WEBSENSE_PROXY any

wccp 0 redirect-list wccp-users-trafico group-list wccp-server-client

wccp interface LAN 0 redirect in

Where

"Navegacion_filtrado_Websense" is a group created in order to apply Websense filter just for some users

WEBSENSE_PROXY is our Websense Content Gateway

I have checked with debug wccp packets, and the "I see you" and "Here I am" messages are present; also, show wccp displays the WCCP version.

The second one is almost the same, but I found it on the Websense support page and adapted it to my network:

access-list wccp-users-trafico extended deny ip host WEBSENSE_PROXY any

access-list wccp-users-trafico extended deny ip host WS_APPLIANCE any 

access-list wccp-users-trafico extended deny ip host 10.0.0.0 255.0.0.0 any

access-list wccp-users-trafico extended deny ip host 172.16.0.0  255.240.0.0 any

access-list wccp-users-trafico extended deny ip host 192.168.0.0  255.255.0.0 any

access-list wccp-users-trafico extended permit tcp any any eq www

access-list wccp-users-trafico extended permit ip object-group Navegacion_filtrado_Websense any

access-list wccp-server-client extended permit ip host WEBSENSE_PROXY any

wccp 0 redirect-list wccp-users-trafico group-list wccp-server-client

wccp interface LAN 0 redirect in

The result is the same with debug wccp packets: I see all the messages, and show wccp displays the correct version and IP address; the Websense engine also shows the ASA IP address.

But with neither of these configurations can I get traffic redirected to the Websense proxy; I just receive timeouts from the browser. It looks like traffic goes nowhere and is not redirected to the proxy for authorization.

Thanks in advance for any help or clue about this (sorry about my English, Spanish is my first language).

Miguel

7 Replies

Julio Carvajal
VIP Alumni

Hello Miguel,

Instead of  wccp 0 redirect-list wccp-users-trafico group-list wccp-server-client can you use

wccp web-cache group-list wccp-server-client  redirect-list wccp-users-trafico

Then provide me the following outputs:

show wccp web-cache

show wccp interface

Any other question..Sure..Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply

I will try that later today at night, because during working hours I can't make any modification to the ASA configuration.

I have tried with web-cache but nothing happens; there is no information or communication shown with

show wccp-cache

Websense only allows me to use numbers for protocols, I mean 0 for HTTP or 70 for HTTPS.

When I use 0 for HTTP I have the following output, where IP address of ASA and Websense is

Global WCCP information:
    Router information:
        Router Identifier:                   2XX.2X.1XX.3X
        Protocol Version:                    2.0

    Service Identifier: 0
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-users-trafico
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server-client
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

FW# sh wccp interfaces

WCCP interface configuration:
    GigabitEthernet0/2
        Output services: 0
        Input services:  1
        Mcast services:  0
        Exclude In:      FALSE

Have you verified your Websense configuration?

A couple of videos that were helpful in setting it up for me:

http://www.youtube.com/watch?v=2Z15RCSDSUA

https://www.websense.com/support/article/webinar/Webinar-Configuring-WCCP-v2-with-Websense-Content-Gateway-the-Web-proxy-for-Web-Security-Gateway

You should see some statistics on the show wccp output if it's working:

Global WCCP information:

    Router information:

        Router Identifier:                   172.16.1.1

        Protocol Version:                    2.0

    Service Identifier: 0

        Number of Cache Engines:             1

        Number of routers:                   1

        Total Packets Redirected:            27337696

        Redirect access-list:                WS_REDIRECT

        Total Connections Denied Redirect:   132705

        Total Packets Unassigned:            90

        Group access-list:                   PROXY_WS

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total Bypassed Packets Received:     0

Here's my config if it helps:

wccp interface inside 0 redirect in

access-list PROXY_WS extended permit ip host 10.33.1.34 any

access-list WS_REDIRECT extended deny ip host 10.33.1.34 any

access-list WS_REDIRECT extended deny ip object WEBSNS_MGMT any

access-list WS_REDIRECT extended deny ip 10.33.1.0 255.255.255.0 any

access-list WS_REDIRECT extended deny ip any 10.0.0.0 255.0.0.0

access-list WS_REDIRECT extended deny ip any 192.168.0.0 255.255.0.0

access-list WS_REDIRECT extended deny ip any 172.16.0.0 255.255.0.0

access-list WS_REDIRECT extended permit ip any any

wccp 0 redirect-list WS_REDIRECT group-list PROXY_W

The WCCP setup looks correct,

As Moorel said, make sure the Websense server is up and running as it should be

Let's create some captures just to show you the ASA is re-directing the traffic using the GRE tunnel

cap WCCP interface LAN match gre ASA_IP WCCP_Server_IP

Then do a show cap WCCP and let us know the output,

Remember to rate all of the helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
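
An added example, not part of any post in this thread: a small Python check over `show wccp` text that separates the state in Miguel's output (cache engine registered, nothing redirected) from the working state in the second output. The function names and state labels are assumptions made for this example; the sample text is excerpted from the two outputs posted above.

```python
import re

# Counter labels as they appear in the `show wccp` outputs in this thread.
FIELDS = {
    "Number of Cache Engines": "cache_engines",
    "Total Packets Redirected": "redirected",
    "Total Connections Denied Redirect": "denied_redirect",
    "Total Messages Denied to Group": "denied_group",
    "Total Authentication failures": "auth_failures",
}

def parse_show_wccp(text):
    """Return {service_id: {counter: int}} parsed from `show wccp` text."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*([^:]+):\s*(\d+)\s*$", line)
        if m and current is not None and m.group(1).strip() in FIELDS:
            current[FIELDS[m.group(1).strip()]] = int(m.group(2))
    return services

def diagnose(c):
    """Classify one service from its counters (labels are this example's own)."""
    if c.get("cache_engines", 0) == 0:
        if c.get("denied_group", 0) or c.get("auth_failures", 0):
            return "cache engine messages rejected"
        return "no cache engine registered"
    if c.get("redirected", 0) == 0:
        return "registered but no packets redirected"
    return "redirecting"

# Excerpts of the two outputs posted in this thread.
FAILING = """    Service Identifier: 0
        Number of Cache Engines:             1
        Total Packets Redirected:            0
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""
WORKING = """    Service Identifier: 0
        Number of Cache Engines:             1
        Total Packets Redirected:            27337696
        Total Connections Denied Redirect:   132705
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        for sid, counters in parse_show_wccp(text).items():
            print(name, "service", sid, "->", diagnose(counters))
```

A result of "registered but no packets redirected" means the WCCP registration succeeded and the place to look is the redirect side: the redirect-list and the interface carrying `redirect in`.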


I have checked all the things that Julio and MoorelT01 said, and I can't get any redirection of traffic.

Now I think that I have found something: the inside interface of my ASA is connected to a Catalyst 3750 (L3) and the Websense proxy is too, both in the same VLAN. Is that configuration affecting the communication between these two pieces of equipment?

I have also checked a lot of tutorials, but none of them said anything about connecting these two devices; they just show the equipment connected through a switch or even a hub. Is there a problem using L3 devices in between with VLANs?

Hello Miguel,

At this point, I would like to see a diagram about all the pieces of hardware and software in between that are taking place in here

This will help us to provide you the solution

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC