04-23-2015 08:12 AM - last edited on 03-25-2019 05:55 PM by ciscomoderator
Hi,
I've set up WCCP, which has been working great. However, I have found out that when the proxy is offline, traffic is being forwarded out of the appliance regardless. What I want is for my traffic to be filtered by the proxy and, if the proxy is offline, for no traffic to be passed. Is this possible?
Thanks
Ed
04-23-2015 10:06 PM
Hi,
Not available currently.
This is the enhancement: CSCtl20957, and it will hopefully be integrated in future.
https://tools.cisco.com/bugsearch/bug/CSCtl20957/?reffering_site=dumpcr
Thanks and Regards,
Vibhor Amrodia
04-24-2015 07:34 AM
Thanks - unfortunately I don't have access to that bug.
What do users do at present to deal with this, just let unfiltered traffic through?
Thanks
Ed
04-24-2015 11:07 AM
Hi,
If you want, I can provide a workaround for this as well.
You can create an outbound ACL on the Outside interface allowing only the WCCP services for the Source as WCCP server IP and denying the rest of the WCCP services traffic.
Also, at the end, put a permit ip any any.
Thanks and Regards,
Vibhor Amrodia
04-27-2015 07:50 AM
Thanks - could you clarify this a bit more?
At present I have an ACL for redirecting traffic to the proxy. I have an outbound ACL for all traffic allowed, including the proxy and internal clients.
My understanding is that in the outbound ACL I have to have an ACL for the client to be allowed to use HTTP and also the proxy to use HTTP. If I remove the client ACL, it stops the client flow-through whether going through the proxy or not.
Thanks
Ed
04-28-2015 06:40 AM
Hi,
This Outbound ACL that you are referring to is on which interface? Inside? Correct?
I was recommending an ACL in the OUT direction on the outside interface, where the connection will be sourced from the proxy IP to the internet.
If you have an ACL on the inside for the Outbound traffic, that would not affect the traffic or this workaround.
You can check the order in which the ACLs are used using Packet Tracer:
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
04-27-2015 09:17 PM
Hi,
I think the ACL you are pointing at is the ACL on the Inside interface.
I was recommending putting an ACL on the Outside interface in the OUT direction and only allowing the traffic out from the source, which is the IP address of the proxy.
So something like this:
access-list wccp-fail-close permit tcp host <wccp server ip> any eq 443
access-list wccp-fail-close permit tcp host <wccp server ip> any eq 80
access-list wccp-fail-close deny tcp any any eq 443
access-list wccp-fail-close deny tcp any any eq 80
access-list wccp-fail-close permit ip any any
Thanks and Regards,
Vibhor Amrodia
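A small first-match simulation of the wccp-fail-close ACL above, added here as an illustration and not code from the thread or from Cisco. It assumes the proxy opens its upstream connections from its own address; 192.0.2.10 stands in for <wccp server ip>, and the client and destination addresses used with it are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

PROXY_IP = "192.0.2.10"  # constructed placeholder for <wccp server ip>
ACL_TEXT = f"""\
access-list wccp-fail-close permit tcp host {PROXY_IP} any eq 443
access-list wccp-fail-close permit tcp host {PROXY_IP} any eq 80
access-list wccp-fail-close deny tcp any any eq 443
access-list wccp-fail-close deny tcp any any eq 80
access-list wccp-fail-close permit ip any any
"""

class Rule(NamedTuple):
    action: str
    proto: str
    src: Optional[str]   # None means "any"
    dst: Optional[str]   # None means "any"
    port: Optional[int]  # None means any destination port

def _addr(tokens):
    """Consume 'any' or 'host <ip>' from the front of the token list."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return str(ipaddress.ip_address(tokens.pop(0)))
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    """Parse the subset of extended ACL syntax used in the post above."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]  # drop "access-list <name>"
        if not tokens:
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, line number); first match wins, no match is denied."""
    for n, r in enumerate(rules, 1):
        if (r.proto in ("ip", proto) and r.src in (None, src)
                and r.dst in (None, dst) and r.port in (None, dport)):
            return r.action, n
    return "deny", 0
```

Line 5 is why this ACL only closes TCP 80 and 443: a client flow on any other port or protocol still matches the final permit and leaves unfiltered when the proxy is down.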
04-28-2015 06:12 AM
Thanks - sorry about the duplicate replies, my browser went nuts.
My understanding for this is that I can only have one ACL per interface? I currently have inbound ACLs on three interfaces, one per interface. Would I have to change my outside interface (internet facing) to have an ACL which is in the OUT direction and lose my IN direction ACL?
Thanks
Ed