WCCP on ASA with IPSec VPN users

Igor Rodriguez
Level 1

Hello all,

I'd like to ask all of you a question about configuring WCCP on an ASA5520.

I'll try to explain the situation the best I can.

We have a Cisco Ironport that is working as an Explicit proxy and we want to migrate it to Transparent mode.

We'll change our network topology and Ironport's IP addressing so that it is connected to the inside interface on our ASAs.

I have a doubt though: we only have an ASA system working on Active/Standby Failover, and it is the main Internet connection. This ASA system is also where our IPSec VPN tunnels end.

My question is: Are we going to be able to configure VPN clients with no proxy settings? Will WCCP redirection work for VPN users? I must say that these VPN users are assigned an IP pool that is a different network from LAN users and ASA's inside interface.

Thank you all for your help.

Best regards,

Igor

Accepted Solutions

Jennifer Halim
Cisco Employee

No, WCCP will not work for VPN users because on ASA, the WCCP server and client need to be connecting to the same interface. In your case, since the VPN is connected to the public/outside interface, and the WSA is connected to the inside interface, this is not a supported WCCP redirection on the ASA.

Thanks Jennifer.

So on our topology, the only way to configure it is maintaining the VPN clients configuring WSA's IP address and using it as explicit, right?

Absolutely correct.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/basic_wccp.html#wp1143527

Quoted from above:

"WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA."

Thanks for the clarification Jennifer.

I had read that, but I wanted to clarify it with someone.

Your answer was really helpful.
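
The same-interface constraint discussed in this thread, shown as an ASA configuration sketch. This is an added example, not part of the original posts or of Cisco's documentation; every address, the ACL names and the interface layout are constructed assumptions.

```text
! Added example. All addresses and ACL names are constructed placeholders.
! Assumed layout: LAN clients 10.1.1.0/24 and the WSA 10.1.1.50 are both
! behind "inside"; the IPSec VPN pool 10.9.9.0/24 terminates on "outside".

! WCCP servers (the WSA) that the ASA will accept registrations from
access-list WCCP-SERVERS extended permit ip host 10.1.1.50 any

! Traffic to redirect: never the WSA's own requests, then HTTP from the LAN
access-list WCCP-REDIRECT extended deny ip host 10.1.1.50 any
access-list WCCP-REDIRECT extended permit tcp 10.1.1.0 255.255.255.0 any eq www

wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS

! Redirection is applied on ingress of the interface shared by clients and WSA
wccp interface inside web-cache redirect in

! Not a fix for VPN users: adding the pool to the redirect list changes nothing,
! because that traffic enters the ASA on "outside" rather than on "inside"
! ingress, and the WSA cannot reach those clients without crossing the ASA.
! access-list WCCP-REDIRECT extended permit tcp 10.9.9.0 255.255.255.0 any eq www
```

With this layout only the LAN clients are redirected transparently; the VPN clients keep the WSA's address as an explicit proxy, as confirmed in the thread.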

Has to be a way
