Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1339
Views
0
Helpful
3
Replies

WCCP On Cisco Firewall

munawar.zeeshan
Level 1
Level 1

‎04-03-2011 10:14 PM - edited ‎03-11-2019 01:16 PM

Hi All,

I have configured WCCP from websense (V10K appliance) on Cisco ASA 5520 (8.2.4 code)

My Websense interfaces are on the inside with IP 10.1.0.5 and 10.1.0.6. All the LAN users also come from the Inside interface. The users were using Proxy server (in their browsers) before the implementation of WebSense. Now to allow all the LAN users to send request to Websense interfaces we have to allow www and https from all LAN users towards any. In this case we will need to permit the full subnet like this on the inside.

Access-list ACL_INSIDE permit ip 10.0.0.0 255.0.0.0 any www

Access-list ACL_INSIDE permit ip 10.0.0.0 255.0.0.0 any https

Which we don’t want to.

When I did a packet trace I noticed that the ACL_Inside is evaluated first before the WCCP redirect that’s why permit in ACL_INSIDE is required. Is there any way we can evaluate WCCP redirect before inside ACL ? Packet tracer output is attached herewith.

OR is it the default behavior of firewall and i need to accomodate thorough some ACL tweek.

Labels:
84322-Pakcet tracer.txt.zip
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-04-2011 02:16 AM

Yes, interface ACL will always be applied first and WCCP will come after once traffic has been permitted through the interface ACL. That is the default behaviour of the firewall as it will not allow WCCP to even happen if traffic is being denied on interface level ACL.

If you don't want access for some users at all towards the Internet, then you can configure deny above the permit ACL that you already have for the specific user IP Address.

0 Helpful

munawar.zeeshan
Level 1
Level 1
In response to Jennifer Halim

‎04-04-2011 05:56 AM

Will permitting Intra-interface same security level traffic might help in this case ?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to munawar.zeeshan

‎04-04-2011 10:03 PM

No, that command has nothing to do with WCCP.

"same-security-traffic permit intra-interface" is to allow traffic to go in and out the same interface.

However, in your topology, you will need WCCP to transparent send the traffic to Websense.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card