
WCCP On Cisco Firewall


Hi All,

I have configured WCCP from Websense (V10K appliance) on a Cisco ASA 5520 (8.2.4 code).

My Websense interfaces are on the inside with IP and all the LAN users also come from the inside interface. The users were using a proxy server (in their browsers) before the implementation of Websense. Now, to allow all the LAN users to send requests to the Websense interfaces, we have to allow www and https from all LAN users towards any. In this case we will need to permit the full subnet like this on the inside:

Access-list ACL_INSIDE permit ip any www

Access-list ACL_INSIDE permit ip any https

Which we don’t want to do.

When I did a packet trace I noticed that ACL_INSIDE is evaluated first, before the WCCP redirect; that’s why the permit in ACL_INSIDE is required. Is there any way we can evaluate the WCCP redirect before the inside ACL? Packet tracer output is attached herewith.

Or is it the default behavior of the firewall, and I need to accommodate it through some ACL tweak?

3 Replies

Jennifer Halim
Cisco Employee

Yes, interface ACL will always be applied first and WCCP will come after once traffic has been permitted through the interface ACL. That is the default behaviour of the firewall as it will not allow WCCP to even happen if traffic is being denied on interface level ACL.

If you don't want access for some users at all towards the Internet, then you can configure a deny above the permit ACL that you already have for the specific user IP address.

Will permitting intra-interface same-security-level traffic help in this case?

No, that command has nothing to do with WCCP.

"same-security-traffic permit intra-interface" is to allow traffic to go in and out the same interface.

However, in your topology, you will need WCCP to transparently send the traffic to Websense.
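The ordering described in the replies above, as an added configuration sketch that is not from the original posts: the interface ACL is written as narrowly as possible (a deny for a specific user placed above the web permits), and the WCCP redirect list then only sees traffic the interface ACL has already allowed. The subnet 192.0.2.0/24, the host 192.0.2.50, the Websense address 192.0.2.10 and the ACL names WCCP_REDIRECT and WCCP_SERVERS are assumptions made for illustration; only ACL_INSIDE comes from the thread.

```cisco
! --- Step 1: interface ACL, evaluated first on ingress to "inside" ---
! Assumed addresses (constructed): LAN 192.0.2.0/24, blocked user 192.0.2.50
! The deny must sit above the permits, because the first match wins.
access-list ACL_INSIDE extended deny tcp host 192.0.2.50 any eq www
access-list ACL_INSIDE extended deny tcp host 192.0.2.50 any eq https
! Permit only web ports from the LAN subnet instead of "ip any any"
access-list ACL_INSIDE extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list ACL_INSIDE extended permit tcp 192.0.2.0 255.255.255.0 any eq https
access-group ACL_INSIDE in interface inside
!
! --- Step 2: WCCP, evaluated only for traffic ACL_INSIDE has permitted ---
! Assumed Websense address (constructed): 192.0.2.10
! Do not redirect the appliance's own outbound requests back to itself
access-list WCCP_REDIRECT extended deny ip host 192.0.2.10 any
access-list WCCP_REDIRECT extended permit tcp 192.0.2.0 255.255.255.0 any eq www
! Only this host may register as a WCCP cache engine
access-list WCCP_SERVERS extended permit ip host 192.0.2.10 any
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_SERVERS
wccp interface inside web-cache redirect in
!
! --- Step 3: verify the order of operations ---
! The blocked user should be dropped at the ACCESS-LIST phase, so the
! packet never reaches the WCCP redirect.
! packet-tracer input inside tcp 192.0.2.50 1025 198.51.100.10 80
! show access-list ACL_INSIDE
! show wccp
```

Hit counters on the deny lines in `show access-list ACL_INSIDE` confirm that blocked users are stopped at the interface ACL rather than at the proxy.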
