Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1179
Views
15
Helpful
5
Replies

WCCP Questions

Go to solution
Craddockc
Level 3
Level 3

‎09-01-2017 10:20 AM - edited ‎02-21-2020 06:15 AM

Community,

 

Were trying to roll out WCCP and I had some questions that I could not find the answers to online. After reading the following article, although helpful, I did have some questions.

 

https://supportforums.cisco.com/t5/security-documents/asa-wccp-step-by-step-configuration/ta-p/3126636#How_wccp_works

 

1) The article states the following:

 

"The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance."

 

does this mean that the WCCP Server and the clients have to be on the same subnet as the ASA interface doing the redirecting? Or does this mean that only the WCCP server has to be on the same subnet as the interface doing the redirecting? In this depiction, the clients, the interface and the WCCP server are all on the same subnet, but I dont have a flat subnet like this. I have multiple vlans with multiple user subnets who all need to be redirected to the same WCCP server that may exist on a different subnet.

 

2) The paragraph also states that the WCCP Server must have the ability to reach the clients directly without having to traverse the ASA. Does this mean that once the traffic is redirected to the WCCP Server that the return traffic from the WCCP server cannot pass through the ASA again otherwise the flow will fail?

 

My client networks get defaulted routed via vlan 125 (shown below) to the Inside Interface of the ASA for default route processing.

 

Client Networks:

10.132.129.0/24 (vlan 132)

10.134.129.0/24 (vlan 134)

10.140.129.0.24 (vlan 140)

10.144.129.0/24 (vlan 144)

 

0.0.0.0 0.0.0.0 --> 10.125.0.1 (Inside Interface of the ASA)

 

10.125.0.9 (vlan 125 interface on switch, used as transport vlan to route to firewall)

 

In this case, does the wccp server have to be on the 10.125.0.0/24 network? And does the upstream switch connecting to the firewall have to be able to route the traffic back from the wccp server to the clients without going through the inside interface of the firewall again? 

 

Thanks for any help you can provide. 

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-01-2017 07:59 PM

Hi 

 

On asa the limitation is that when you redirect the traffic to wccp server the packet has to go through the same interface. 

If packets from your hosts arrive to your asa interface called inside, the wccp server has to be reachable from the inside interface otherwise it won't work. 

It's not necessary that hosts and wccp server reside to the same subnet. 

 

The direct communication between wccp server and hosts is necessary because when a host tries to reach a website, the traffic is redirected to wccp and wccp server initiate the communication to outside with its own ip. When the internet server replies to wccp, the information is cached and forwarded directly to the host without passing through asa. If you don't have a direct communication it won't work. 

 

Thanks 

 

PS: Please don't forget to rate and select as validated answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Craddockc

‎09-05-2017 08:02 AM

Hi

 

It has to be on the same interface YES but not matter which subnet.

If the server is reachable from another interface it won't work.

 

You can have let's say, your inside subnet (interconnection from ASA to your core switch) and beside the switch you will have multiple vlans.. The server WCCP can reside on any on those subnets (vlans).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-01-2017 07:59 PM

Hi 

 

On asa the limitation is that when you redirect the traffic to wccp server the packet has to go through the same interface. 

If packets from your hosts arrive to your asa interface called inside, the wccp server has to be reachable from the inside interface otherwise it won't work. 

It's not necessary that hosts and wccp server reside to the same subnet. 

 

The direct communication between wccp server and hosts is necessary because when a host tries to reach a website, the traffic is redirected to wccp and wccp server initiate the communication to outside with its own ip. When the internet server replies to wccp, the information is cached and forwarded directly to the host without passing through asa. If you don't have a direct communication it won't work. 

 

Thanks 

 

PS: Please don't forget to rate and select as validated answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
Craddockc
Level 3
Level 3
In response to Francesco Molino

‎09-05-2017 07:59 AM

Francesco,

 

Thanks so much for the reply. So to clarify, the WCCP server must be on the same subnet as the Layer 3 interface of the ASA that is doing the redirection? If the WCCP server resides on a different subnet reachable by a different interface of the ASA it wont work? Even if there are valid routes in the ASA to reach it? 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Craddockc

‎09-05-2017 08:02 AM

Hi

 

It has to be on the same interface YES but not matter which subnet.

If the server is reachable from another interface it won't work.

 

You can have let's say, your inside subnet (interconnection from ASA to your core switch) and beside the switch you will have multiple vlans.. The server WCCP can reside on any on those subnets (vlans).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
Craddockc
Level 3
Level 3
In response to Francesco Molino

‎09-05-2017 09:21 AM

Francesco,

 

Got it! So the traffic destined to the WCCP server MUST traverse the interface thats doing the redirecting to get there. Youre right, this situation doesnt always include the WCCP server being on the same vlan as the interface being used to redirect traffic but the route to the WCCP server must be taken over the same interface. Thanks again for your responses! 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Craddockc

‎09-05-2017 02:51 PM

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card