10-06-2011 05:49 PM - edited 03-11-2019 02:35 PM
Hello,
I'm working on a WCCP issue with TAC and the TAC engineer told me that WCCP redirect only works if the redirected traffic (the permit ACL), the web-cache server, and the redirect interface are all on the same subnet. After looking into this it seems like that is not the case, otherwise you'd need a different IronPort WSA for every different subnet, no? Can anyone clarify what the actual requirements are?
Thanks!
10-06-2011 07:42 PM
That is a correct statement for WCCP on an ASA firewall.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html
ASA only supports both client and cache engine when they are connected from behind the same interface.
10-06-2011 08:26 PM
Yep, I saw that. But does that require that the entire redirect list be on the same subnet as clients and engine? The customer says WCCP is working at a different site, and that site's redirect list included several different subnets, which are also on different subnets than the cache server. Also, in that case the clients and engine can communicate without going through the firewall.
10-06-2011 08:43 PM
No, it doesn't need to be in the same subnet, as long as all those subnets, when they reach the ASA, are connected to the same ASA interface as the cache engine. You can have as many subnets as you like; however, they can only arrive on the same ASA interface as the cache engine.
E.g.:
Supported:
10.10.10.0/24, 20.20.20.0/24, 30.30.30.0/24 are the clients and connect to the ASA inside interface, and the cache engine is also connected to the ASA inside interface.
Not Supported:
10.10.10.0/24 - client, ASA inside interface, cache engine - ASA inside interface
20.20.20.0/24 - client, ASA DMZ-1 interface
30.30.30.0/24 - client, ASA DMZ-2 interface
In this case, only 10.10.10.0/24 is supported, the other 2 subnets aren't supported.
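The same-interface rule described in the reply above can be checked against a planned redirect list before deployment. The following is an added example, not part of the original thread or any Cisco tooling: the route-to-interface tables and the cache engine address 10.10.10.50 are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

def interface_for(target, routes):
    """Longest-prefix match: the ASA interface behind which `target` sits.
    Returns None when no single route covers the whole target."""
    net = ipaddress.ip_network(target, strict=False)
    best = None
    for prefix, ifname in routes.items():
        route = ipaddress.ip_network(prefix)
        if net.subnet_of(route) and (best is None or route.prefixlen > best[0].prefixlen):
            best = (route, ifname)
    return best[1] if best else None

def check_redirect_list(redirect_nets, cache_engine_ip, routes):
    """Map each redirect-list network to (ok, interface); ok is True only when
    it arrives on the same ASA interface as the cache engine."""
    engine_if = interface_for(cache_engine_ip, routes)
    report = {}
    for net in redirect_nets:
        ifname = interface_for(net, routes)
        report[net] = (ifname is not None and ifname == engine_if, ifname)
    return engine_if, report

# Constructed sample data mirroring the two layouts in the reply above.
CACHE_ENGINE = "10.10.10.50"  # assumed address, not from the thread
REDIRECT = ["10.10.10.0/24", "20.20.20.0/24", "30.30.30.0/24"]
SUPPORTED = {n: "inside" for n in REDIRECT}
NOT_SUPPORTED = {"10.10.10.0/24": "inside", "20.20.20.0/24": "DMZ-1", "30.30.30.0/24": "DMZ-2"}

if __name__ == "__main__":
    for name, routes in (("supported", SUPPORTED), ("not supported", NOT_SUPPORTED)):
        engine_if, report = check_redirect_list(REDIRECT, CACHE_ENGINE, routes)
        print(f"[{name}] cache engine is behind: {engine_if}")
        for net, (ok, ifname) in report.items():
            verdict = "redirect OK" if ok else "NOT redirected"
            print(f"  {net:<16} via {str(ifname):<6} -> {verdict}")
```

A redirect-list entry broader than any single route (for example 10.0.0.0/8 here) comes back with interface None and is flagged, since it may span several ASA interfaces.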