WCCP redirect question

jnommensen · ‎10-06-2011

Hello,

I'm working on a WCCP issue with TAC and the TAC engineer told me that WCCP redirect only works if the redirected traffic (the permit ACL), the web-cache server, and the redirect interface are all on the same subnet. After looking into this it seems like that is not the case, otherwise you'd need a different IronPort WSA for every different subnet, no? Can anyone clarify what the actual requirements are?

Thanks!

Jennifer Halim · ‎10-06-2011

That is a correct statement for WCCP on an ASA firewall.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html

ASA only supports both client and cache engine when they are connected from behind the same interface.

jnommensen · ‎10-06-2011

Yep, I saw that. But does that require that the entire redirect list be on the same subnet as clients and engine? The customer says WCCP is working at a different site and that site's redirect list included several different subnets and are also on different subnets than the cache server. Also in that case the clients and engine can communicate without going through the firewall.

Jennifer Halim · ‎10-06-2011

No, it doesn't need to be in the same subnet, as long as all those subnets when it reaches the ASA is connected to the same ASA interface as the cache-engine. You can have as many subnets as you like, however, it can only arrive on the same ASA interface as the cache engine.

Eg:

Supported:

10.10.10.0/24, 20.20.20.0/24, 30.30.30.0/24 are the clients, and connects to the ASA inside interface, and cache engine is also connected to the ASA inside interface.

Not Supported:

10.10.10.0/24 - client, ASA inside interface, cache engine - ASA inside interface

20.20.20.0/24 - client, ASA DMZ-1 interface

30.30.30.0/24 - client, ASA DMZ-2 interface

In this case, only 10.10.10.0/24 is supported, the other 2 subnets aren't supported.