Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10857
Views
0
Helpful
15
Replies

WCCP Redirection on ASA

networker99
Level 1
Level 1

‎04-19-2010 05:43 AM - edited ‎03-11-2019 10:34 AM

I am not able to get WCCP working on the ASA (with Websense).  How does the ASA know the IP address of the websense box as I am unable to see it in the configuration?

Below is what I have configured.  My clients go out to the internet but are not redirected to the websense proxy

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

Internal proxy (websense) 1.1.1.1

Internal network 1.1.1.1/24

ASA configuration

ACL applied to inside interface

access-list inside_in line 4 extended permit tcp 1.1.1.0 255.255.255.0 any eq ssh
access-list inside_in line 5 extended permit tcp 1.1.1.0 255.255.255.0 any eq ftp

access-list inside_in line 6 extended permit tcp 1.1.1.0 255.255.255.0 any eq https
access-list inside_in line 7 extended permit tcp 1.1.1.0 255.255.255.0 any eq www
access-list inside_in line 8 extended permit ip host 1.1.1.1 any

WCCP traffic for redirection
access-list WS-HTTP line 1 extended deny ip host 1.1.1.1 any
access-list WS-HTTP line 2 extended permit tcp any any eq www

WCCP config

wccp web-cache redirect-list WS-HTTP
wccp interface inside web-cache redirect in

Labels:
0 Helpful
15 Replies 15

bobb
Level 1
Level 1
In response to networker99

‎07-12-2010 10:30 AM

It appears the service group is not registered with the ASA.

Websense uses service group 0 (http) and 70 (https) by default.   While web-cace should be service group 0, I suggest using 0 as the service group number.   Once the proxy has registered with the ASA, the proxy's IP address should show up. 

Other items to check for a service group not registering:

- Is UDP port 2048 open between the proxy and ASA (for WCCP messages)  (Debug implies this is working )

- Is the router ID of the ASA routable?  (i.e. can the proxy ping the router id)

As far as the return issue.  I am not sure which return is in question.  If the WCCP return (for bypassed packets in the case of a non-proxy site or load shedding) those will be presented to the ASA via L2 (ip forwarding in some contexts) by Websense and that needs to be reviewed in the design to prevent a loop.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card