cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11968
Views
10
Helpful
9
Replies

WCCP Redirection on Firepower FTD 2110

nimalrajphilips
Level 1
Level 1

Hello All,

 

Has anyone configured transparent WCCP redirection on Cisco FTD managed by FMC? I couldn't find any online referrals for this. Appreciate the expert help.

 

Thank you

Nimalraj

9 Replies 9

Marvin Rhoads
Hall of Fame
Hall of Fame

There is a flexconfig template for it as of release 6.2. I've not had any success with getting it to work just yet though.

 

I admit comprehension of the Velocity scripting language they use in the template is poor ...but the explanation of the template is even more poor. :)

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html#id_39923

Marvin, did you had any luck with WCCP in getting it to work?

No - I haven't had time to dig back into it. It's on my "to do list" though.

 

I'd be happy to learn from somebody else though.

This is what I ended up with for wccp in FlexConfig.

 

wccp 80 redirect-list $wccpRedirectList group-list $wccpGroupList password @wccpPassword

wccp interface egh-inside 80 redirect in
 
Just the two lines.  The "$wccpRedirectList" represents the redirect extended ACLand the "$wccpGroupList" represents the wccp server extended ACL.
Those were both entered via the drop down box as "insert-->insert policy object-->Extended ACL Object"
The "@wccpPassword" represents the secret password.  Entered via drop down box as "insert-->Insert Secret Key".  Add an object from the FlexConfig text object pre-defined as "wccpPassword" and enter the real password.
 
It should look like this from the FTD device command line.  the command line puts in the real ACL names.
wccp 80 redirect-list "Real ACL Name for Redirect" group-list "Real ACL Name for Servers" password *****
wccp interface inside 80 redirect in
 
I hope this helps someone, because I couldn't find anything online either.

 

 

Hi,

 

Yes, I had configured the WCCP redirection on FTD 2100's using FMC in both transparent and non transparent modes. Just make sure one thing in any scenario, both web users and client(proxy server) have to be behind the same interface but not necessarily in the same network. rest of the wccp configuration on FTD is similar to ASA but using flexconfig. 

Alex Garcia
Level 1
Level 1

I had the same problem. No enough documentation available online but here is what I did with a couple of 2130s.

 

I used the template and modified it with some information.

 

#set( $service = "web-cache")
#if( $isServiceIdentifier == "true")  <--Changed this object from false to true
#set( $service = "$serviceIdentifier")  <- Change this value to 90 o 91 depends of what port you need to filter 80 or 443
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wsas )
#set( $wccpCli = "$wccpCli group-list $wsas1")  <- This is the ACL with the WSA IP running WCCP
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $Redirect_List )
#set( $wccpCli = "$wccpCli redirect-list $Redirect_List1")  <-- This is the ACL with the redirection policies.
#end

$wccpCli

#### Assiging wccp onto interface
#foreach( $inside1 in $inside2)  <- updated this inside interface in inside zone
wccp interface inside 90 redirect in  <- This is clear text using the service ID you defined above (do not insert, just type it).
#end

Have any of you use WCCP on 6.3.0 release. We have 6.3.0 deployed with WCCP configuration but it is not working. I can see the config in the FTD when using the show commands but it is not sending any traffic to the WCCP appliance. 

Hi James, 

 

The configuration I posted few days ago is running in a FTD2130 with FXOS 2.4 and FTD 6.3.0.2.  It is working like a champ.

Hi Alex

I have 2 virtual WSAs for redundancy, both running in transparent mode. We currently have our ASAs using one as a primary and the other as a secondary(not forwarding unless the primary dies). Do you know what the template would look like to accommodate two WSA?

Current config
wccp 90 redirect-list wccp-hosts group-list proxy01 password *****
wccp 91 redirect-list wccp-hosts group-list proxy02 password *****
wccp interface INSIDE 90 redirect in
wccp interface INSIDE 91 redirect in

New config
Would I need to use two entries for the service identifier???
#set ( $service = "$90")
#set ( $service = "$91")

Would I use two lines and reference two separate ACLs???
#set( $wccpCli = "$wccpCli group-list $proxy01")
#set( $wccpCli = "$wccpCli group-list $proxy02")

Would I use two lines for each redirection, one per service identifier???
wccp interface $INSIDE $90 redirect in
wccp interface $INSIDE $91 redirect in





Review Cisco Networking for a $25 gift card