cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15217
Views
16
Helpful
7
Replies

WCCP Redirection on Firepower FTD 4110

vantom85cisco
Level 1
Level 1

Hi Folks,

 

I have one Q regarding WCCP, currently we have FTD as internet facing FW with 3 interface:

 

Inside: connected with another DC FW

Outside: to internet

DMZ : DMZ servers and WSA

 

With above design we have WSA in transparent mode and any request to internet should be redirected by FTD to WSA then to internet excluding any (80,443 as well) requests to DMZ servers .

 

how can i configure WCCP on FTD ,Or is there any other suggestion based on best practise .

 

Thanks

2 Accepted Solutions

Accepted Solutions

I made a copy of the WCCP template and used it as it was, even used the same variable names.  Use the insert button to enter your variables.  Create your ACLs before editing the flex config so they are available to assign when you insert the variable.  Here is a screenshot, again I have not tested this config yet.

 

wccp.PNG

View solution in original post

I was able to do some testing and got the WCCP redirection working, with some TAC help.  The out of the box template had to be modified for this use case. 

This was an FTD 2110 deployment, the client was not ready to use native URL filtering on the FTD, they wanted to continue to use a third party appliance via WCCP redirection.

I used two FlexConfig objects to deploy the configuration for service 0 (http) and service 70 (https).  The FlexConfig deployed this CLI configuration to the FTD.

 

wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in

 

View solution in original post

7 Replies 7

Terry Grant
Level 1
Level 1

You have to use Flex Config. FMC has a template you can copy and modify.  I just did this with 2110, but not tested yet.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/flexconfig_policies.html?bookSearch=true 

vantom85cisco
Level 1
Level 1

Actually am facing some challenges to customize it ,can you paste what you have done please and replace password or ip with x.x.x.x

I made a copy of the WCCP template and used it as it was, even used the same variable names.  Use the insert button to enter your variables.  Create your ACLs before editing the flex config so they are available to assign when you insert the variable.  Here is a screenshot, again I have not tested this config yet.

 

wccp.PNG

When you created your variables, did you have to add one for the inside interface?

No I didn't, the variable $interfacename was already in the template, just supply the appropriate name in the variables list of the template.  In this use case I used the security zone to reference the appropriate interface. 

I was able to do some testing and got the WCCP redirection working, with some TAC help.  The out of the box template had to be modified for this use case. 

This was an FTD 2110 deployment, the client was not ready to use native URL filtering on the FTD, they wanted to continue to use a third party appliance via WCCP redirection.

I used two FlexConfig objects to deploy the configuration for service 0 (http) and service 70 (https).  The FlexConfig deployed this CLI configuration to the FTD.

 

wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in

 

Can you post a pic where you set the service  = 0 please?

Review Cisco Networking for a $25 gift card