Solved: WCCP Redirection on Firepower FTD 4110

vantom85cisco · ‎08-23-2018

Hi Folks,

I have one Q regarding WCCP, currently we have FTD as internet facing FW with 3 interface:

Inside: connected with another DC FW

Outside: to internet

DMZ : DMZ servers and WSA

With above design we have WSA in transparent mode and any request to internet should be redirected by FTD to WSA then to internet excluding any (80,443 as well) requests to DMZ servers .

how can i configure WCCP on FTD ,Or is there any other suggestion based on best practise .

Thanks

Terry Grant · ‎08-23-2018

I made a copy of the WCCP template and used it as it was, even used the same variable names. Use the insert button to enter your variables. Create your ACLs before editing the flex config so they are available to assign when you insert the variable. Here is a screenshot, again I have not tested this config yet.

View solution in original post

Terry Grant · ‎08-29-2018

I was able to do some testing and got the WCCP redirection working, with some TAC help. The out of the box template had to be modified for this use case.

This was an FTD 2110 deployment, the client was not ready to use native URL filtering on the FTD, they wanted to continue to use a third party appliance via WCCP redirection.

I used two FlexConfig objects to deploy the configuration for service 0 (http) and service 70 (https). The FlexConfig deployed this CLI configuration to the FTD.

wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in

View solution in original post

Terry Grant · ‎08-23-2018

You have to use Flex Config. FMC has a template you can copy and modify. I just did this with 2110, but not tested yet.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/flexconfig_policies.html?bookSearch=true

vantom85cisco · ‎08-23-2018

Actually am facing some challenges to customize it ,can you paste what you have done please and replace password or ip with x.x.x.x

Terry Grant · ‎08-23-2018

I made a copy of the WCCP template and used it as it was, even used the same variable names. Use the insert button to enter your variables. Create your ACLs before editing the flex config so they are available to assign when you insert the variable. Here is a screenshot, again I have not tested this config yet.

Scott_22 · ‎04-05-2019

When you created your variables, did you have to add one for the inside interface?

Terry Grant · ‎04-08-2019

No I didn't, the variable $interfacename was already in the template, just supply the appropriate name in the variables list of the template. In this use case I used the security zone to reference the appropriate interface.

Terry Grant · ‎08-29-2018

I was able to do some testing and got the WCCP redirection working, with some TAC help. The out of the box template had to be modified for this use case.

This was an FTD 2110 deployment, the client was not ready to use native URL filtering on the FTD, they wanted to continue to use a third party appliance via WCCP redirection.

I used two FlexConfig objects to deploy the configuration for service 0 (http) and service 70 (https). The FlexConfig deployed this CLI configuration to the FTD.

wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in

zac ragoonath · ‎08-15-2023

Can you post a pic where you set the service = 0 please?