Re: WCCP Across ASA

abaghir · ‎06-22-2007

We have implemented WCCP between Cisco router and Bluecoat cache engine, there's a ASA placed in between so we have configured the firewall to allow ports (UDP 2048, & GRE) in order for the WCCP sessions to be established.

The WCCP sessions is being established but transparent proxy is not working, it seems that the firewall is blocking the users traffic since the router is redirecting, putting in mind that everything was working fine before we put the firewall in place, below the ACL configured on the ASA:

access-list 100 line 24 extended permit gre <Router IP> <Cache Engine IP>

access-list 100 line 25 extended permit udp <Router IP> <Cache Engine IP> eq 2048

WCCP Information on the Router:

Service Identifier: 20

Number of Cache Engines: 1

Number of routers: 1

Total Packets Redirected: 378

Redirect access-list: 190

Total Packets Denied Redirect: 1317809

Total Packets Unassigned: 1832

Please advice what could be the cause of that and if is there any additional configuration needs to be done on the firewall?

lisa.hall · ‎06-28-2007

KIndly ensure that the following things are in place,

The client and cache engine must be on the same interface of the Adaptive Security Appliance (ASA).

ASA uses Generic Routing Encapsulation (GRE) based on Web Cache Communications Protocol (WCCP) version 2.

Configure the PIX/ASA IP in the proxy to register the proxy and filter allowed caches if required.

You can use denies in the access control list (ACL) to bypass WCCP for some sites.

HTTP traffic always uses id 0 aka web-cache. Other types of traffic use predefined ID numbers

abaghir · ‎07-01-2007

The users and cache engine NOT connected on the same interface, the users & ASA connected on separate physical interfaces of the router and the cache engine is connected to the ASA, looks like below drawing,

Users

|

Router ---> ASA ---> Cache Engine

|

Internet