Introduction
If you come across a case wherein the cu want to configure wccp in "fail close" mode, that is, if the wccp fails, the users should not be able to access anything on port 80, we can achieve it using the following. As per the WCCP configuration, the traffic will be first subjected to access-lists inbound on the interface. Then, if the WCCP server fails to service the request, the traffic will be subject to all other security checks on the ASA. Initial thoughts are that the traffic will be full-proxied by the WCCP server. Therefore, if we permit 80/443 traffic inbound on the inside interface, but allow only outbound on the outside interface from the WCCP server only, then this may serve the customer's application.
Configuration
We can try the following to achieve the same:
1.) On the inside interface, be sure to permit all traffic for port 80 and 443 to be permitted outbound.
access-list inside_access_outbound extended permit tcp any any eq 80
access-list inside_access_outbound extended permit tcp any any eq 443
access-group inside_access_outbound in interface inside
2.) Lets say that the WCCP server used in customer's environment has the ip of 10.107.1.4. We need to allow ONLY it out to the internet.
Create a one to one static as follows:
static (inside,outside) A 10.107.1.4
access-list outside_access_outbound extended permit tcp host A any eq 80
access-list outside_access_outbound extended permit tcp host A any eq 443
access-list outside_access_outbound extended deny tcp any any eq 80
access-list outside_access_outbound extended deny tcp any any eq 443
access-list outside_access_outbound extended permit ip any any
access-group outside_access_outbound out interface outside
The last line will be the catch all that will allow other applications to exit customer's network.