ASA: WCCP fail close
Introduction

If a customer wants WCCP configured in "fail close" mode, that is, if WCCP fails the users should not be able to reach anything on port 80 (or 443), it can be achieved with the configuration below. On the ASA, traffic is first subjected to the access list applied inbound on the ingress interface and only then redirected to the WCCP cache engine. If the cache engine fails to service the request (for example because the service group is down), the ASA forwards the traffic along its normal path, subject to all other security checks, so the default behaviour is fail open. The design below relies on the cache engine fully proxying the web traffic with its own source address: permit 80/443 inbound on the inside interface, but on the outside interface allow 80/443 out only from the WCCP cache engine's address. Client web traffic that bypasses the cache engine then has nowhere to go, which is what the customer's application requires.

 

Configuration

The following configuration achieves this:

 

1.) On the inside interface, permit all traffic to ports 80 and 443 outbound (applied inbound on the inside interface):

 

access-list inside_access_outbound extended permit tcp any any eq 80

access-list inside_access_outbound extended permit tcp any any eq 443

access-group inside_access_outbound in interface inside

 

2.) Let's say the WCCP cache engine in the customer's environment has the IP address 10.107.1.4. We need to allow ONLY it out to the internet on ports 80 and 443.

 

Create a one-to-one static translation for it, where A stands for the public address the cache engine is translated to (this is the pre-8.3 static syntax; on 8.3 and later the same translation is expressed with object NAT, and the outside access list then references the real address instead of the mapped one):

 

static (inside,outside) A 10.107.1.4

access-list outside_access_outbound extended permit tcp host A any eq 80

access-list outside_access_outbound extended permit tcp host A any eq 443

access-list outside_access_outbound extended deny tcp any any eq 80

access-list outside_access_outbound extended deny tcp any any eq 443

access-list outside_access_outbound extended permit ip any any

access-group outside_access_outbound out interface outside

 

The last line is the catch-all that lets other applications exit the customer's network. Note that it only helps if those applications are also permitted by the inbound access list on the inside interface: as written in step 1, that access list permits only TCP 80 and 443, and everything else hits the implicit deny before it ever reaches the outside interface. Add entries for the other required protocols (DNS, mail and so on) to inside_access_outbound if they must pass.

Two caveats worth checking before relying on this design. First, the WCCP web-cache service group redirects TCP/80 only; redirecting 443 requires a dynamic service group that both the ASA and the cache engine support. Second, verify the cache engine's proxied requests really leave with its own address (that is, it is not configured for transparent or IP-spoofing mode), otherwise its traffic will be denied by the outside access list along with everything else.
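The fail-close behaviour of the two access lists above, as an added illustration that is not part of the original article or of any ASA code: a small Python model of the order in which the ASA applies the pieces (inside inbound ACL, WCCP redirect, static NAT, outside outbound ACL). The cache engine's mapped address 203.0.113.10 (standing in for "A"), the client and server addresses, and the assumption that a service group for 443 exists are all made up for the example.

```python
"""Model of the ASA fail-close WCCP design (added example, not ASA code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'any' or a host for src/dst, dport None = any port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and ace.dport in (None, pkt.dport))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match hits the ASA's implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# The two access lists from the article, with "A" filled in by an assumed address.
CACHE_REAL = "10.107.1.4"
CACHE_MAPPED = "203.0.113.10"            # assumed public address standing in for "A"
STATIC_NAT = {CACHE_REAL: CACHE_MAPPED}  # static (inside,outside) A 10.107.1.4

INSIDE_ACCESS_OUTBOUND = [
    Ace("permit", "tcp", "any", "any", 80),
    Ace("permit", "tcp", "any", "any", 443),
]
OUTSIDE_ACCESS_OUTBOUND = [
    Ace("permit", "tcp", CACHE_MAPPED, "any", 80),
    Ace("permit", "tcp", CACHE_MAPPED, "any", 443),
    Ace("deny", "tcp", "any", "any", 80),
    Ace("deny", "tcp", "any", "any", 443),
    Ace("permit", "ip", "any", "any"),
]
# Ports the WCCP service groups redirect. The web-cache group covers TCP/80
# only; 443 is included on the assumption that a dynamic service group exists.
REDIRECT_PORTS = frozenset({80, 443})


def forward(pkt: Packet, wccp_up: bool) -> Tuple[str, Optional[str]]:
    """Walk a packet from inside to outside and report what the ASA does.

    Returns (outcome, source address as seen on the outside), where outcome is
    one of 'dropped-inside', 'redirected', 'dropped-outside', 'forwarded'.
    """
    # 1. The inbound ACL on the inside interface is applied before WCCP.
    if not acl_permits(INSIDE_ACCESS_OUTBOUND, pkt):
        return "dropped-inside", None
    # 2. Redirect to the cache engine if the service group is alive. The
    #    cache engine's own traffic is never redirected.
    if (wccp_up and pkt.proto == "tcp" and pkt.dport in REDIRECT_PORTS
            and pkt.src != CACHE_REAL):
        return "redirected", None
    # 3. Otherwise the normal path: translate, then the outbound ACL on outside.
    #    Hosts without a static keep their address here (PAT is not modelled;
    #    the deny entries match any source, so it makes no difference).
    egress = Packet(STATIC_NAT.get(pkt.src, pkt.src), pkt.dst, pkt.proto, pkt.dport)
    if not acl_permits(OUTSIDE_ACCESS_OUTBOUND, egress):
        return "dropped-outside", egress.src
    return "forwarded", egress.src


if __name__ == "__main__":
    client = Packet("10.107.1.50", "198.51.100.7", "tcp", 80)   # assumed addresses
    cache = Packet(CACHE_REAL, "198.51.100.7", "tcp", 80)
    print("client, WCCP up:  ", forward(client, True))     # redirected
    print("client, WCCP down:", forward(client, False))    # dropped-outside: fail close
    print("cache engine:     ", forward(cache, False))     # forwarded as 203.0.113.10
```

Running the model with WCCP down shows client port 80/443 traffic dropped at the outside interface while the cache engine's own requests still leave under its mapped address. Feeding it a UDP/53 or TCP/22 packet also shows the implicit deny of the inside access list as written in step 1, which is why other applications need their own entries there.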