
ASA: WCCP step by step configuration


Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1002608

Prerequisite

The ASA must be running at least version 7.2.1 to support the WCCP feature.

Limitations

  1. The only topology the adaptive security appliance supports is one where the client and the cache engine are behind the same ASA interface and the cache engine can communicate directly with the client without passing through the ASA.
  2. The Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ or outside interface IP address, the WCCP server must have a route to that Router ID address pointing to the ASA's interface.

Topology

wccp-topo.png

 

How WCCP works

  • The PC makes a request to a website.
  • The ASA receives the request and redirects it to the WCCP server inside a GRE-encapsulated packet, so the original packet is not modified.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration

 

1. Configure an access-list containing all WCCP server members (cache engines).

There is only one WCCP server in this example.

 

ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any

 

2. Create an access-list of the traffic that needs to be redirected to WCCP.

The access-list argument is a string of no more than 64 characters (name or number) that specifies the access list. The access list should only contain network addresses; port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any

 

3. Enable WCCP

 

ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic

 

4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects it to the cache engines.

 

ASA(config)#wccp interface inside web-cache redirect in

 

5. Enable WCCP to redirect native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider which service IDs they support. You can specify a service number between 0 and 254.

 

ASA(config)#wccp interface inside service 60 redirect in

 

 

Final Configuration Section:


access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any

!
access-list wccp-servers extended permit ip host 192.168.6.10 any

!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
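As an added example (not from the page or from Cisco), a small Python lint that checks an ASA WCCP configuration against the constraints this page states: access-list names of at most 64 characters, redirect-list entries that contain network addresses only, service IDs of web-cache or 0-254, and every interface redirect pointing to a defined service. It also warns when a cache engine host from the group-list is not explicitly denied in the redirect-list, which is the loop-prevention practice raised in the comments below; the sample configuration is constructed from the page's final configuration plus two deliberate mistakes.

```python
MAX_ACL_NAME = 64   # documented limit for the WCCP access-list name (name or number)

def parse_config(text):
    # Collect ACL entries, 'wccp <service>' definitions and 'wccp interface' redirects
    acls, services, redirects = {}, {}, []
    for line in text.splitlines():
        tok = line.strip().lower().split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            body = tok[3:] if tok[2] == "extended" else tok[2:]
            acls.setdefault(tok[1], []).append(body)      # [action, proto, src.., dst.., port..]
        elif tok[:2] == ["wccp", "interface"]:
            redirects.append((tok[2], tok[3]))            # (interface, service)
        elif tok[0] == "wccp":
            services[tok[1]] = dict(zip(tok[2::2], tok[3::2]))   # service -> {keyword: value}
    return acls, services, redirects

def lint(text):
    # Return a list of findings; an empty list means every check passed
    acls, services, redirects = parse_config(text)
    out = [f"acl {n}: name exceeds {MAX_ACL_NAME} characters" for n in acls if len(n) > MAX_ACL_NAME]
    for svc, opts in services.items():
        if svc != "web-cache" and not (svc.isdigit() and int(svc) <= 254):
            out.append(f"service {svc}: id must be web-cache or 0-254")
        for role in ("redirect-list", "group-list"):
            if opts.get(role) not in acls:
                out.append(f"service {svc}: {role} {opts.get(role)} is not a defined access-list")
        redir = acls.get(opts.get("redirect-list"), [])
        for e in redir:      # network addresses only: no tcp/udp and no port operators
            if e[1] != "ip" or {"eq", "neq", "range", "gt", "lt"} & set(e):
                out.append(f"service {svc}: port-specific redirect-list entry: {' '.join(e)}")
        # loop-prevention practice from the comments: deny the cache engine itself in the redirect-list
        denied = {tuple(e[2:4]) for e in redir if e[0] == "deny"}
        for e in acls.get(opts.get("group-list"), []):
            if e[2] == "host" and ("host", e[3]) not in denied:
                out.append(f"service {svc}: cache engine {e[3]} is not denied in the redirect-list")
    for iface, svc in redirects:
        if svc not in services:
            out.append(f"interface {iface}: redirect for undefined service {svc}")
    return out

# constructed sample: the page's final configuration plus a port-specific entry and an undefined service
SAMPLE = """\
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-servers extended permit ip host 192.168.6.10 any
access-list proxylist extended permit tcp object-group LANPC any eq www
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp 70 redirect-list proxylist group-list wccp-servers
wccp interface inside 60 redirect in
"""
```

Run `lint(SAMPLE)` to see the four findings; a configuration that denies the cache engine host at the top of its redirect-list and references only defined services returns an empty list.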

 

Show commands and debugs:

show wccp web-cache

show wccp interface

debug wccp event

debug wccp packets

Comments
Enthusiast

@Mohd,

You can specify the port number in the redirect ACL, but it is not required. IronPort service configuration specifies the ports that need to be redirected. If you say 80/443 in the IronPort service, the WCCP router will only redirect 80/443 even with IP (not TCP/UDP) specified in the access-list. I am doing it currently on 6807 and ASR routers. I did the same previously on an ASA, as documentation at the time recommended not configuring the port number.

Thanks,
Mark

Enthusiast

Mohd,

Note: In redirect-list, the access list should only contain network addresses. Port-specific entries are not supported.

That is from:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html#anc6

I'm not sure if it is still not supported, but it was not supported at the time I configured it on an ASA. In any case, the ports are not required in the redirect ACL.

Thanks,
Mark

Contributor

The web GUI to our IronPort S170 is VERY slow. Utilization-wise we had TAC check it out and it is operating within guidelines. They said to check if WCCP was denied to our S170 to prevent looping, which would cause the slowness. To me it looks like it is; here is all of our config.

wccp web-cache redirect-list proxylist group-list wsa-farm password *****
wccp 70 redirect-list proxylist-https group-list wsa-farm password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

access-list wsa-farm extended permit ip host 10.1.0.4 any
access-list proxylist extended deny ip host 10.1.0.4 any
access-list proxylist extended permit tcp object-group LANPC any eq www

access-list proxylist-https extended deny ip host 10.1.0.4 any
access-list proxylist-https extended permit tcp object-group KIOSK any eq https

Does that look correct? The IPs in object-group LANPC and KIOSK are properly WCCP redirected. I am in LANPC and when I access our WSA at 10.1.0.4, it's very slow to navigate around in the browser. I think that first statement covers the deny so going directly to it doesn't cause some sort of a WCCP loop.

Beginner

Good Day everyone. :-)

 

I would appreciate some assistance and guidance. 

 

I’ve created a new eduroam network at one of my sites.

 

I would like to add the new range to my Firewall and WCCP

 

So far this is what I have done:

 

Configured WCCP -

 

wccp web-cache redirect-list redirect-traffic group-list smoothwall password *****

wccp 70 redirect-list redirect-traffic group-list smoothwall password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

 

Access-list added - 

access-list redirect-traffic line 39 extended permit ip 10.204.0.0 255.255.240.0 any

 

I'm getting hits on that subnet, but I wish it to go through the smoothwall and I'm not sure if it is doing that. 

 

Help would be much appreciated.

 

Thank you 

Beginner

I have a 5525-x ASA on 9.8.2 and McAfee web gateway.

I need to configure wccp on the ASA to redirect the traffic to my virtual proxy.

 

One thing, my users are not directly behind the ASA, but they're behind the core and access switches, so their default gateway is not the ASA but my core. The inside interface of the ASA is the default gateway for my core.

Is the default gateway a requirement for the users?

 

Thanks,

 

L