ASA: WCCP step by step configuration

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1002608

Prerequisite

The ASA must be running at least 7.2.1 code to be able to configure the WCCP feature.

Limitations

  1. The only topology that the adaptive security appliance supports is one where the client and the cache engine are behind the same interface of the adaptive security appliance and the cache engine can communicate directly with the client without going through the adaptive security appliance.
  2. The router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to that router ID address pointing to the ASA's interface.

Topology

[Topology diagram: wccp-topo.png]

How WCCP works

  • The PC makes a request to a website.
  • The ASA receives the request and redirects it to the WCCP server in a GRE-encapsulated packet, so the original packet is not modified.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration

1. Configure an access-list containing all the WCCP servers (cache engines) in the group.

There is only one WCCP server in this example.

ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any

2. Create an access-list of the traffic that needs to be redirected to WCCP.

The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list. The access list should only contain network addresses. Port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any

3. Enable WCCP

ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic

4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects it to the cache engines.

ASA(config)#wccp interface inside web-cache redirect in

5. Enable WCCP redirection of native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider which service IDs they support. You can specify a service number between 0 and 254.

ASA(config)#wccp interface inside service 60 redirect in

Final Configuration Section:

access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
!
access-list wccp-servers extended permit ip host 192.168.6.10 any
!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in

Show commands and debugs:

show wccp web-cache
show wccp interface
debug wccp event
debug wccp packets

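As an added example that is not part of the original article, the following Python script checks a configuration dump against the rules stated above: redirect-list entries must be network-only, every interface redirect must reference a service enabled with a global wccp command, and the router ID is the ASA's highest interface IP, which may sit on a different interface than the redirecting one. The sample configuration is constructed from the final configuration above plus interface addresses and two deliberate mistakes; the nameif/ip address parsing is simplified and IPv4-only.

```python
import ipaddress
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}  # port operators an ACE may carry

# Constructed sample: the article's final config plus interface IPs, a port-specific ACE and an unenabled service.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif inside
 ip address 192.168.6.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 ip address 192.168.7.1 255.255.255.0
access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any
access-list wccp-traffic extended permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list wccp-servers extended permit ip host 192.168.6.10 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
wccp interface inside service 60 redirect in
"""

def parse_asa(config):  # -> (acls, services, redirects, interface IPs)
    acls, services, redirects, ifaces, nameif = {}, {}, [], {}, None
    for t in (line.split() for line in config.splitlines()):
        if not t or t[0] == "!": continue
        if t[0] == "access-list":             # access-list <name> extended <ace ...>
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "nameif":                # remember the name for the ip address that follows
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.IPv4Address(t[2])
        elif t[:2] == ["wccp", "interface"]:  # wccp interface <if> [service] <svc> redirect in
            redirects.append((t[2], t[4] if t[3] == "service" else t[3]))
        elif t[0] == "wccp":                  # wccp <svc> [redirect-list X] [group-list Y]
            services[t[1]] = dict(zip(t[2::2], t[3::2]))
    return acls, services, redirects, ifaces

def audit_wccp(config):  # -> list of findings, empty when the WCCP parts look sane
    acls, services, redirects, ifaces = parse_asa(config)
    findings = []
    for svc, opts in services.items():
        for ace in acls.get(opts.get("redirect-list"), []):
            if PORT_OPS & set(ace):           # redirect-list must hold network entries only
                findings.append(f"{svc}: port-specific ACE not supported in redirect-list: {' '.join(ace)}")
    for ifname, svc in redirects:
        if svc not in services:
            findings.append(f"{ifname}: service {svc} redirected but never enabled with 'wccp {svc}'")
    router_id = max(ifaces.values(), default=None)  # the ASA uses its highest interface IP
    for ifname in {i for i, _ in redirects} & set(ifaces):
        if ifaces[ifname] != router_id:       # limitation 2: cache engine needs a route to it
            findings.append(f"{ifname}: router ID {router_id} is on another interface; the cache engine needs a route to it via the ASA")
    return findings
```

Running audit_wccp(SAMPLE_CONFIG) reports the port-specific ACE, the unenabled service 60 and the router ID landing on the dmz interface.
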
Comments
csco12434455
Beginner

Hi,

Please, I have a little problem with denying some IP addresses from being cached on my cache box. I used my cache box to block many websites on my inside network 192.168.1.0/24, but I want to permit a few IP addresses to have access to those websites by doing this on my firewall ASA.

access-list wccp-users line 2 extended deny tcp host 192.168.1.77 host 192.168.1.18 eq www
access-list wccp-users line 3 extended deny tcp host 192.168.1.18 host 192.168.1.77 eq www
access-list wccp-users line 4 extended deny tcp host 192.168.1.18 host 192.168.1.81 eq www
access-list wccp-users line 5 extended deny tcp host 192.168.1.81 host 192.168.1.18 eq www
access-list wccp-users line 6 extended permit tcp 172.168.1.0 255.255.255.0 any eq www
access-list wccp-users line 7 extended permit ip 172.168.1.0 255.255.255.0 any
access-list wccp-users line 8 extended permit ip any any
omsasa(config)#access-list wccp-server extended permit ip host 192.168.1.18 any

My cache box IP is 192.168.1.18.

After my configuration, the cache box still denies those two IP addresses (192.168.1.77 and 192.168.1.81) access to those blocked websites. Please, I need help on how to get this problem solved. My aim is to see that these two IP addresses are not being cached by the cache box. Thanks.

Hi Team,

Could you please explain this more.

I got to know that "In redirect-list, the access list should only contain network addresses. Port-specific entries are not supported."

Which means that if you have port-specific entries in the ACL, then this would not work.

But I did this for my client and have also seen many examples of the same, and it works fine.

If we do not define port-specific entries in the ACL, then WCCP will unnecessarily redirect all the traffic towards the WSA, which is of no use.

Can someone please explain it in more detail.

kerstin-534
Beginner

Hi, you are wrong. In the context of WCCP the ASA is the WCCP server and the cache engine is the WCCP client.

br Fritz

rikherlaar
Beginner

I would agree - I didn't see much documentation explaining a one-on-one replacement model for WCCP. Obviously this is beyond the scope of ASA to start with but even so...

The numbers shown above look impressive but it would be nicer to see the "source" and a link to a decent Deployment / Implementation Guide.

MARK BAKER
Enthusiast

Hi Junaidboss,

I believe from when I worked with WCCP on the ASA before and saw that specifying ports was at least not recommended that I found out the WCCP client configuration is where the redirected ports are configured and not on the ASA itself.

I'll update if I find this is not correct.

Thanks,
Mark

Ramakrishnan V
Beginner

Will WCCP redirection work on multiple physical interfaces?

I have a firewall which has an inside and 4 DMZ interfaces (the DMZs are configured as sub-interfaces). I made WCCP redirection (for ports 80 and 443) for all my Inside networks and it is working fine.

Now I would like to add WCCP redirection for my DMZ interface as well. Note my group-list (the WCCP servers are residing in the Inside segment).

I already configured "wccp interface inside web-cache redirect in".

So adding DMZ networks in the "redirect-list" and "wccp interface dmz100 web-cache redirect in", will that work?

Please suggest how I could add my DMZ networks into WCCP redirection.

_Ratha_
Beginner

This configuration is on a Cisco ASA. Can you give me a sample of WCCP v2 on a Cisco router?

MARK BAKER
Enthusiast

Ramakrishnan,

With an ASA, the WCCP client (Cache) needs to be out the same interface that is doing the redirection. You would need a WCCP client in each DMZ. Not sure if your WCCP client can be virtualized or not, but that may be an option. I haven't worked with any that could. There may be other ways to get a single cache to appear to be behind multiple ASA interfaces like VRFs and route leaking possibly, but I haven't done that.

I had this same issue with a URL filtering / malware / virus appliance. I set it up where inside hosts were WCCP redirected for complete inspection of the traffic and RA VPN users were set up with the older url-server feature to only do URL filtering to the same client. I was using Websense which was supported with this feature.

Mark

marco.simoes1
Community Member

Hi,

I am having problems to setup Cisco ASA Firewall to redirect HTTP and HTTPs traffic to my Web Cache using WCCP. My sw and hw versions are:

Cisco Adaptive Security Appliance Software Version 9.2(4)8
Device Manager Version 7.5(2)153

Compiled on Wed 24-Feb-16 21:59 PST by builders
Hardware:   ASA5585-SSP-20, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

My Web cache is successfully connecting the Cisco ASA as a router:

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.7.10
        Protocol Version:                    2.0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       4
        Total Bypassed Packets Received:     0

But no traffic is being redirected.

My access lists are defined like this:

access-list wccp-servers  extended permit ip host 172.31.5.5 any

access-list wccp-traffic  extended deny tcp host 172.31.5.5 any
access-list wccp-traffic  extended permit tcp 172.31.5.0 255.255.255.0 any eq www
access-list wccp-traffic  extended permit tcp 172.31.5.0 255.255.255.0 any eq https
access-list wccp-traffic  extended deny ip any any

The “Here-I-Am” and "I-See-You" protocol between the Cisco ASA and the Web cache is working fine, but the Cisco ASA is still not redirecting HTTP and HTTPS traffic to the Web cache.

Any help to fix this configuration or monitoring the Cisco ASA to understand what is happening would be appreciated.

Best,

Marco

Hi Vibhor,

Does this method redirect HTTPS traffic as well?

Because I configured it, but it only redirects HTTP, not HTTPS.

Can you please help me to configure it?

I already defined service identifier 70, but it does not hit any traffic, while for HTTP it works fine.

Thanks.

MARK BAKER
Enthusiast

Bahadur,

WCCP can redirect HTTPS. Your redirect ACL would have to allow it and the WCCP client would need to be configured to request HTTPS redirect either in the same service as HTTP (if supported) or a separate one. The WCCP client is where you configure the ports that you want to redirect. The client (websense, IronPort...) informs the router of the ports through WCCP.

I included a screen shot of Websense being configured for both HTTP and HTTPS in the same service.

Thank you,

Mark

serdar.nazli
Beginner

Hi,

Is there any way to enable wccp just on specific context?

MARK BAKER
Enthusiast

Hi Serdar,

Documentation says that WCCP is supported in single and multi-context modes. This means that you would be able to configure it on a per context basis.

Certifiedvk
Community Member

Hi everyone,

I have got an ASA 5525-X with 9.6 and I am trying to configure WCCP for web-traffic redirection.

It is selecting the DMZ address as the router ID for WCCP, being the highest IP. I have a default route on the inside network pointing to the firewall inside.

With the current configuration, I am seeing an increase in messages denied to the group only.

Is there any tweak on the ASA to make it accept traffic for the DMZ interface IP address from inside? Or any other way to make it work. Thanks!

@Mark Baker

I have tested a lot and configured for many clients.

If we don't specify a port on the redirect list, then it will be dropped once received by IronPort because it has been allowed to process only ports 80 and 443.

That's why we should specify port information on the redirect list so that the ASA does not send all the traffic to IronPort.

Thanks

Junaid
