Kureli Sankar
Cisco Employee



This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:


The ASA must be running at least 7.2.1 code to be able to configure the WCCP feature.


  1. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
  2. The Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to that Router ID address pointing to the ASA's interface.




How WCCP works

  • PC makes a request to a website.
  • ASA receives the request and re-directs it to the WCCP server in an encapsulated GRE packet to avoid any modifications to the original packet.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration


1. Configure an access-list containing all members of WCCP servers.

There is only one WCCP server in this example.


ASA(config)#access-list wccp-servers permit ip host any


2. Create an access-list of the traffic that needs to be re-directed to WCCP

The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list. The access list should only contain network addresses. Port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip any


3. Enable WCCP


ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic


4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines.


ASA(config)#wccp interface inside web-cache redirect in


5. Enable WCCP to redirect native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider regarding service IDs that they support. You can identify a service number between 0 and 254.


ASA(config)#wccp interface inside service 60 redirect in



Final Configuration Section:

access-list wccp-traffic extended permit ip any

access-list wccp-servers extended permit ip host any

wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
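
The following audit script is an added example, not part of the original document or Cisco's tooling. It checks a saved configuration against the steps above: both access lists exist, the redirect list has no port-specific entries, the group list names individual cache engines, and each service is applied to an interface. The addresses in the sample are constructed placeholders.

```python
# Constructed sample: 192.0.2.10 (cache engine) and the 10.x networks are placeholders.
SAMPLE_CONFIG = """\
access-list wccp-servers extended permit ip host 192.0.2.10 any
access-list wccp-traffic extended permit ip 10.1.0.0 255.255.0.0 any
access-list wccp-traffic extended permit tcp 10.2.0.0 255.255.0.0 any eq www
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}          # ACL port operators
OPTIONS = {"redirect-list", "group-list", "password"}  # options of the global wccp command


def audit_wccp(config):
    """Return a list of findings for the WCCP statements in an ASA configuration."""
    acls, services, bound, findings = {}, {}, set(), []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[0] == "access-list" and tok[2] != "remark":
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:2] == ["wccp", "interface"]:
            if "redirect" in tok:  # wccp interface <name> <service> redirect in
                bound.add(" ".join(tok[3:tok.index("redirect")]))
        elif tok[:1] == ["wccp"]:
            first = next((i for i, t in enumerate(tok) if t in OPTIONS), len(tok))
            services[" ".join(tok[1:first])] = dict(zip(tok[first::2], tok[first + 1::2]))
    for svc, opts in services.items():
        for opt in ("redirect-list", "group-list"):
            name = opts.get(opt)
            if name is None:
                findings.append(f"{svc}: no {opt} configured")
            elif name not in acls:
                findings.append(f"{svc}: {opt} '{name}' is not defined")
        for ace in acls.get(opts.get("redirect-list"), []):
            if PORT_OPS & set(ace):  # step 2: port-specific entries are not supported
                findings.append(f"{svc}: redirect-list entry is port-specific: {' '.join(ace)}")
        for ace in acls.get(opts.get("group-list"), []):
            if "host" not in ace:    # step 1: the group list names the cache engines
                findings.append(f"{svc}: group-list entry is not a single host: {' '.join(ace)}")
        if svc not in bound:
            findings.append(f"{svc}: enabled globally but not applied to any interface")
    for svc in sorted(bound - set(services)):
        findings.append(f"{svc}: applied to an interface but not enabled globally")
    return findings


if __name__ == "__main__":
    for finding in audit_wccp(SAMPLE_CONFIG):
        print(finding)
```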


Show commands and debugs:

show wccp web-cache

show wccp interface

debug wccp event

debug wccp packets
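
As an added example (not from the original document), this script parses the per-service counters printed by the show commands above and flags the ones that point to a cache engine being rejected or to redirection not happening. The sample output is constructed, with made-up values, and assumes the counter names shown in the sample.

```python
import re

# Constructed sample laid out like the ASA's WCCP counters; all values are made up.
SAMPLE_OUTPUT = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.0.2.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      12
        Total Authentication failures:       4
"""


def parse_show_wccp(text):
    """Map each service identifier to a dict of its counters and settings."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)?$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), (m.group(2) or "").strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None and value:
            current[key] = int(value) if value.isdigit() else value
    return services


def triage(services):
    """Return (service, finding) pairs for counters that need a closer look."""
    findings = []
    for svc, c in services.items():
        engines = c.get("Number of Cache Engines", 0)
        if engines == 0:
            findings.append((svc, "no cache engine registered"))
        if c.get("Total Messages Denied to Group", 0) > 0:
            acl = c.get("Group access-list", "(none)")
            findings.append((svc, f"messages rejected by group access-list {acl}"))
        if c.get("Total Authentication failures", 0) > 0:
            findings.append((svc, "WCCP messages failed authentication"))
        if engines > 0 and c.get("Total Packets Redirected", 0) == 0:
            findings.append((svc, "cache engine registered but no packets redirected"))
    return findings
```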





Please, I have a little problem with denying some IP addresses from being cached on my cache box. I used my cache box to block many websites on my inside network, but I want to permit a few IP addresses to have access to those websites by doing this on my firewall ASA.


access-list wccp-users line 2 extended deny tcp host host eq www
access-list wccp-users line 3 extended deny tcp host host eq www
access-list wccp-users line 4 extended deny tcp host host eq www
access-list wccp-users line 5 extended deny tcp host host eq www
access-list wccp-users line 6 extended permit tcp any eq www
access-list wccp-users line 7 extended permit ip any
access-list wccp-users line 8 extended permit ip any any
omsasa(config)#access-list wccp-server extended permit ip host any

My cache box IP is

After my configuration, the cache box still denies those two IP addresses - ( and from accessing those blocked websites. Please, I need help on how to get this problem solved. My aim is to see that these two IP addresses are not being cached by the cache box. Thanks.




Hi Team,

Could you please explain this more.

I got to know that "In redirect-list, the access list should only contain network addresses. Port-specific entries are not supported."

Which means that if you have port-specific entries in the ACL then this would not work.

But I did this for my client and have also seen many examples of the same, and it works fine.

If we do not define port-specific entries in the ACL then WCCP will unnecessarily redirect all the traffic towards the WSA, which is of no use.


Can someone please explain it in more detail?




Hi, you are wrong. In the context of WCCP the ASA is the WCCP server and the cache engine is the WCCP client.

br Fritz


I would agree - I didn't see much documentation explaining a one-on-one replacement model for WCCP. Obviously this is beyond the scope of ASA to start with but even so...

The numbers shown above look impressive but it would be nicer to see the "source" and a link to a decent Deployment / Implementation Guide.



Hi Junaidboss,

I believe from when I worked with WCCP on the ASA before and saw that specifying ports was at least not recommended that I found out the WCCP client configuration is where the redirected ports are configured and not on the ASA itself.

I'll update if I find this is not correct.


Ramakrishnan V

Will WCCP redirection work on multiple physical interfaces?

I have a firewall which has inside and 4 DMZ interfaces (DMZs configured as sub-interfaces). I made WCCP redirection (for ports 80 and 443) for all my Inside networks and it is working fine.

Now I would like to add WCCP redirection for my DMZ interface as well. Note my group-list (WCCP servers are residing in the Inside segment).

I already configured "wccp interface inside web-cache redirect in".

So adding DMZ networks in "redirect-list" & wccp interface dmz100 web-cache redirect in, will that work?

Please suggest how I could add my DMZ networks into WCCP redirection.


This configuration is on Cisco ASA. Can you give me a sample of WCCP v2 on a Cisco router?



With an ASA, the WCCP client (Cache) needs to be out the same interface that is doing the redirection. You would need a WCCP client in each DMZ. Not sure if your WCCP client can be virtualized or not, but that may be an option. I haven't worked with any that could. There may be other ways to get a single cache to appear to be behind multiple ASA interfaces like VRFs and route leaking possibly, but I haven't done that.

I had this same issue with a URL filtering / malware / virus appliance. I set it up where inside hosts were WCCP redirected for complete inspection of the traffic and RA VPN users were set up with the older url-server feature to only do URL filtering to the same client. I was using Websense which was supported with this feature.


Community Member


I am having problems setting up the Cisco ASA firewall to redirect HTTP and HTTPS traffic to my Web Cache using WCCP. My sw and hw versions are:

Cisco Adaptive Security Appliance Software Version 9.2(4)8
Device Manager Version 7.5(2)153

Compiled on Wed 24-Feb-16 21:59 PST by builders
Hardware:   ASA5585-SSP-20, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

My Web cache is successfully connecting the Cisco ASA as a router:

Global WCCP information:
    Router information:
        Router Identifier:         
        Protocol Version:                    2.0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       4
        Total Bypassed Packets Received:     0

But no traffic is being redirected.

My access lists are defined like this:

access-list wccp-servers  extended permit ip host any

access-list wccp-traffic  extended deny tcp host any
access-list wccp-traffic  extended permit tcp any eq www
access-list wccp-traffic  extended permit tcp any eq https
access-list wccp-traffic  extended deny ip any any

The "Here-I-Am" and "I-See-You" protocol between the Cisco ASA and the Web cache is working fine, but the Cisco ASA is still not redirecting HTTP and HTTPS traffic to the Web Cache.

Any help to fix this configuration or monitoring the Cisco ASA to understand what is happening would be appreciated.



Hi Vibhor,

Will this method redirect HTTPS traffic as well?

Because I configured it, but it only redirects HTTP, not HTTPS.

Can you please help me to configure it?

I already defined service identifier 70 but it does not hit any traffic, but for HTTP it works fine.




WCCP can redirect HTTPS. Your redirect ACL would have to allow it and the WCCP client would need to be configured to request HTTPS redirect either in the same service as HTTP (if supported) or a separate one. The WCCP client is where you configure the ports that you want to redirect. The client (Websense, IronPort...) informs the router of the ports through WCCP.

I included a screen shot of Websense being configured for both HTTP and HTTPS in the same service.

Thank you,




Is there any way to enable wccp just on specific context?


Hi Serdar,

Documentation says that WCCP is supported in single and multi-context modes. This means that you would be able to configure it on a per context basis.

Community Member

Hi everyone,

I have got ASA 5525-X with 9.6 and I am trying to configure WCCP for web-traffic redirection.

It is selecting the DMZ address as the router ID for WCCP, being the highest IP. I have a default route on the inside network pointing to the firewall inside.

With the current configuration, I am seeing an increase in messages denied to the group only.

Is there any tweak on the ASA to make it accept traffic for the DMZ interface IP address from inside? Or any other way to make it work? Thanks!

@Mark Baker

I have tested a lot and configured for many clients.

If we don't specify the port on the redirect list then it will be dropped once received by the IronPort because it has been allowed to process only ports 80 and 443.

That's why we should specify port information on the redirect list so that the ASA could not send all the traffic to the IronPort.


