Showing results for 
Search instead for 
Did you mean: 
Kureli Sankar
Cisco Employee
Cisco Employee



This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:


The ASA must be running minimum 7.2.1 code to be able to configure WCCP feature.


  1. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
  2. Router ID is chosen as the highest IP address configured on the ASA.  If that happens to the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to get to that Router-ID address pointing to the ASA's interface.




How wccp works

  • PC makes a request to a website.
  • ASA receives the request and re-directs it to the wccp server in an encapsulated GRE packet to avoid any modifycations to the original packet.
  • WCCP receives the packet and sends the response directly to the PC.

Step by Step Configuration


1. Configure an access-list containing all members of WCCP servers.

There is only one WCCP server in this example.


ASA(config)#access-list wccp-servers permit ip host any


2. Create an access-list of the traffic that needs to be re-directed to WCCP

The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list. The access
list should only contain network addresses. Port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip any


3. Enable WCCP


ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic


4. Enable WCCP redirection on the inside interface

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines


ASA(config)#wccp interface inside web-cache redirect in


5. Enabling WCCP to redirect native FTP traffic to a cache engine, using service 60

Verify with the WCCP provider regarding service IDs that they support. You can identify a service number between 0 and 254.


ASA(config)#wccp interface inside service 60 redirect in



Final Configuration Section:

access-list wccp-traffic extended permit ip any

access-list wccp-servers extended permit ip host any

wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in


Show commands and debugs:

show wccp web-cache

show wccp interface

debug wccp event

debug wccp packets





You can specify the port number in the redirect ACL, but it is not required. IronPort service configuration specifies the ports that need to be redirected. If you say 80/443 in the IronPort service, the WCCP router will only redirect 80/443 even with IP (not TCP/UDP) specified in the access-list. I am doing it currently on 6807 and ASR routers. I did the same previously on an ASA, as documentation at the time recommended not configuring the port number.




Note: In redirect-list, the access list should only contain network addresses. Port-specific entries are not supported.

That is from:

I'm not sure if it is still not supported, but it was not supported at the time I configured it on an ASA. In any case, the ports are not required in the redirect ACL.



The web gui to our IronPort S170 is VERY slow.  Utilization wise we had TAC check it out and it is operating within guidelines.  They said to check if wccp was denied to our S170 to prevent looping, which would cause the slowness.  To me it looks like it is, here is all of our config.

wccp web-cache redirect-list proxylist group-list wsa-farm password *****
wccp 70 redirect-list proxylist-https group-list wsa-farm password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

access-list wsa-farm extended permit ip host any
access-list proxylist extended deny ip host any
access-list proxylist extended permit tcp object-group LANPC any eq www

access-list proxylist-https extended deny ip host any
access-list proxylist-https extended permit tcp object-group KIOSK any eq https

Does that look correct?  The IP's in object-group LANPC and KIOSK are properly wccp redirected.  I am in LANPC and when I access our WSA at, its very slow to navigate around in the browser.  I think that first statement covers the deny so going directly to it doesn't cause some sort of a wccp loop.


Good Day everyone. :-)


I would appreciate some assistance and guidance. 


I’ve created a new eduroam network at one of my sites.


I would like to add the new range to my Firewall and WCCP


So far this is what I have done:


Configured WCCP -


wccp web-cache redirect-list redirect-traffic group-list smoothwall password *****

wccp 70 redirect-list redirect-traffic group-list smoothwall password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in


Access-list added - 

access-list redirect-traffic line 39 extended permit ip any


I'm getting hits on that subnet, but I wish it to go through the smoothwall and I'm not sure if it is doing that. 


Help would be much apprciated.


Thank you 








I have a 5525-x ASA on 9.8.2 and McAfee web gateway.

I need to configure wccp on the ASA to redirect the traffic to my virtual proxy.


One thing, my users are not directly behind the ASA, but they're behind the core and access switches, so their default gateway is not the ASA but my core. The inside interface of the ASA is the default gateway for my core.

Is the default gateway a requirement for the users?






Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links