Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1306
Views
0
Helpful
2
Replies

Implementing WCCP

pholding1
Level 1
Level 1

‎12-30-2010 02:18 PM - edited ‎03-06-2019 02:46 PM

I need to setup a transparent proxy server on a relatively small network and I’m thinking WCCP and Squid would be a good fit. The network has a PIX firewall with three interfaces, the first interface connects to the internet router (not Cisco kit), the second interface connects to the internal network and the third interface connects to the DMZ which will contain the Squid proxy server.


Typically where is WCCP implemented in a network to intercept the traffic and re-direct to the proxy server? Ideally should the WCCP interception be performed on the PIX or on the internet router which is outside the network? I could replace the internet router with Cisco kit if this would be the best place to intercept the traffic. Unfortunately there are no Catalyst 4500 or 6500 switches on the network.

Are there any limitations on running WCCP on a PIX?

Also, are there any best practices for WCCP implementing for a transparent proxy?

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎01-01-2011 04:22 AM

Base on the topology provided, PIX would be the only device where you would implement WCC, however, PIX only supports WCCP when the traffic that needs to be transparently redirected is behind the same interface as the proxy server. Therefore, you can't place your Squid proxy in the DMZ.

Typically if you have an internal router, you would implement the WCCP on that internal router as router has more flexible WCCP feature. Definitely not to implement WCCP on your internet router as that would be outside your internal network already.

Here is configuration guide on WCCP on PIX firewall for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445

Hope that helps.

0 Helpful

ralphcarter
Level 1
Level 1
In response to Jennifer Halim

‎01-02-2011 07:53 PM

I second that. Create a security segment between the pix firewall and core device, maybe a /29 if it makes sense and make squid part of this segment.

Setup WCCP to "redirect in" on the inside facing interface for "webcache" port 80. Web traffic will be redirected to squid. Make sure the squid IP is allowed for acl/natting on PIX as its IP will be used for all port 80 traffic.

CCIE 26175
www.techsnips.com
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card