Applying WCCP to VPN traffic on an ASA

Group IT
Level 1

Hello,

We have a L2L VPN with a Cisco 881 router as the spoke, and an ASA as the hub.
The ASA has WCCP running on the inside interface.
We want to have WCCP intercepting web traffic coming from the VPN. Right now, web traffic inbound from the tunnel just gets sent straight back out the outside interface - so WCCP is not aware of it.

                    Spoke Router
                    Inside IP: 10.11.101.254
                    Inside Range: 10.11.101.0/24
                           |  | 
                           V  |
                           P WWW
                           N  |
                           |  |
                     Hub ASA
                     Outside IP: 123.123.123.123
                     Inside IP: 10.11.2.250 (WCCP)
                             |
                             |
                     Main core router (1801)
WCCP Appliance ----- Outside IP: 10.11.2.254
                     Default Gateway: 10.11.2.250
                     Other network gear (routers/switches/hosts) on multiple 10.11.0.0/16 subnets

I have read various forum posts saying it can't be done. But I have also read success stories claiming it can(!). I am holding out for the second case!

According to this 'solution': https://www.experts-exchange.com/questions/26476954/Redirect-VPN-traffic-on-ASA-to-inside-interface.html I need to create a static route on the ASA forcing tunneled traffic to my inside interface's IP of 10.11.2.250 (thus WCCP should intercept and redirect).

However, if I try to do this, the ASDM refuses as it knows 10.11.2.250 is one of its own interfaces.
I thought I'd be clever and instead point the static route to 10.11.2.254 (our next-hop core router). The idea being that the core router would then send it back to the ASA's inside interface (the ASA being the router's default gateway) and be subject to WCCP.

This hasn't worked either :-/

Internet access on the spoke subnet (10.11.101.0/24) still behaves as though the web traffic isn't being re-routed at all. The online ASA documentation says, "When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route." So the question is, how do I 'force' tunneled traffic to be sent to the core router (10.11.2.254), as it looks like the ASA is just following the "learned or static routes" and ignoring my 'tunneled' route.

Any help or advice would be greatly appreciated!

Best Regards,

Elliot

3 Replies

Philip D'Ath
VIP Alumni

This depends on how your WCCP is being done - but can you not just do wccp redirect on the outside interface - rather than the inside interface?

Hi Philip,

Thank you for your reply.

Originally, before we had an ASA, the 1801 was doing the WCCP and we did indeed have that configured using WCCP redirect OUT on the outside interface. This worked well (despite numerous official sources recommending to always use redirect IN where possible).

Anyway, when we bought the ASA, as it was newer and we wanted to consolidate all the functionality into the ASA, we moved the WCCP redirection service to that. Our first attempt to implement it was on the outside interface, as per our 1801 setup, but I'm pretty sure the ASA doesn't allow it.

So, unfortunately, unless you have experience to the contrary, or I am misunderstanding your suggestion, I'm reasonably sure redirect OUT isn't an option on the ASA.

Rahul Govindan
VIP Alumni

The supported way is to redirect the VPN traffic using a tunnel-default-route back into the Core router. The Core router will then send it back to the ASA. The ASA then redirects the traffic received on the inside interface back to the WCCP server sitting off the inside interface.

This is documented here in Scenario 4 of the Anyconnect solution guide:

http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-0/user_guide/AnyConnect_Secure_Mobility_SolutionGuide.pdf
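A configuration sketch of the approach Rahul describes (tunnel default route pointing at the core router, WCCP redirect in on the inside interface), added here as an illustration; it is not taken from the thread or from the Cisco guide. The addresses are the ones in Elliot's diagram, while the ACL names, the ISP next hop and the WCCP appliance address are assumptions marked as placeholders.

```cisco
! Added example, not from the thread or the Cisco guide.
! Addresses come from the diagram in the question; ACL names and the
! placeholder addresses below are assumptions.

! The current behaviour (decrypt on outside, send back out outside) already
! relies on hairpinning; keep it so the path after the core-router detour works.
same-security-traffic permit intra-interface

! Client traffic the ASA hands to the cache: only HTTP from the spoke LAN.
access-list WCCP-REDIRECT extended permit tcp 10.11.101.0 255.255.255.0 any eq 80

! Hosts allowed to register as WCCP caches (the appliance off the core router).
! WCCP_APPLIANCE_IP is a placeholder; the thread does not give this address.
access-list WCCP-CACHES extended permit ip host WCCP_APPLIANCE_IP any

! Service group, limited to the two ACLs above so nothing else is redirected.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES

! The ASA only supports inbound redirection, which is why it lives on inside.
wccp interface inside web-cache redirect in

! Ordinary default route for non-tunnel traffic. ISP_NEXT_HOP is a placeholder.
route outside 0.0.0.0 0.0.0.0 ISP_NEXT_HOP 1

! Tunnel default route: decrypted VPN traffic that matches no more specific
! learned or static route goes to the core router (10.11.2.254) instead of
! straight back out the outside interface. The core's default gateway is the
! ASA inside address (10.11.2.250), so the packets re-enter on inside, where
! the redirect above sees them. Only one tunneled default route is allowed,
! and its next hop must be a neighbour, not one of the ASA's own interfaces.
route inside 0.0.0.0 0.0.0.0 10.11.2.254 tunneled
```

Two things to check after applying it: `show wccp web-cache detail` should list the appliance as a usable cache and the packet counters should increase when a spoke host browses, and `show route` should show the tunneled default separately from the normal one. The tunneled route only takes effect for traffic that has no more specific match, so a static or learned route for a destination network still wins for tunnel traffic, which is the "learned or static routes" clause quoted in the question. Because the core router forwards these packets back out the interface they arrived on, it will emit ICMP redirects towards the ASA; they are harmless here, but `no ip redirects` on the core's ASA-facing interface keeps the logs quiet.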