Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1887
Views
0
Helpful
3
Replies

ASA WCCP Two inside interfaces

cmcclinton
Level 4
Level 4

‎10-18-2012 11:32 AM

I have a scenario where an ASA has two internal interfaces, corporate and guest and one outside Internet interface, with no layer 3 routing on the inside between the corporate and guest networks (VLANs). 

Transparent redirection with WCCP is to be used.

I have read many posts about how the ASA and the IronPort must be behind the same interface, and that the ASA will not redirect traffic via WCCP from one interface to another.

If the IronPort is configured with two VLANs on the P1 interface and connected to trunked switch port, and the ASA has each of it inside interfaces connected to the matching VLANs, then the IronPort is effectifely behind both firewall interfaces from a Layer 2 perspective.

The question is (and it is more of a ASA question) if both ports on the ASA are then configured with WCCP (and the IronPort has both of the ASA IP addresses configured in its WCCP)  does the ASA essentially run two instances of WCCP presenting itself as two seperate WCCP routers with the router ID being that of the internal interface on which it is configured?

Labels:
0 Helpful
3 Replies 3

Ken Stieers
VIP
VIP

‎10-18-2012 11:39 AM

I know that the ASA will run multiple instances of WCCP, I've done it on the inside interface, targeting 2 seperate WSAs, non-overlapping client IP ranges using seperate service groups.

I don't know of any reason why you can't do what you're trying...

0 Helpful

dave.hicks
Level 1
Level 1

‎03-26-2013 01:59 PM

Hi CMCClinton,

Did you get this working with WCCP on two interfaces. We are looking into something similar with our ASA and Ironport setup. I'd be interested to know how this went for you.

0 Helpful

cmcclinton
Level 4
Level 4
In response to dave.hicks

‎03-27-2013 05:05 AM

Hi Dave

In short, I didn't.

While I was able to set up two distinct layer two connections using a trunk connection and associated VLANs the routing configuration on the WSA didnt really support a granular enough configuration to in effect support two distinct routes on for each VLAN'ed interface.

In the end I opted for a simple single interface configuration.

Not sure if it was my lack of knowledge or just pushing the WSA into a configuration that it really didn't want to do

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents