Cisco WSA: Is it possible to use web proxy in transparent mode without WCCP router?

stephane.walker
Level 1

Hello!

I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers), but I don't have a WCCP router. So, is it possible?

If yes, how to do this?

Thank you,

Stephane Walker

Accepted Solutions

Artur Nowicki
Cisco Employee

Hi Stephane

The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well.

Sample configuration for Cisco router:

!
! ACL 110 selects the traffic to redirect (HTTP, TCP/80)
access-list 110 permit tcp any any eq www
!
! Route-map sends ACL 110 matches to the proxy
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop xxx.xxx.xxx.xxx
!
! Apply the policy on the interface where client traffic arrives
interface ethernet0/1
 ip policy route-map proxy-redirect
!

xxx.xxx.xxx.xxx is the proxy IP in this case, and access-list 110 defines web traffic (HTTP TCP/80) as interesting.


The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.

Routers other than Cisco equipment should also have an option to configure policy based routing.

/Artur

Ps. It's not possible to place the WSA in-line between clients and the internet.
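
An added example, not part of the original post and not Cisco tooling: a Python check that reads a router configuration like the sample above and flags policy route-maps that redirect to a next hop without any availability tracking, which is the failure mode the answer describes. It assumes the IOS `set ip next-hop verify-availability` form as the tracked variant; the function name `audit_pbr` and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample: the router configuration from the answer above, with the
# documentation address 192.0.2.10 standing in for the xxx.xxx.xxx.xxx placeholder.
SAMPLE_CONFIG = """\
access-list 110 permit tcp any any eq www
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 192.0.2.10
!
interface ethernet0/1
 ip policy route-map proxy-redirect
!
"""

def audit_pbr(config):
    """Return (route_map, interfaces, next_hop) for each untracked PBR redirect."""
    next_hops = {}   # route-map name -> arguments of its 'set ip next-hop' lines
    applied = {}     # route-map name -> interfaces that apply it as policy
    section = None   # (kind, name) of the block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        opener = re.match(r"(route-map|interface)\s+(\S+)", line)
        if opener:
            section = opener.groups()
            if section[0] == "route-map":
                next_hops.setdefault(section[1], [])
            continue
        if section is None:
            continue
        kind, name = section
        policy = re.match(r"ip policy route-map\s+(\S+)", line)
        if kind == "route-map" and line.startswith("set ip next-hop "):
            next_hops[name].append(line[len("set ip next-hop "):].strip())
        elif kind == "interface" and policy:
            applied.setdefault(policy.group(1), []).append(name)
    findings = []
    for rmap, interfaces in applied.items():
        for hop in next_hops.get(rmap, []):
            # Without 'verify-availability' the router never checks the next
            # hop, which is the outage scenario the answer describes.
            if not hop.startswith("verify-availability"):
                findings.append((rmap, interfaces, hop))
    return findings

if __name__ == "__main__":
    for rmap, interfaces, hop in audit_pbr(SAMPLE_CONFIG):
        print(f"{rmap} on {', '.join(interfaces)}: next hop {hop} is not tracked")
```

Route-maps that are defined but not applied to any interface are ignored, since they redirect nothing.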

Thank you for your answer Artur, it helped a lot.

Stephane

I have an additional question: is it possible to use Cisco ASA as a WCCP router?

Hi Stephane

Yes, you can use Cisco ASA as a WCCP redirecting device. You need to remember that WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when the client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA.

Details:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_wccp.html

/Artur