Dear All,
I am deploying a WSA in the DMZ zone, so user requests are coming from the inside zone for internet browsing.
My intention is to use the WSA as a transparent proxy for internet. Can anyone tell me whether the WCCP protocol works across different security zones of the firewall?
If so, which ASA IOS version works across different security zones?
It would be highly appreciated if you reply on this issue.
The ASA will NOT permit WCCP to be transferred through the device. You can't have WCCP on the inside interface transferred to something on any other interface...
If you are going to use an ASA for WCCP, the WSA has to be reachable via the SAME interface that the WCCP is on.
Hi Ken/Jernej,
Thanks for your reply. Is there any option in the new IOS of ASA from 9.0 onward where WCCP is supported on a different interface?
As per my current topology, all users are connected through the inside zone, which I am not able to change, and I have placed my WSA in the DMZ zone and configured static NAT for the WSA.
So my intention is to forward the internet requests from inside to the DMZ using the WCCP protocol. However, I have tested internet browsing using the explicit WSA IP in Explorer and it was working fine. But I am trying to do it transparently from the inside zone.
Please advise me what would be the best practice considering my existing topology.
It would be highly appreciated if you reply.
Hi Ken,
Thanks for your prompt reply.
Can you advise me where we should place the WSA?
As per my understanding, we should not place any internet-facing appliance in the internal zone (local user zone), and it would be considered a security loophole if we do NAT in the inside zone for the WSA.
So I have placed the WSA in the DMZ zone, configuring static NAT. But I am not able to use the WSA as a transparent proxy for inside users if we place this appliance in the DMZ zone.
So what would be the workaround for this current scenario? Can you share with me any Cisco article where they say WCCP is not supported on a different interface?
You typically can place the WSA in core/DMZ but it's not really mandatory. It depends on topology (transparent/explicit, single interface/separate data & management, etc.). But since you're using the ASA to do transparent redirection, you need to have the WSA data interface located in the client subnet.
You can find the requirement via the link I posted already, the Cisco Live presentation (https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76612&tclass=popup) etc.
How can you solve the problem:
The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
More info: https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration
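
The supported layout described above, as an added configuration sketch that is not part of the original thread: the WSA data interface sits in the client subnet behind the ASA `inside` interface, and redirection is applied inbound on that same interface. The subnet 10.1.1.0/24, the WSA address 10.1.1.50 and the ACL names `WCCP-SERVERS` and `WCCP-REDIRECT` are constructed placeholders.

```cisco
! Assumption: clients and the WSA data interface share 10.1.1.0/24 behind "inside".
! All addresses and ACL names below are constructed for illustration.

! Group list: only this address may register as a WCCP cache engine.
access-list WCCP-SERVERS extended permit ip host 10.1.1.50 any

! Redirect list: exempt the WSA's own outbound fetches first, otherwise its
! traffic arrives on the same interface and would be redirected back to it.
access-list WCCP-REDIRECT extended deny ip host 10.1.1.50 any
access-list WCCP-REDIRECT extended permit tcp 10.1.1.0 255.255.255.0 any eq www

! Enable the web-cache service, restricted by both lists.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS

! Redirect on the interface where both the clients and the WSA live.
wccp interface inside web-cache redirect in
```

`show wccp` on the ASA reports whether the cache engine has registered and how many packets have been redirected or denied by the two lists.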