cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
576
Views
0
Helpful
6
Replies
Beginner

Does ASA firewall support wccp in different security zone

Dear All ,

I am  deploying WAS in DMZ zone .So users request is coming from inside zone for internet browsing ..

My intention is to use the WSA as a transparent proxy for internet .Can any one tell me whether wccp protocol works in different security zone of the firewall .

if so then which ASA IOS version works in different security zone .

It would highly appreciated if you reply on this issue .

With regards

Erfan

6 REPLIES 6
Collaborator

Erfan,

Erfan,

The ASA will NOT permit WCCP to be transferred through the device.  You can't have WCCP on the inside interface transferred to something on any other interface...

If you are going to use an ASA for WCCP, the WSA has to be reachable via the SAME interface that the WCCP is on.

Ken

 

Beginner

Hi Ken/Jernej ,

Hi Ken/Jernej ,

Thanks for you reply .Is there any option in new IOS of ASA from 9.0 onward where wccp support in different interface .

As per my current  topology , All users are connected through inside zone which i am not able to change and I have placed my WAS in DMZ zone and configure static NAT for WSA .

So my intention is to forward the internet request from inside to DMZ using wccp protocol .However , I have test internet browsing using explicit WSA ip in explorer and it was working fine .But I am trying to do it transparently from inside zone .

Please advice me what would be the best practice considering my existing topology .

It would be highly appreciated if you reply .

With regards

Erfan

 

Collaborator

No. The ASA will NOT allow

No. The ASA will NOT allow WCCP from one interface to go to another interface.  There's no way around it, and it hasn't changed. 

Beginner

Hi Ken ,

Hi Ken ,

Thanks for your prompt reply .

Can you advice me where we should placed the WSA .

As per my understanding , We should not place any internet facing appliance in internal zone(local user zone ) and security loop hole would be considered if we do nat in inside zone for WSA .

So I have placed WSA in DMZ Zone configuring static NAT .But I am not able to use WSA as transparent proxy for inside user if we placed this appliance in DMZ Zone .

So what would be the work around for this current scenario.Can you share me any cisco article where they said wccp is not support in different interface .

With regards

Erfan

Highlighted
Enthusiast

Hi Erfan,

Hi Erfan,

you typically can place WSA in core/DMZ but it's not really mandatory. It depends on topology (transparent/explicit, single interface/separate data&management etc.) But since you're using ASA to do transparent redirection you need to have WSA data interface located in client subnet.

You can find the requirement via link I posted already, Cisco Live presentation (https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76612&tclass=popup) etc.

How can you solve the problem:

  • use explicit forward proxy mode and deploy settings via DNS/DHCP/GPO/manually...
  • use L3 switch like catalyst 3k/6k for transparent redirection
Enthusiast

The only topology that the

The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

More info: https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.