Does ASA firewall support wccp in different security zone

eahmed007
Level 1

Dear All,

I am deploying WSA in DMZ zone. So users' requests are coming from inside zone for internet browsing.

My intention is to use the WSA as a transparent proxy for internet. Can anyone tell me whether WCCP protocol works in different security zones of the firewall?

If so, then which ASA IOS version works in different security zones?

It would be highly appreciated if you reply on this issue.

With regards

Erfan

6 Replies

Erfan,

The ASA will NOT permit WCCP to be transferred through the device.  You can't have WCCP on the inside interface transferred to something on any other interface...

If you are going to use an ASA for WCCP, the WSA has to be reachable via the SAME interface that the WCCP is on.

Ken

Hi Ken/Jernej,

Thanks for your reply. Is there any option in new IOS of ASA from 9.0 onward where WCCP is supported on a different interface?

As per my current topology, all users are connected through inside zone, which I am not able to change, and I have placed my WSA in DMZ zone and configured static NAT for WSA.

So my intention is to forward the internet request from inside to DMZ using WCCP protocol. However, I have tested internet browsing using the explicit WSA IP in Explorer and it was working fine. But I am trying to do it transparently from inside zone.

Please advise me what would be the best practice considering my existing topology.

It would be highly appreciated if you reply.

With regards

Erfan

No. The ASA will NOT allow WCCP from one interface to go to another interface.  There's no way around it, and it hasn't changed. 

Hi Ken,

Thanks for your prompt reply.

Can you advise me where we should place the WSA?

As per my understanding, we should not place any internet-facing appliance in internal zone (local user zone), and it would be considered a security loophole if we do NAT in inside zone for WSA.

So I have placed WSA in DMZ zone configuring static NAT. But I am not able to use WSA as transparent proxy for inside users if we place this appliance in DMZ zone.

So what would be the workaround for this current scenario? Can you share with me any Cisco article where they say WCCP is not supported on a different interface?

With regards

Erfan

Hi Erfan,

You can typically place WSA in core/DMZ, but it's not really mandatory. It depends on topology (transparent/explicit, single interface/separate data & management, etc.). But since you're using ASA to do transparent redirection, you need to have the WSA data interface located in the client subnet.

You can find the requirement via the link I posted already, the Cisco Live presentation (https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76612&tclass=popup), etc.

How you can solve the problem:

  • use explicit forward proxy mode and deploy settings via DNS/DHCP/GPO/manually...
  • use L3 switch like catalyst 3k/6k for transparent redirection

The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

More info: https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration
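The first workaround above (explicit forward proxy mode, with settings pushed by DHCP/DNS/GPO) is normally done with a PAC file. The one below is an added example, not part of the thread or a Cisco artifact; it assumes a WSA at 192.0.2.10 listening on port 3128 and an internal domain corp.example, and it sends only internal destinations DIRECT so that inside-to-inside traffic never takes the DMZ hop.

```javascript
// Assumed (not from the thread): WSA DMZ address and its explicit proxy port.
var WSA_PROXY = "PROXY 192.0.2.10:3128";
// Assumed internal DNS suffix; plain single-label hostnames are also treated as internal.
var INTERNAL_SUFFIX = ".corp.example";

// Dotted-quad IPv4 -> unsigned 32-bit number; null if host is not an IPv4 literal.
function ipToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/bits (CIDR match done with unsigned arithmetic).
function inCidr(ip, net, bits) {
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

// RFC 1918 space plus loopback: reachable directly from the inside zone.
var INTERNAL_NETS = [
  [ipToInt("10.0.0.0"), 8],
  [ipToInt("172.16.0.0"), 12],
  [ipToInt("192.168.0.0"), 16],
  [ipToInt("127.0.0.0"), 8]
];

function isInternal(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) return true;                       // intranet, fileserver, ...
  if (h === INTERNAL_SUFFIX.slice(1)) return true;              // corp.example itself
  if (h.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  var ip = ipToInt(h);
  if (ip === null) return false;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

// Browser entry point. Internet-bound requests get only the WSA, with no
// "; DIRECT" fallback, so an unreachable proxy fails closed instead of
// letting clients bypass web filtering.
function FindProxyForURL(url, host) {
  return isInternal(host) ? "DIRECT" : WSA_PROXY;
}
```

Publish the file over HTTP and point clients at it through the WPAD DHCP option 252, a wpad DNS entry, or a GPO proxy setting; the browser then reaches the WSA explicitly through the ASA, which is the path Erfan already confirmed works.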
