Ironport DMZ, WCCP, ASA and 3945 configuration help.

amorine123
Level 1

Hello all,

I need some advice / help getting WCCP working with our Cisco Ironport, ASA and 3945 router.

At the moment, I’m trying to isolate the WCCP redirect traffic to my own PC so I don’t break our existing proxy traffic.

This is our setup:

LAN: 192.168.x.x/24
C3945_L0: 203.0.158.1
C3945_G0: 203.0.156.108 (Inside)
C3945_G1: 203.0.157.29 (Outside)
S650_G0: 203.0.159.21
MY_PC_E0: 192.168.8.124

The traffic flow should be:

LAN -> C3945 -> ASA5520 -> S650

The Ironport S650 is located in our DMZ.

From my understanding, I need to create a few service profiles on our Ironport.

They are:

http (80) = 1
http_reverse (80) = 20
https (443) = 70
https_reverse (443) = 90

The router address specified on the above service profiles is the outside interface of the C3945 (203.0.157.29).

Our C3945 router has the following configuration:

ip wccp 1 redirect-list acl-proxy-redirect group-list 11
ip wccp 20 redirect-list acl-proxy-reverse group-list 11
ip wccp 70 redirect-list acl-proxy-redirect group-list 11
ip wccp 90 redirect-list acl-proxy-reverse group-list 11

access-list 11 permit 203.0.159.21

ip access-list extended acl-proxy-redirect
 permit tcp host 192.168.8.124 any eq www
ip access-list extended acl-proxy-reverse
 permit tcp any eq www host 192.168.8.124

interface Loopback0
 ip address 203.0.158.1 255.255.255.255

interface GigabitEthernet0/0
 description INSIDE Connection
 ip address 203.0.156.108 255.255.255.0
 ip wccp 1 redirect in
 ip wccp 70 redirect in

interface GigabitEthernet0/1
 description OUTSIDE DMZ Connection
 ip address 203.0.157.29 255.255.255.224
 ip wccp 20 redirect in
 ip wccp 90 redirect in

On our Cisco ASA firewall, I have the following ACLs set up to allow the traffic:

access-list inside_access_in line 72 extended permit ip host 203.0.157.29 host 203.0.159.21
access-list dmz2_public_access_in line 56 extended permit ip host 203.0.159.21 host 203.0.157.29

Does this configuration look correct? I don't seem to be having any success.

Thanks in advance,

Andrew.

13 Replies

Jennifer Halim
Cisco Employee

With the ASA, you would need to have your host and the Ironport (WCCP server) connecting to and from the same ASA interface, i.e. both from the INSIDE. You can't have the LAN and the Ironport connected to two different ASA interfaces, as that is not supported.

Here is the config guide to confirm:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/basic_wccp.html#wp1143527

(Quoted from the above URL: "WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA.")

Hope that answers your question on why it's not working.

Hi Jennifer,

Thanks for the reply.

I was under the assumption you could get around this limitation by creating a GRE tunnel from an inside router (our 3945) to the Ironport (S650) in the DMZ.

If you create a GRE tunnel from inside to the Ironport then your WCCP needs to be done on the router, not on the ASA.

That's what my configuration above indicates. The ASA only allows the traffic through from the router to the Ironport.

Apologies, I must have been dreaming when I read your initial post. Sorry for that.

Yes, that should work as the ASA is only passing the traffic.

Where is it failing? Do you have NAT or NAT exemption configured on the ASA?

Do you get any hitcount on the ASA ACL?

No problem. I appreciate discussing this in more detail as I'm trying to understand it properly.

I am getting hits on one of the ACLs, but I've left work for the day and can't remember which one.

I'll post some more information first thing tomorrow morning.

Thank you!

OK, I have a bit more info. With the above configuration, I'm not getting any hits on either ACL on the ASA.

My WCCP on the C3945 shows the following stats:

Global WCCP information:
    Router information:
        Router Identifier:                   203.0.158.1
        Protocol Version:                    2.0

    Service Identifier: 1
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        49
          Process:                           0
          CEF:                               49
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-redirect
        Total Packets Denied Redirect:       311
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 20
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-reverse
        Total Packets Denied Redirect:       311
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 70
        Number of Service Group Clients:     1
        Number of Service Group Routers:     2
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-redirect
        Total Packets Denied Redirect:       2809
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-reverse
        Total Packets Denied Redirect:       10776
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

WCCP version 2 enabled, 4 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 203.0.158.1):
1           1         1         HASH        GRE        GRE
20          1         1         HASH        GRE        GRE
70          1         2         HASH        GRE        GRE
90          1         1         HASH        GRE        GRE

I checked the syslog on the ASA and get the following:

"Deny GRE reverse path check from C3945_Lp0 to S650_G0 on interface inside"

Please try disabling the reverse path check on the ASA inside interface as follows:

no ip verify reverse-path interface inside

Hi Jennifer,

Are there any security implications if I do this? Is this something that needs to be done because we are using a GRE tunnel through the ASA?

Also, the reverse path check points to the loopback address of the inside router. Is this correct? Do I need to add the router's loopback address to the ASA ACLs?

Thanks,

Andrew.

That's correct; WCCP uses the router loopback address as its identifier.

I would add the router loopback address to the ASA ACLs, as well as to the routing table, pointing towards the ASA inside next hop.
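As an added illustration (not code from this thread or from Cisco), a small Python checker that parses the router config and ASA ACLs posted above, derives the WCCP router identifier the way the show output confirms it (the highest loopback address), and lists the router-ID/cache-engine pairs that no ASA ACE permits. Run on the posted configs it flags both directions for 203.0.158.1, the same loopback the RPF syslog names; the regexes only understand the simple "host ... host" ACE form shown in the thread, which is an assumption.

```python
import re

# Constructed sample input, condensed from the router config and ASA ACLs posted above
IOS_CONFIG = """
ip wccp 1 redirect-list acl-proxy-redirect group-list 11
ip wccp 20 redirect-list acl-proxy-reverse group-list 11
access-list 11 permit 203.0.159.21
interface Loopback0
 ip address 203.0.158.1 255.255.255.255
interface GigabitEthernet0/1
 ip address 203.0.157.29 255.255.255.224
"""
ASA_ACLS = """
access-list inside_access_in line 72 extended permit ip host 203.0.157.29 host 203.0.159.21
access-list dmz2_public_access_in line 56 extended permit ip host 203.0.159.21 host 203.0.157.29
"""

def wccp_router_id(ios_cfg):
    """IOS takes the highest loopback address (else highest interface address) as the WCCP router ID."""
    loopbacks, others, current = [], [], None
    for line in ios_cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and current:
            (loopbacks if current.lower().startswith("loopback") else others).append(m.group(1))
    return max(loopbacks or others, key=lambda ip: tuple(int(o) for o in ip.split(".")))

def wccp_clients(ios_cfg):
    """Cache engines permitted by the group-list ACLs that the 'ip wccp' services reference."""
    clients = set()
    for acl in set(re.findall(r"^ip wccp \S+ .*group-list (\S+)", ios_cfg, re.M)):
        clients.update(re.findall(rf"^access-list {acl} permit (\d+\.\d+\.\d+\.\d+)", ios_cfg, re.M))
    return clients

def asa_permits(asa_acls, src, dst):
    """True if some ACE permits ip or gre from host src to host dst (simple host/host form only)."""
    return re.search(rf"permit (?:ip|gre) host {re.escape(src)} host {re.escape(dst)}", asa_acls) is not None

def check_gre_path(ios_cfg, asa_acls):
    """(src, dst) pairs between the router ID and each cache engine that no ASA ACE permits.
    The WCCP GRE tunnel is sourced from the router ID, so ACEs naming a physical interface miss it."""
    rid, missing = wccp_router_id(ios_cfg), []
    for cache in sorted(wccp_clients(ios_cfg)):
        for src, dst in ((rid, cache), (cache, rid)):
            if not asa_permits(asa_acls, src, dst):
                missing.append((src, dst))
    return missing
```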

Thanks again Jennifer. I really appreciate your help.

no ip verify reverse-path interface inside

Does this command have any security implications?

Not really security implications. It's more that it could cause a routing loop if it's not configured and you run dynamic routing protocols, but if not, it should be OK.

Dear Andrew,

We are trying to configure a similar setup in our network. Did you get this design working based on the GRE tunnel? Please share some design docs, which would be helpful for us. Thanks.

Regards,

Madhan kumar G