02-05-2013 08:28 PM
Hello all,
I need some advice / help getting WCCP working with our Cisco Ironport, ASA and 3945 router.
At the moment, I’m trying to isolate the WCCP redirect traffic to my own PC so I don’t break our existing proxy traffic.
This is our setup:
LAN: 192.168.x.x/24
C3945_L0: 203.0.158.1
C3945_G0: 203.0.156.108 (Inside)
C3945_G1: 203.0.157.29 (Outside)
S650_G0: 203.0.159.21
MY_PC_E0: 192.168.8.124
The traffic flow should be:
LAN -> C3945 -> ASA5520 -> S650
The Ironport S650 is located in our DMZ.
From my understanding, I need to create a few service profiles on our Ironport.
They are:
http (80) = 1
http_reverse (80) = 20
https (443) = 70
https_reverse (443) = 90
The router address specified on the above service profiles is the outside interface of the C3945 (203.0.157.29).
On our C3945 router is the following configuration:
ip wccp 1 redirect-list acl-proxy-redirect group-list 11
ip wccp 20 redirect-list acl-proxy-reverse group-list 11
ip wccp 70 redirect-list acl-proxy-redirect group-list 11
ip wccp 90 redirect-list acl-proxy-reverse group-list 11
access-list 11 permit 203.0.159.21
ip access-list extended acl-proxy-redirect
permit tcp host 192.168.8.124 any eq www
ip access-list extended acl-proxy-reverse
permit tcp any eq www host 192.168.8.124
interface Loopback0
ip address 203.0.158.1 255.255.255.255
interface GigabitEthernet0/0
description INSIDE Connection
ip address 203.0.156.108 255.255.255.0
ip wccp 1 redirect in
ip wccp 70 redirect in
interface GigabitEthernet0/1
description OUTSIDE DMZ Connection
ip address 203.0.157.29 255.255.255.224
ip wccp 20 redirect in
ip wccp 90 redirect in
On our Cisco ASA Firewall, I have the following ACL setup to allow traffic:
access-list inside_access_in line 72 extended permit ip host 203.0.157.29 host 203.0.159.21
access-list dmz2_public_access_in line 56 extended permit ip host 203.0.159.21 host 203.0.157.29
Does this configuration look correct? I don't seem to be having any success.
Thanks in advance,
Andrew.
02-05-2013 09:42 PM
With the ASA, you would need to have your host and the Ironport (WCCP server) connecting to and from the same ASA interface, i.e. both from the INSIDE. You can't have the LAN and the Ironport connected to two different ASA interfaces, as that is not supported.
Here is the config guide to confirm:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/basic_wccp.html#wp1143527
Quoted from the above URL:
"WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA."
Hope that answers your question on why it's not working.
02-05-2013 10:18 PM
Hi Jennifer,
Thanks for the reply.
I was under the assumption you could get around this limitation by creating a GRE tunnel from an inside router (our 3945) to the Ironport (S650) in the DMZ.
02-05-2013 10:19 PM
If you create a GRE tunnel from inside to the Ironport then your WCCP needs to be done on the router, not on the ASA.
02-05-2013 10:22 PM
That's what my configuration above indicates. The ASA only allows the traffic through from the router to the Ironport.
02-05-2013 10:30 PM
Apologies, I must have been dreaming when I read your initial post. Sorry for that.
Yes, that should work as the ASA is only passing the traffic.
Where is it failing? Do you have NAT or NAT exemption configured on the ASA?
Do you get any hitcount on the ASA ACL?
02-05-2013 10:36 PM
No problem. I appreciate discussing this in more detail as I'm trying to understand it properly.
I am getting hits on one of the ACLs, but I've left work for the day and can't remember which one.
I'll post some more information first thing tomorrow morning.
Thank you!
02-06-2013 03:15 PM
Ok. I have a bit more info. With the above configuration, I'm not getting any hits on either ACL on the ASA.
My WCCP on the C3945 shows the following stats:
Global WCCP information:
    Router information:
        Router Identifier:                   203.0.158.1
        Protocol Version:                    2.0

    Service Identifier: 1
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        49
          Process:                           0
          CEF:                               49
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-redirect
        Total Packets Denied Redirect:       311
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 20
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-reverse
        Total Packets Denied Redirect:       311
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 70
        Number of Service Group Clients:     1
        Number of Service Group Routers:     2
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-redirect
        Total Packets Denied Redirect:       2809
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                acl-proxy-reverse
        Total Packets Denied Redirect:       10776
        Total Packets Unassigned:            0
        Group Access-list:                   11
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

WCCP version 2 enabled, 4 services

Service   Clients   Routers   Assign   Redirect   Bypass
-------   -------   -------   ------   --------   ------
Default routing table (Router Id: 203.0.158.1):
      1         1         1     HASH        GRE      GRE
     20         1         1     HASH        GRE      GRE
     70         1         2     HASH        GRE      GRE
     90         1         1     HASH        GRE      GRE
I checked the syslog on the ASA and get the following:
"Deny GRE reverse path check from C3945_Lp0 to S650_G0 on interface inside"
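The counters above can be read against the configuration in the first post, and two things stand out: the redirect-lists for services 70 and 90 (the https pair) only contain `eq www` entries, so port 443 traffic can never be redirected into those groups, and service 70 reports two routers where the other groups report one. The following script, added here as an example rather than code from the thread or from Cisco, parses the redirect ACLs and the `show ip wccp` counters (both constructed from the posts above, abbreviated) and flags service groups that cannot redirect the traffic they were defined for. The service-to-port mapping is taken from the S650 service profiles listed in the first post.

```python
"""Sanity checks for a WCCP deployment: cross-check each service group's
port against its redirect-list and against the live redirect counters.
Added example, not the poster's or Cisco's code; inputs are constructed
from the thread."""
import re

# Constructed from the first post: WCCP service id -> TCP port it carries
# (1/20 are the http pair, 70/90 the https pair).
SERVICE_PORT = {1: 80, 20: 80, 70: 443, 90: 443}

# Service -> redirect-list name, from the `ip wccp <n> redirect-list` lines.
REDIRECT_LIST = {1: "acl-proxy-redirect", 20: "acl-proxy-reverse",
                 70: "acl-proxy-redirect", 90: "acl-proxy-reverse"}

# The two redirect ACLs as posted for the C3945.
IOS_ACLS = """\
ip access-list extended acl-proxy-redirect
 permit tcp host 192.168.8.124 any eq www
ip access-list extended acl-proxy-reverse
 permit tcp any eq www host 192.168.8.124
"""

# Abbreviated `show ip wccp` output carrying the counters from the thread.
SHOW_IP_WCCP = """\
Global WCCP information:
  Service Identifier: 1
    Number of Service Group Routers: 1
    Total Packets s/w Redirected: 49
    Total Packets Denied Redirect: 311
  Service Identifier: 20
    Number of Service Group Routers: 1
    Total Packets s/w Redirected: 0
    Total Packets Denied Redirect: 311
  Service Identifier: 70
    Number of Service Group Routers: 2
    Total Packets s/w Redirected: 0
    Total Packets Denied Redirect: 2809
  Service Identifier: 90
    Number of Service Group Routers: 1
    Total Packets s/w Redirected: 0
    Total Packets Denied Redirect: 10776
"""

# IOS port keywords that may appear after `eq` in an extended ACL.
IOS_PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "telnet": 23, "domain": 53}


def _port(token):
    return int(token) if token.isdigit() else IOS_PORT_NAMES[token]


def parse_redirect_acls(text):
    """Map each extended ACL name to the set of TCP ports its permit entries match."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = set()
            continue
        m = re.search(r"\bpermit tcp .*\beq (\S+)", line)
        if m and current is not None:
            acls[current].add(_port(m.group(1)))
    return acls


COUNTERS = {
    "routers": r"Number of Service Group Routers:\s*(\d+)",
    "redirected": r"Total Packets s/w Redirected:\s*(\d+)",
    "denied": r"Total Packets Denied Redirect:\s*(\d+)",
}


def parse_show_ip_wccp(text):
    """Map each service id to its router count and redirect/deny counters."""
    stats, sid = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\d+)", line)
        if m:
            sid = int(m.group(1))
            stats[sid] = {}
            continue
        for key, pattern in COUNTERS.items():
            m = re.search(pattern, line)
            if m and sid is not None:
                stats[sid][key] = int(m.group(1))
    return stats


def find_problems(service_port, redirect_list, acls, stats):
    """Return (service_id, reason) pairs for groups that cannot work as intended."""
    problems = []
    for sid, port in service_port.items():
        acl = redirect_list[sid]
        if port not in acls.get(acl, set()):
            problems.append((sid, f"redirect-list {acl} has no entry for tcp/{port}"))
        s = stats.get(sid, {})
        if s.get("redirected", 0) == 0 and s.get("denied", 0) > 0:
            problems.append((sid, "nothing redirected yet; every candidate packet was denied by the redirect-list"))
        if s.get("routers", 1) != 1:
            problems.append((sid, f"{s['routers']} routers in the group; compare with the router list set on the S650"))
    return problems


if __name__ == "__main__":
    found = find_problems(SERVICE_PORT, REDIRECT_LIST,
                          parse_redirect_acls(IOS_ACLS), parse_show_ip_wccp(SHOW_IP_WCCP))
    for sid, reason in found:
        print(f"service {sid}: {reason}")
```

Run against the thread's data it reports nothing for service 1 (49 packets redirected, the denied count being the rest of the LAN traffic that the single-host redirect-list excludes) and flags 20, 70 and 90; the port mismatch on 70 and 90 is a configuration error independent of the ASA problem discussed below.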
02-06-2013 05:35 PM
Please try to disable the reverse path check on the ASA inside interface as follows:
no ip verify reverse-path interface inside
02-06-2013 07:08 PM
Hi Jennifer,
Are there any security implications if I do this? Is this something that needs to be done because we are using a GRE tunnel through the ASA?
Also, the reverse path check points to the loopback address of the inside router. Is this correct? Do I need to add the router's loopback address to the ASA ACLs?
Thanks,
Andrew.
02-06-2013 08:01 PM
That's correct, WCCP uses the router loopback address as its identifier.
I would add the router loopback address into the ASA ACLs, as well as into the routing table pointing towards the ASA inside next hop.
02-06-2013 08:23 PM
Thanks again Jennifer. I really appreciate your help.
no ip verify reverse-path interface inside
Does this command have any security implications?
02-06-2013 08:38 PM
Not really any security implications.. it's more that it could cause a routing loop if it's not configured and you run dynamic routing protocols, but if not, it should be OK.
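The syslog line earlier in the thread ("Deny GRE reverse path check from C3945_Lp0 to S650_G0 on interface inside") shows the two facts that matter: the WCCP tunnel is GRE, and it is sourced from the router's Loopback0 (the WCCP router ID), not from the G0/1 address that the posted ASA ACLs name. That is why the ACLs show no hits, and why `ip verify reverse-path` drops the packet: the ASA has no route to 203.0.158.1 out of its inside interface. The model below, added here as an example and not Cisco code or anything from the thread, reproduces the two checks the inside interface applies (uRPF, then `inside_access_in`) and shows that a host route for the loopback plus a GRE ACL entry lets the tunnel through with uRPF still enabled, whereas disabling uRPF alone just moves the drop to the ACL and removes source-address validation for everything else arriving on inside. The ASA route table, the `dmz2` interface name (taken from the ACL name `dmz2_public_access_in`) and the next hop for the loopback (the router's G0/1, 203.0.157.29) are assumptions. The return path needs the mirror entry on `dmz2_public_access_in` for GRE from 203.0.159.21 to 203.0.158.1, which this model does not cover.

```python
"""Model of the ASA inside-interface ingress checks for the WCCP GRE tunnel.
Added example, not Cisco code; addresses are from the thread, the ASA
route table and next hop are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class Ace:
    """One permit entry of an ASA extended ACL; proto 'ip' matches every protocol."""
    proto: str
    src: IPv4Address
    dst: IPv4Address


@dataclass
class AsaInsideInterface:
    routes: list
    acl: list                          # inside_access_in
    verify_reverse_path: bool = True   # ip verify reverse-path interface inside

    def egress(self, ip):
        """Interface the ASA would forward to `ip` through (longest-prefix match)."""
        best = max((r for r in self.routes if ip in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        return best.interface if best else None

    def check(self, proto, src, dst):
        # uRPF: a source arriving on inside must itself be routed via inside;
        # otherwise the ASA logs "Deny <proto> reverse path check ... on interface inside".
        if self.verify_reverse_path and self.egress(src) != "inside":
            return "DENY: reverse path check"
        for ace in self.acl:
            if ace.proto in ("ip", proto) and ace.src == src and ace.dst == dst:
                return "PERMIT"
        return "DENY: no ACL match"


LOOPBACK = IPv4Address("203.0.158.1")     # C3945 Lo0 = WCCP router ID, GRE source
ROUTER_DMZ = IPv4Address("203.0.157.29")  # C3945 G0/1; assumed to be the ASA's inside next hop
S650 = IPv4Address("203.0.159.21")        # Ironport in the DMZ


def original_asa():
    """ASA as posted: ACL line 72 only, no route for the loopback (routes assumed)."""
    return AsaInsideInterface(
        routes=[Route(IPv4Network("203.0.157.0/27"), "inside"),   # assumed connected subnet
                Route(IPv4Network("203.0.159.0/24"), "dmz2"),     # assumed DMZ holding the S650
                Route(IPv4Network("0.0.0.0/0"), "outside")],      # assumed default route
        acl=[Ace("ip", ROUTER_DMZ, S650)])


def fixed_asa():
    """Same ASA with the two additions that admit the tunnel while uRPF stays on:
         route inside 203.0.158.1 255.255.255.255 203.0.157.29
         access-list inside_access_in extended permit gre host 203.0.158.1 host 203.0.159.21
    """
    asa = original_asa()
    asa.routes.append(Route(IPv4Network("203.0.158.1/32"), "inside"))
    asa.acl.append(Ace("gre", LOOPBACK, S650))
    return asa


def wccp_tunnel_verdict(asa):
    """Verdict for the router-to-S650 WCCP GRE packet as it enters the inside interface."""
    return asa.check("gre", LOOPBACK, S650)


if __name__ == "__main__":
    print("as posted:            ", wccp_tunnel_verdict(original_asa()))
    relaxed = original_asa()
    relaxed.verify_reverse_path = False   # `no ip verify reverse-path interface inside`
    print("uRPF disabled only:   ", wccp_tunnel_verdict(relaxed))
    print("route + ACL, uRPF on: ", wccp_tunnel_verdict(fixed_asa()))
```

The three printed verdicts are the three states the thread moves through: the posted configuration fails the reverse-path check, removing the check alone still denies the packet because no ACL entry names the loopback, and the host route plus GRE entry permit it without giving up anti-spoofing on the inside interface.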
03-26-2013 06:53 AM
Dear Andrew,
We are trying to configure a similar setup in our network. Did you get this design working based on the GRE tunnel? Please share any design docs, which would be helpful for us. Thanks.
Regards,
Madhan kumar G