I have a problem. I'm trying to set the WCCP redirection on my ASA 5510 to an IronPort box.
The problem I face is that the traffic from the client to the server is effectively put in the GRE tunnel, but the return traffic is not. As a result, I get drops on my FW:
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/<client IP>(48965) -> outside/<server IP>(80) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp internet-dmz/<server IP>(80) -> inside/<client IP>(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]
A tcpdump/capture shows that the return packet is not encapsulated.
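An added example, not from the thread, that parses ASA 106100 log lines like the two above and flags a permitted outbound flow whose reply was denied on another interface, the symptom of WCCP return traffic arriving outside the GRE tunnel. The addresses and interface names in the sample lines are constructed.

```python
import re

# Constructed sample lines modelled on the %ASA-4-106100 messages in the post above;
# the addresses and interface names are assumptions, not from a real device.
SAMPLE_LOGS = [
    "Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp "
    "inside/10.1.1.50(48965) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x433f2632, 0x0]",
    "Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp "
    "internet-dmz/203.0.113.10(80) -> inside/10.1.1.50(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]",
    "Feb 23 08:32:40 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp "
    "inside/10.1.1.51(50001) -> outside/203.0.113.11(443) hit-cnt 1 first hit [0x1, 0x0]",
]

# Fields of a 106100 message: ACL name, verdict, protocol, then iface/ip(port) on each side.
LOG_RE = re.compile(
    r"%ASA-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[\w-]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[\w-]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_106100(line):
    """Return the parsed fields of a 106100 line, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_asymmetric_denies(lines):
    """Return (client, server, deny_interface) for each denied flow that is the exact
    reverse of a permitted flow: the reply came back in the clear on some interface
    instead of inside the WCCP GRE tunnel, so the firewall had no matching connection."""
    permitted = {}
    for line in lines:
        e = parse_106100(line)
        if e and e["action"] == "permitted":
            permitted[(e["proto"], e["sip"], e["sport"], e["dip"], e["dport"])] = e
    findings = []
    for line in lines:
        e = parse_106100(line)
        if not e or e["action"] != "denied":
            continue
        # Key of the flow in the opposite direction (server -> client becomes client -> server).
        reverse = (e["proto"], e["dip"], e["dport"], e["sip"], e["sport"])
        if reverse in permitted:
            findings.append((e["dip"], e["sip"], e["sif"]))
    return findings


if __name__ == "__main__":
    for client, server, iface in find_asymmetric_denies(SAMPLE_LOGS):
        print(f"reply {server} -> {client} denied on {iface}: not GRE-encapsulated")
```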
Found my problem ...
I was trying to have the IronPort on a different interface than the client, which doesn't work well. A bit of a shame, as I was trying to have the proxy in its own DMZ.
Anyway, it works super fine now.
Unfortunately, you are correct. The ASA has the most restrictive requirements for WCCP redirection. Switches and routers are able to redirect any interfaces, regardless of where the WSA sits.
Thanks for updating your post with the solution information.
I wish Cisco would change this to include WCCP redirection as an inspect.
On Thu, Feb 24, 2011 at 10:36 AM, jowolfer <