
Issue with WCCP redirection on ASA and IronPort - Help

Hello Experts,

I have a problem. I'm trying to set the WCCP redirection on my ASA 5510 to an IronPort box.


The problem I face is that the traffic from the client to the server is effectively put in the GRE tunnel, but the return traffic is not. As a result, I got drops on my FW:

Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/<client IP>(48965) -> outside/<server IP>(80) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp internet-dmz/<server IP>(80) -> inside/<client IP>(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]

A tcpdump/capture shows that the return packet is not encapsulated.

Any pointer?

J.
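
The symptom in the two log lines above, a flow permitted in one direction and its return packet denied on another interface, can be picked out of ASA syslog automatically. This is an added example, not part of the original post; the sample lines are constructed, with documentation-range addresses standing in for the redacted <client IP> and <server IP>, and the function and field names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample in the format of the %ASA-4-106100 lines quoted in the post.
# Addresses are documentation ranges, not values from the original thread.
SAMPLE_LOG = """\
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/192.0.2.10(48965) -> outside/198.51.100.5(80) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp internet-dmz/198.51.100.5(80) -> inside/192.0.2.10(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]
Feb 23 08:32:40 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/192.0.2.11(50211) -> outside/198.51.100.9(443) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:41 172.30.1.20 %ASA-4-106100: access-list acl-outside denied tcp outside/203.0.113.7(4444) -> inside/192.0.2.11(22) hit-cnt 1 first hit [0x11111111, 0x0]
"""

LINE_RE = re.compile(
    r"%ASA-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<sip>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[^(\s]+)\((?P<dport>\d+)\)"
)

Asym = namedtuple("Asym", "proto client server permit_acl deny_acl deny_ingress")

def find_asymmetric_flows(log_text):
    """Return flows whose forward packet was permitted but whose reply was denied."""
    permitted = {}  # (proto, src, sport, dst, dport) -> ACL that permitted it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 106100 ACL hit message
        fwd = (m["proto"], m["sip"], m["sport"], m["dip"], m["dport"])
        rev = (m["proto"], m["dip"], m["dport"], m["sip"], m["sport"])
        if m["action"] == "permitted":
            permitted[fwd] = m["acl"]
        elif rev in permitted:
            # A denied packet that mirrors an earlier permitted flow: the reply
            # arrived on an interface where it matched no existing connection.
            findings.append(Asym(m["proto"], f'{m["dip"]}:{m["dport"]}',
                                 f'{m["sip"]}:{m["sport"]}', permitted[rev],
                                 m["acl"], m["sif"]))
    return findings

if __name__ == "__main__":
    for f in find_asymmetric_flows(SAMPLE_LOG):
        print(f"{f.proto} {f.client} -> {f.server}: permitted by {f.permit_acl}, "
              f"reply denied by {f.deny_acl} on {f.deny_ingress}")
```

The correlation assumes the permit line is logged before the matching deny, as in the excerpt in the post.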

3 REPLIES 3

Re: Issue with WCCP redirection on ASA and IronPort - Help

Found my problem ...

I was trying to have the IronPort on a different interface than the client, which doesn't work well. A bit of a shame, as I was trying to have the proxy in its own DMZ.

Anyway, works superfine now.

J.


Re: Issue with WCCP redirection on ASA and IronPort - Help

J,

Unfortunately, you are correct. The ASA has the most restrictive requirements for WCCP redirection. Switches and routers are able to redirect any interfaces, regardless of where the WSA sits.

Thanks for updating your post with the solution information.

Cheers,


Re: Issue with WCCP redirection on ASA and IronPort - Help

Hello,

I wish Cisco would change this to include WCCP redirection as an inspect action ...

J.

On Thu, Feb 24, 2011 at 10:36 AM, jowolfer <