02-23-2011 05:43 AM
Hello Experts,
I have a problem. I'm trying to set the WCCP redirection on my ASA 5510 to an IronPort box.
The problem I face is that the traffic from the client to the server is effectively put in the GRE tunnel, but the return traffic is not. As a result, I get drops on my FW:
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/<client IP>(48965) -> outside/<server IP>(80) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp internet-dmz/<server IP>(80) -> inside/<client IP>(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]
A tcpdump/capture shows that the return packet is not encapsulated.
Any pointer?
J.
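The two %ASA-4-106100 lines above are the whole symptom: the client-to-server packet is permitted on one interface and the server-to-client reply, whose 5-tuple is the exact reverse, is denied on another. The following script is an added example, not part of the original post, that parses 106100 messages and pairs each denied packet with an earlier permitted flow in the opposite direction, which is a quick way to spot this kind of asymmetric return path in a syslog export. The sample lines, the 10.10.10.x and 203.0.113.x addresses and the parser itself are constructed for the example; only the message format comes from the post.

```python
import re

# Constructed sample lines, modelled on the two %ASA-4-106100 entries quoted in
# the post; the 10.10.10.x and 203.0.113.x addresses are placeholders.
SAMPLE_LOG = """\
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/10.10.10.25(48965) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x433f2632, 0x0]
Feb 23 08:32:33 172.30.1.20 %ASA-4-106100: access-list acl-dmz denied tcp internet-dmz/203.0.113.10(80) -> inside/10.10.10.25(48965) hit-cnt 1 first hit [0x6382e83b, 0x0]
Feb 23 08:32:40 172.30.1.20 %ASA-4-106100: access-list acl-inside permitted tcp inside/10.10.10.26(50001) -> outside/203.0.113.11(443) hit-cnt 1 first hit [0x0a0b0c0d, 0x0]
"""

# Fields of a 106100 message:
#   access-list <acl> <permitted|denied> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
LINE_RE = re.compile(
    r"%ASA-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)"
)


def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_asymmetric_returns(log_text):
    """Pair each denied packet with a previously permitted flow in the opposite
    direction. A hit means the ASA saw the client->server leg on one path but
    the server->client leg came back somewhere it was not expected (in the
    post: unencapsulated, on a different interface, hitting a DMZ ACL)."""
    permitted = {}   # forward 5-tuple -> record of the permitted packet
    findings = []
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec is None:
            continue
        fwd_key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "permitted":
            permitted[fwd_key] = rec
            continue
        # For a denied packet, look up the reverse 5-tuple among permitted flows.
        rev_key = (rec["proto"], rec["dst"], rec["dport"], rec["src"], rec["sport"])
        fwd = permitted.get(rev_key)
        if fwd is not None:
            findings.append({
                "client": fwd["src"],
                "server": fwd["dst"],
                "server_port": fwd["dport"],
                "forward_egress_if": fwd["dst_if"],
                "return_ingress_if": rec["src_if"],
                "denying_acl": rec["acl"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_asymmetric_returns(SAMPLE_LOG):
        print(f"asymmetric return: {hit['client']} -> {hit['server']}:{hit['server_port']} "
              f"left via {hit['forward_egress_if']}, reply arrived on "
              f"{hit['return_ingress_if']} and was dropped by {hit['denying_acl']}")
```

Run it against a syslog export from the ASA (one message per line); every reported pair is a flow whose reply reached the firewall on an interface other than the one the request left through, which is exactly what an unencapsulated WCCP return leg looks like from the firewall's side.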
02-23-2011 07:22 AM
Found my problem ...
I was trying to have the IronPort on a different interface than the client, which doesn't work well. A bit of a shame, as I was trying to have the proxy in its own DMZ.
Anyway, works superfine now.
J.
02-24-2011 07:36 AM
J,
Unfortunately, you are correct. The ASA has the most restrictive requirements for WCCP redirection. Switches and routers are able to redirect any interfaces, regardless of where the WSA sits.
Thanks for updating your post with the solution information.
Cheers,
03-02-2011 02:12 PM
Hello,
I wish Cisco would change this to include WCCP redirection as an inspect action ...
J.