Problem with S170 not seeing traffic from users behind a different ASA interface

baskervi
Level 1

I followed https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration more or less, with the exception of using a service ID of 90 and not the default web-cache service.

The ASA has multiple interfaces in use. The S170 is seeing traffic for all users on the same interface it's on, but it doesn't see traffic on a different interface. The S170 is on the PROD_INTERNAL interface. For the URL I noted above, the following comment is made:

"WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA."

I take it I'm trying to configure this in a way that won't work? Is there a way I can make this work? Here is a portion of the ASA configuration. Thank you.


wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
MO-FW1(config)# sh runn | in WCCP
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS


Accepted Solutions

It's probably too late, but no, you can't make it work the way you want with WCCP on the ASA. The ASA won't redirect "through itself" to the WSA.

If you have users that hit 2 interfaces of an ASA (e.g. users "inside", and users in a "dmz"), you have to put a WSA on the inside (and it can be ANYWHERE, including across routers) and a WSA in the DMZ.


baskervi
Level 1

We're really stumped here and haven't made any progress. Does anyone have any ideas? Thanks


Thanks for the message. I got that input loud and clear. We ended up restructuring our layout to make this work.
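
An added example, not part of the original thread: a Python check that reads an ASA configuration and reports every `wccp interface ... redirect in` statement whose cache engine (taken from the group-list ACL) is reached through a different interface, which is the layout the accepted answer says the ASA will not redirect. Only the access-list and wccp lines come from the post; the interface addresses and the static route in the sample are constructed assumptions.

```python
import ipaddress

# Constructed sample: access-list/wccp lines are from the post; the interface
# addresses and the route are assumptions made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif PROD_INTERNAL
 ip address 10.10.100.1 255.255.255.0
interface GigabitEthernet0/2
 nameif FW_INSIDE
 ip address 10.11.0.1 255.255.255.0
route FW_INSIDE 10.12.0.0 255.255.0.0 10.11.0.2
access-list WCCP-REDIRECT-IN extended permit tcp 10.10.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT-IN extended permit tcp 10.12.0.0 255.255.0.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.10.100.10 any
wccp 90 redirect-list WCCP-REDIRECT-IN group-list WCCP-SERVERS
wccp interface FW_INSIDE 90 redirect in
wccp interface PROD_INTERNAL 90 redirect in
"""

def audit_wccp(config):
    """Return {redirect interface: [cache engines behind a different interface]}."""
    nets, groups, acl_hosts, redirects, nameif = [], {}, {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["nameif"]:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:   # connected network
            nets.append((ipaddress.ip_interface(f"{w[2]}/{w[3]}").network, nameif))
        elif w[:1] == ["route"]:                      # route <ifname> <net> <mask> <gw>
            nets.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[1]))
        elif w[:1] == ["access-list"] and "host" in w:
            acl_hosts.setdefault(w[1], []).append(ipaddress.ip_address(w[w.index("host") + 1]))
        elif w[:2] == ["wccp", "interface"]:          # wccp interface <ifname> <svc> redirect in
            redirects.append((w[2], w[3]))
        elif w[:1] == ["wccp"] and "group-list" in w: # wccp <svc> ... group-list <acl>
            groups[w[1]] = w[w.index("group-list") + 1]

    def egress(ip):  # longest-prefix match over connected and static routes
        hits = [(net.prefixlen, ifc) for net, ifc in nets if ip in net]
        return max(hits)[1] if hits else None

    findings = {}
    for ifc, svc in redirects:
        wrong = [str(ip) for ip in acl_hosts.get(groups.get(svc), []) if egress(ip) != ifc]
        if wrong:
            findings[ifc] = wrong
    return findings

if __name__ == "__main__":
    print(audit_wccp(SAMPLE_CONFIG))
```

On the sample it flags FW_INSIDE, because the only WSA in WCCP-SERVERS sits behind PROD_INTERNAL.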
