699 Views | 0 Helpful | 4 Replies

WCCP Redirect To Ironport - ASA VPN Traffic

Dave Christman
Level 1

Hello, we have an ASA 5545X as our internet edge firewall. On this we are doing WCCP redirect for HTTP traffic that comes in on our inside interface, where we have an Ironport S380. Normal internet traffic that comes into the inside interface and egresses the outside works fine with this. We also use this firewall to terminate our backup VPN tunnels for our sites. For our site-to-site tunnels we do full tunnels and route all traffic back. But we are not able to get this traffic to WCCP redirect to the Ironport, even with the default tunneled route. I opened a TAC case and Cisco said this is a limitation on the ASA. I'm wondering if I move the WCCP redirect somewhere else, like the core router inside, whether this will work then. Has anyone run into this and have an idea how to fix it?

Thanks,
Dave

4 Replies

If your site-to-site tunnels are terminated on the ASA and all traffic isn't forced to the core router somehow, moving WCCP to the core won't work either. The traffic is WCCP'd on ingress to the inside interface, and internet-bound traffic gets turned around at the outside interface.

If you could get all traffic forced to the core router somehow, you wouldn't have to move WCCP, as it would be picked up on its way through the firewall headed for the internet.

And you can't WCCP across the firewall, so putting WCCP on the outside interface to a WSA on the inside interface won't work either.
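The behaviour this reply describes, as an added configuration example that is not from the thread, from Cisco, or from the poster: a minimal ASA WCCP setup with redirection bound to the inside interface only. The interface names, the 10.10.0.0/16 LAN and the WSA address 10.10.1.50 are assumed placeholders.

```text
! Added example, not part of the original thread.
! Assumed: 10.10.0.0/16 = inside LAN, 10.10.1.50 = WSA (Ironport S380)
! reachable through the "inside" interface.

! Traffic that should be redirected to the WSA. The WSA's own HTTP
! requests are excluded first, otherwise they would be redirected back
! to the WSA in a loop.
access-list WCCP_REDIRECT extended deny tcp host 10.10.1.50 any eq www
access-list WCCP_REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq www

! Hosts allowed to join the service group as cache engines.
access-list WCCP_WSA standard permit host 10.10.1.50

! Standard web-cache service (service 0, TCP/80), with both lists applied.
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_WSA

! ASA evaluates WCCP on ingress only, so redirection is tied to the
! interface a packet ENTERS. LAN clients enter on "inside" and match.
wccp interface inside web-cache redirect in

! This is what lets VPN traffic that arrives on "outside" be decrypted
! and sent back out "outside" to the internet (the "turned around at
! the outside interface" path). Such packets never enter "inside", so
! the redirect above never sees them.
same-security-traffic permit intra-interface
```

On the ASA, `show wccp` confirms the service group and whether the WSA has registered as a cache engine, and `show wccp interfaces` shows which interface the ingress redirect is bound to. Moving the `wccp interface ... redirect in` line to `outside` does not help, because the WSA sits behind `inside` and the ASA cannot redirect across interfaces.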

Yeah, I see what you're saying. I'm actually wondering if I can terminate the backup tunnels on a different firewall and route the traffic inside over to this one, being that it would come to the inside now that way. Not sure that is the best way, but I believe it would work.

The trick there would be making sure the internet bound traffic doesn't want to just head back out the port it came in on.  We use DMVPNs to do this, and it works fine... I assume the firewall can be convinced to behave similarly...

Yup, we are about to do a POC on DMVPN as well. That was one of my other thoughts, although it will be some time until DMVPN is implemented at all sites.