cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
579
Views
0
Helpful
3
Replies

wsa deploying

Tomasz Mowinski
Beginner
Beginner
Hi
I have to install two WSA S170 apliances (for redundancy purposes) in our network which looks like on attached scheme. I have to assure that web traffic from hosts connected to us via VPN (10.0.1.0/24), hosts in local office (200.0.0.0/24) and servers (220.0.0.0/24) will go through a
WSA. I went through few deployment guides but in every scenario a host's network was terminated directly on an ASA and a wsa was connected directly to this network.
I would like to use transparen redirection (WCCP).
Can you please advice where/how should I connect these WSAs into my network to redirect http/https traffic using wccp to WSA ?
 
 
 
 
 
 
 
 
 
 

 

1 Accepted Solution

Accepted Solutions

Luis Silva Benavides
Cisco Employee
Cisco Employee

Hi,

Remember that the ASA has the limitation that the clients and the WSA must be behind the same interface.

That VPN connection is L2L? Because if this is the case, WCCP redirection for the the VPN users must not be the best approach. Have you consider changing the proxy settings the browser? or an On-site solution for this remote site like WSA or Cloud Web Security?

 

Regards,

 

Luis Silva

 

Luis Silva

View solution in original post

3 Replies 3

Luis Silva Benavides
Cisco Employee
Cisco Employee

Hi,

Remember that the ASA has the limitation that the clients and the WSA must be behind the same interface.

That VPN connection is L2L? Because if this is the case, WCCP redirection for the the VPN users must not be the best approach. Have you consider changing the proxy settings the browser? or an On-site solution for this remote site like WSA or Cloud Web Security?

 

Regards,

 

Luis Silva

 

Luis Silva

Hi 

 I've alredy configured a WCCP redirection for all networks which are behind the same interface of an ASA and enabled proxy in remote hosts browsers (VPNs are L2L).

It works fine.

 

thank you for your answers

regards

Depending on which size/model your ASA FW for internetbreakout is, you could create a second context based firewall running on the same fysical hardware.

You could then have the diffent clients run out the same interface on FW context 2 and make WCCP redirect on FW context 1. See attached picture.

It all depends on if your ASA model support context based instances.

br,

M

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: