696 Views | 0 Helpful | 1 Reply

WSA implementation issue

ahmd.anvar (Level 1)

Hello everyone.

I am implementing Cisco WSA with one of my customers.

The customer has a Palo Alto as the firewall and a Catalyst 9400 as the LAN core.

The FW has PBR configured based on source address, pointing to different routers.

Also, integrating the WSA with a third-party FW would need a lot of configuration, so I suggested the customer integrate it with the LAN core, which is a Cisco device.

So all three devices (LAN core, WSA and PA FW) will belong to the same subnet, 192.168.110.0/24.

When traffic exits from the LAN core, it should be redirected to the WSA, and the WSA has a default route pointing towards the FW.

Since the FW has PBR configured for source address towards destination, I have enabled the IP spoofing feature in the WSA so that the source address is not changed.

Then traffic flows from the FW to outside, and return traffic from outside comes back to the FW.

In the FW, we have a static route configured for the LAN subnet pointing to the LAN core interface, 192.168.110.250.

Once traffic hits the LAN core, in order to avoid asymmetric routing, I have again redirected the traffic back to the WSA using another redirect policy.

So basically I have used two redirections in the LAN core, one for outgoing traffic (REDIR_OUT) and another for incoming traffic (REDIR_IN).

I have configured a static route in the WSA for the LAN subnet pointing toward the LAN core interface after redirection.


Here is my configuration in the LAN core.


ip access-list standard WSA
 permit 192.168.110.101
 permit 192.168.110.100
 permit 192.168.110.102

ip access-list extended REDIR_OUT
 permit tcp host 10.10.1.165 any eq www
 permit tcp host 10.10.1.165 any eq 443
 deny ip any host 10.10.1.165

ip access-list extended REDIR_IN
 permit tcp any eq www host 10.10.1.165
 permit tcp any eq 443 host 10.10.1.165
 deny ip host 10.10.1.165 any

ip wccp vrf INT 90 redirect-list REDIR_OUT group-list WSA password 7 02050D480809

ip wccp vrf INT 91 redirect-list REDIR_IN group-list WSA password 7 104D000A0618

interface Vlan100
 description "INTERNET"
 ip vrf forwarding INT
 ip address 192.168.110.250 255.255.255.0
 ip wccp vrf INT 90 redirect out
 ip wccp vrf INT 91 redirect in


I see the redirection is not happening, and I don't see any traffic hits in the WSA.


Lan-Core#sho ip wccp vrf INT
VRF INT WCCP information:
Router information:
Router Identifier: 192.168.110.250
Configured source-interface: Vlan100

Service Identifier: 90
Protocol Version: 2.01
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 0
Process: 0
CEF: 0
Platform: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: REDIR_OUT
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: WSA
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
GRE tunnel interface: Tunnel2

Service Identifier: 91
Protocol Version: 2.01
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 0
Process: 0
CEF: 0
Platform: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: REDIR_IN
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: WSA
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0

 

Lan-Core#sho ip wccp vrf INT 90 view
WCCP Routers Informed of:
192.168.110.250

WCCP Clients Visible:
192.168.110.101

WCCP Clients NOT Visible:
-none-

HQ-NT3-Core#sho ip wccp vrf INT 91 view
WCCP Routers Informed of:
192.168.110.250

WCCP Clients Visible:
192.168.110.101

WCCP Clients NOT Visible:
-none-


Device model:

LAN core: Catalyst 9400
WSA: S690
FW: Palo Alto

 

I am attaching the topology diagram for your reference.

I need the experts' support on why redirection is not happening in the WSA. Am I missing any configuration, or is there another way to configure this setup?
1 Reply 1
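The following is an added example, not code from the post or from Cisco: a small offline checker that reads the LAN-core configuration and the `show ip wccp` counters quoted above (copied here as constructed strings) the way a reviewer would, and reports the things worth looking at first when WCCP registration succeeds but nothing is redirected: caches registered with zero redirected packets, an egress (`redirect out`) attachment, and a redirect-list ACL whose client side does not fit the direction it is attached in. The interface-role mapping (which SVI is the firewall-facing "upstream" side) is an assumption passed in as a parameter; the platform remark in the egress finding is a prompt to check the switch's documented WCCP restrictions, not a diagnosis.

```python
"""Offline sanity check of a Catalyst WCCP redirect setup (added example).

Parses IOS WCCP/ACL config and `show ip wccp` counters and reports:
- caches registered but 0 packets redirected,
- egress (`redirect out`) attachments, with the ingress equivalent,
- redirect-list ACLs whose client side does not match the attach direction.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Acl:
    name: str
    client_side: set = field(default_factory=set)   # "source" and/or "destination"


@dataclass
class Service:
    sid: int
    acl: str = ""
    attach: list = field(default_factory=list)      # [(interface, "in" | "out")]


# Constructed input: the relevant lines copied from the post's LAN-core config.
CONFIG = """\
ip access-list standard WSA
 permit 192.168.110.101
ip access-list extended REDIR_OUT
 permit tcp host 10.10.1.165 any eq www
 permit tcp host 10.10.1.165 any eq 443
 deny ip any host 10.10.1.165
ip access-list extended REDIR_IN
 permit tcp any eq www host 10.10.1.165
 permit tcp any eq 443 host 10.10.1.165
 deny ip host 10.10.1.165 any
ip wccp vrf INT 90 redirect-list REDIR_OUT group-list WSA
ip wccp vrf INT 91 redirect-list REDIR_IN group-list WSA
interface Vlan100
 ip vrf forwarding INT
 ip address 192.168.110.250 255.255.255.0
 ip wccp vrf INT 90 redirect out
 ip wccp vrf INT 91 redirect in
"""

# Constructed input: the counters from the post's `show ip wccp vrf INT`, trimmed.
SHOW = """\
VRF INT WCCP information:
Router information:
Router Identifier: 192.168.110.250

Service Identifier: 90
Number of Service Group Clients: 1
Total Packets Redirected: 0
Redirect access-list: REDIR_OUT

Service Identifier: 91
Number of Service Group Clients: 1
Total Packets Redirected: 0
Redirect access-list: REDIR_IN
"""


def _endpoint(tok, i):
    """Consume one ACL endpoint ('any', 'host A', or 'A wildcard') plus an optional 'eq port'."""
    if tok[i] == "any":
        host, i = None, i + 1
    elif tok[i] == "host":
        host, i = tok[i + 1], i + 2
    else:
        host, i = tok[i], i + 2          # network/wildcard pair
    if i < len(tok) and tok[i] == "eq":
        i += 2
    return host, i


def parse_config(text):
    acls, services, cur_acl, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list \w+ (\S+)", line):
            cur_acl, cur_if = Acl(m[1]), None
            acls[cur_acl.name] = cur_acl
        elif m := re.match(r"interface (\S+)", line):
            cur_if, cur_acl = m[1], None
        elif m := re.match(r"ip wccp (?:vrf \S+ )?(\d+) redirect-list (\S+)", line):
            services.setdefault(int(m[1]), Service(int(m[1]))).acl = m[2]
            cur_acl = cur_if = None
        elif cur_if and (m := re.match(r"ip wccp (?:vrf \S+ )?(\d+) redirect (in|out)", line)):
            services.setdefault(int(m[1]), Service(int(m[1]))).attach.append((cur_if, m[2]))
        elif cur_acl and line.startswith("permit tcp"):
            # Only permit entries select traffic for redirection; deny entries exempt it.
            tok = line.split()
            src, i = _endpoint(tok, 2)
            dst, _ = _endpoint(tok, i)
            if src:
                cur_acl.client_side.add("source")
            if dst:
                cur_acl.client_side.add("destination")
    return acls, services


def parse_show(text):
    """Return {service id: (registered clients, packets redirected)}."""
    stats = {}
    for block in re.split(r"(?=Service Identifier: )", text)[1:]:
        sid = int(re.search(r"Service Identifier: (\d+)", block)[1])
        clients = int(re.search(r"Number of Service Group Clients: (\d+)", block)[1])
        redirected = int(re.search(r"Total Packets Redirected: (\d+)", block)[1])
        stats[sid] = (clients, redirected)
    return stats


# Which ACL side the client must be on for the attached direction to see its traffic:
# on the upstream (firewall-facing) interface client packets leave ("out") and replies
# arrive ("in"); on a client-facing interface it is the reverse.
CLIENT_SIDE_FOR = {"upstream": {"out": "source", "in": "destination"},
                   "client": {"in": "source", "out": "destination"}}


def analyse(acls, services, stats, upstream=("Vlan100",)):
    """`upstream` (assumption) names the interfaces that face the firewall/internet."""
    findings = []
    for sid, svc in sorted(services.items()):
        clients, redirected = stats.get(sid, (0, 0))
        if clients and redirected == 0:
            findings.append(f"service {sid}: {clients} cache(s) registered but 0 packets redirected")
        for ifname, direction in svc.attach:
            role = "upstream" if ifname in upstream else "client"
            want = CLIENT_SIDE_FOR[role][direction]
            sides = acls[svc.acl].client_side if svc.acl in acls else set()
            if want not in sides:
                findings.append(f"service {sid}: ACL {svc.acl} matches the client as "
                                f"{'/'.join(sorted(sides)) or 'nothing'}, but 'redirect {direction}' "
                                f"on {ifname} ({role} side) needs it as {want}")
            if direction == "out":
                findings.append(f"service {sid}: 'redirect out' on {ifname}; several Catalyst switch "
                                "platforms support ingress redirection only, so check the platform's "
                                "WCCP restrictions. The ingress equivalent is 'redirect in' on the "
                                "interface where that traffic enters the switch, with the same ACL")
    return findings


if __name__ == "__main__":
    acls, services = parse_config(CONFIG)
    for line in analyse(acls, services, parse_show(SHOW)):
        print(line)
```

Run against the post's data it produces three lines: both service groups show a registered cache with zero redirected packets, and service 90 is flagged for its egress attachment. The ACL-direction check passes for both groups on the firewall-facing SVI, which is what makes the egress attachment the first thing to verify against the platform's supported directions; if `redirect in` is used instead for client-sourced traffic, it has to sit on the interface where that traffic enters the switch, not on Vlan100.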

assethum (Cisco Employee)

Hello,

A quick suggestion based on my understanding; I may be wrong here. Since the ACL "REDIR_OUT" has the source as the client IP, shouldn't it be applied in the inbound direction on the SVI? Can you try "ip wccp vrf INT 90 redirect in" on interface Vlan100?

Thanks

Ash