12-10-2015 01:35 PM
I am trying to resolve an issue I am seeing with a new installation of a WSA (8.5) and an ASA (9.5.1) running FireSIGHT (5.4.1.4). The WSA, ASA, and FireSIGHT are all operating correctly, but in reviewing the Malware File Trajectory, the only internal device displayed is the WSA. The trajectory, I'm assuming, can't be traced back to the end-host since the WCCP must take place prior to the redirection to FireSIGHT. All HTTP and HTTPS traffic then appears to be coming from the WSA. I'm hoping IP spoofing on the WSA will provide the correct end-host IP in the trajectory.
If anyone could share the configuration on the ASA using the two WCCP configurations required for IP spoofing on the WSA, I would appreciate it. All the configurations I have found online relate to using an IOS router.
Or is this not possible? The ASA seems to only support ingress WCCP.
Accepted Solutions
12-11-2015 06:51 AM
You are correct: ASA does not support IP spoofing for WCCP. If you can read XFF headers, then WSA can insert the client IP into the XFF header.
http://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html
Unsupported Features
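Added example, not part of the original thread and not Cisco code: a sketch of how a log consumer could attribute a request to the end host once the WSA inserts the client IP into XFF, honouring the header only when the connection actually comes from the WSA. The proxy address `10.0.0.5`, the function names and the sample records are constructed assumptions.

```python
import ipaddress

# Assumption: the WSA's address as seen by the log consumer (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(ip):
    """True if ip belongs to a proxy we allow to assert X-Forwarded-For."""
    return any(ip in net for net in TRUSTED_PROXIES)


def original_client(peer_ip, xff_header):
    """Return the address a request should be attributed to.

    XFF is honoured only when the connection peer is a trusted proxy.
    The header is walked right to left, because each proxy appends the
    address it received the request from; entries further left may have
    been supplied by the client and are not trusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    candidate = peer
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last hop we could validate
        candidate = hop
        if not _is_trusted(hop):
            break  # first hop that is not our proxy is the end host
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample records: (connection source, X-Forwarded-For value)
    records = [
        ("10.0.0.5", "192.168.1.23"),             # via WSA, header added by WSA
        ("10.0.0.5", "203.0.113.9, 192.168.1.23"),  # client pre-set a bogus entry
        ("192.168.1.50", "10.9.9.9"),             # direct connection, header ignored
        ("10.0.0.5", ""),                         # WSA not inserting XFF
    ]
    for peer, xff in records:
        print(f"{peer:15} {xff!r:32} -> {original_client(peer, xff)}")
```
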
12-11-2015 08:10 AM
Tommy,
Thank you! That was the documentation I was looking for. Cisco should consider adding that little tidbit to the WSA User Guide ;)
