If you come across a case where the customer wants to configure WCCP in "fail close" mode, that is, if WCCP fails the users should not be able to access anything on port 80, it can be achieved as follows. Per the WCCP configuration, traffic is first subjected to the access-list applied inbound on the interface. Then, if the WCCP server fails to service the request, the traffic is subject to all other security checks on the ASA. The initial assumption is that the traffic will be fully proxied by the WCCP server. Therefore, if we permit 80/443 traffic inbound on the inside interface, but allow it outbound on the outside interface only when sourced from the WCCP server, this should meet the customer's requirement.
We can try the following to achieve this:
1.) On the inside interface, permit all outbound traffic to ports 80 and 443:
access-list inside_access_outbound extended permit tcp any any eq 80
access-list inside_access_outbound extended permit tcp any any eq 443
access-group inside_access_outbound in interface inside
2.) Let's say the WCCP server in the customer's environment has the IP 10.107.1.4. We need to allow ONLY it out to the internet on those ports.
Create a one-to-one static translation as follows (A is the outside/mapped address assigned to the WCCP server):
static (inside,outside) A 10.107.1.4
access-list outside_access_outbound extended permit tcp host A any eq 80
access-list outside_access_outbound extended permit tcp host A any eq 443
access-list outside_access_outbound extended deny tcp any any eq 80
access-list outside_access_outbound extended deny tcp any any eq 443
access-list outside_access_outbound extended permit ip any any
access-group outside_access_outbound out interface outside
The last line is the catch-all that allows other applications to exit the customer's network. Because the two deny entries precede it, any web traffic that the ASA would forward directly when WCCP redirection fails (and which therefore is not sourced from A) is dropped at the outside interface, which is the fail-close behaviour the customer wants.
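To confirm that the outside-interface ACL really behaves as fail-close before deploying it, the following script (an added example, not part of the original post or any Cisco tool) parses the ACEs exactly as written above and evaluates them with ASA first-match semantics. It assumes that the placeholder A is stood in for by the documentation address 203.0.113.4, that directly forwarded client traffic leaves via interface PAT from a different outside address (203.0.113.1), and that the web server address 198.51.100.10 is constructed; the parser supports only the address forms the post uses (any / host X, optional eq PORT).

```python
"""Added example: first-match evaluation of the post's outbound ACL to check the
fail-close property (only the WCCP server's mapped address leaves on 80/443,
other applications still pass). Not code from the original post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the post's placeholder "A" (the static-mapped outside address of
# the WCCP server 10.107.1.4) is stood in for by a documentation address.
MAPPED_A = "203.0.113.4"

# The ACEs exactly as they appear in the post, with A substituted.
OUTSIDE_ACL = """
access-list outside_access_outbound extended permit tcp host A any eq 80
access-list outside_access_outbound extended permit tcp host A any eq 443
access-list outside_access_outbound extended deny tcp any any eq 80
access-list outside_access_outbound extended deny tcp any any eq 443
access-list outside_access_outbound extended permit ip any any
""".replace("host A", f"host {MAPPED_A}")


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp"
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port


def _addr(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume 'any' or 'host X' starting at token index i."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tok[i:])}")


def parse_acl(text: str) -> List[Ace]:
    """Parse 'extended' ACEs limited to the forms used in the post."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        # access-list NAME extended ACTION PROTO SRC... DST... [eq PORT]
        if tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"not an extended ACE: {line}")
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """ASA semantics: the first matching ACE wins; no match is the implicit deny."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if a.src is not None and a.src != src:
            continue
        if a.dst is not None and a.dst != dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def fail_close_check() -> Tuple[str, str, str]:
    """Return verdicts for (WCCP healthy, WCCP failed, non-web application)."""
    aces = parse_acl(OUTSIDE_ACL)
    web = "198.51.100.10"  # constructed internet web server address
    # WCCP healthy: the client was redirected to the proxy, whose own connection
    # leaves the outside interface sourced from its mapped address A.
    wccp_up = evaluate(aces, "tcp", MAPPED_A, web, 80)
    # WCCP failed: the ASA forwards the client directly; assumed to leave via
    # interface PAT, so the source is not A and the deny entry matches.
    wccp_down = evaluate(aces, "tcp", "203.0.113.1", web, 80)
    # A non-web application from the same PAT address still reaches the catch-all.
    other_app = evaluate(aces, "udp", "203.0.113.1", web, 53)
    return wccp_up, wccp_down, other_app


if __name__ == "__main__":
    print(fail_close_check())  # ('permit', 'deny', 'permit')
```

The same evaluator can be pointed at a `show running-config access-list` export to re-check the ordering after later changes; a new permit for port 80 inserted above the deny entries would show up immediately as `wccp_down` flipping to `permit`.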