Kureli Sankar
Cisco Employee
Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1002608

Prerequisite

The ASA must be running a minimum of 7.2.1 code to be able to configure the WCCP feature.

Limitations

  1. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
  2. The Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to that Router-ID address pointing to the ASA's interface.

Topology

(Topology diagram: wccp-topo.png)

How WCCP works

  • The PC makes a request to a website.
  • The ASA receives the request and redirects it to the WCCP server in a GRE-encapsulated packet, so the original packet is not modified.
  • The WCCP server receives the packet and sends the response directly to the PC.

Step by Step Configuration

1. Configure an access-list containing all members of the WCCP server group.

There is only one WCCP server in this example.

ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any

2. Create an access-list of the traffic that needs to be redirected to WCCP.

The access-list argument is a string of no more than 64 characters (name or number) that specifies the access list. The access list should contain only network addresses; port-specific entries are not supported.

ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any

3. Enable WCCP.

ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic

4. Enable WCCP redirection on the inside interface.

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines.

ASA(config)#wccp interface inside web-cache redirect in

5. Enable WCCP to redirect native FTP traffic to a cache engine, using service 60.

Verify with the WCCP provider which service IDs they support. You can specify a service number between 0 and 254. The interface command takes the bare service number, and the service must also be defined globally (wccp 60 ...) in the same way web-cache was defined in step 3.

ASA(config)#wccp interface inside 60 redirect in

Final Configuration Section:


access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any

!
access-list wccp-servers extended permit ip host 192.168.6.10 any

!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in

 

Show commands and debugs:

show wccp web-cache

show wccp interface

debug wccp event

debug wccp packets

Comments
sjanke
Level 1

I suspect that to exclude a host from being redirected by WCCP you would add a "deny" ACE to the ACL wccp-servers?

Jouni Forss
VIP Alumni

Hi,

Yes, you should add source or destination networks as "deny" ACL rules on the "wccp-traffic" ACL.

Be sure to add them at the top of the ACL so they apply to the traffic before the "permit ip any any" type rules.

- Jouni

sjanke
Level 1

You are the best, thanks for the reply.

mulalo.ramutsindela
Community Member

Hi

Jouni Forss

Please can you put your rules for this here?

Thanks

atunin
Cisco Employee

Hi!

Can the ASA support two WCCP groups in the same direction on the same interface?

Hi;

I tested WCCP on my ASA, and when I do the show:

ASA-INTERNET-DRC# sh wccp web-cache

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            149
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     149

Why do the Total Bypassed Packets Received and Total Packets Redirected have the same value?

Thanks.

Lalaina

Shariq Riazi
Level 1

I have two WCCP servers, but at a time only one works and the other doesn't. Do I have to do any special configuration on the firewall? Does it support multiple servers in the same WCCP group?

tabdulla
Level 1

WCCP redirect is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_wccp.html#wp1002608

Shiva Prasad
Level 1

How do I configure the ASA so that all TCP and all UDP traffic is redirected to the WCCP server, instead of just web-cache?

Cheers,

Shiva

nanijjar
Level 1

Hi,

I have two WSA S680s and am wondering whether the ASA can use both, for HA or to load balance between the two WSAs.

Thanks,

Nav

csco12434455
Level 1

Hi, thanks for the information, but I think my own topology is different. I have the ASA firewall, which is connected to the outside interface, and a Cisco router connected to the inside interface of my ASA with this subnet, 192.168.5.0/30, and my inside network from the router is 192.168.1.0/24. Also, the cache engine is in the same subnet as my inside network. So after configuring WCCP on the ASA, this is what I got, and it can't redirect to the cache engine. Please, I need someone to help me. Do I need to do any configuration on the router or further configuration on the ASA before it will redirect HTTP and HTTPS?

omsasa(config)# sh wccp 90

Global WCCP information:
    Router information:
        Router Identifier:                   217.14.85.227
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-users
        Total Connections Denied Redirect:   52208
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

omsasa(config)# sh wccp 70

Global WCCP information:
    Router information:
        Router Identifier:                   217.14.85.227
        Protocol Version:                    2.0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-able
        Total Connections Denied Redirect:   27836
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

This is my wccp configuration on my ASA

omsasa(config)# sh run wccp
wccp 70 redirect-list wccp-able group-list wccp-server
wccp 90 redirect-list wccp-users group-list wccp-server
wccp interface inside 70 redirect in
wccp interface inside 90 redirect in

omsasa(config)# sh run access-list wccp-users
access-list wccp-users remark bypass proxy
access-list wccp-users remark proxy access
access-list wccp-users extended deny ip any any
access-list wccp-users extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18  eq www
access-list wccp-users extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18  eq www

omsasa(config)# sh run access-list wccp-able
access-list wccp-able remark bypass proxy
access-list wccp-able remark proxy access
access-list wccp-able extended deny ip any any
access-list wccp-able extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18 eq https
access-list wccp-able extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18 eq https

Vibhor Amrodia
Cisco Employee

Hi,

All the packets are being denied redirection, as you can see from this counter:

Total Connections Denied Redirect:

This is due to the redirect ACL having deny ip any any above the permit ACEs.

Move the permit ACEs above this and that should resolve the issue.

Thanks and Regards,

Vibhor Amrodia
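A small checker for the two redirect-list mistakes this thread turns up: the port-specific ACEs that step 2 of the post rules out, and the catch-all deny placed above the permits that the reply above diagnoses from the Total Connections Denied Redirect counter. This is an added example, not code from the original post or any Cisco tool; it assumes a simplified ACE grammar (host/any/network-mask addresses, eq/gt/lt/neq/range ports) and uses constructed sample ACLs modelled on the ones in the thread.

```python
import re

# Matches one ASA ACE (simplified grammar, an assumption); remark lines do not match.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)"
    r"(?:\s+(?P<port>(?:eq|gt|lt|neq|range)\b.*))?\s*$"
)

def parse_acl(config_text, acl_name):
    """Return the ACEs of one named ACL, in configured order, skipping remarks."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            aces.append(m.groupdict())
    return aces

def check_redirect_list(config_text, acl_name):
    """Flag the mistakes that stop WCCP redirection on the ASA:
    - port-specific ACEs (the redirect-list takes network addresses only)
    - a 'deny ip any any' above the permits, which shadows them and shows up
      as a climbing 'Total Connections Denied Redirect' counter
    - no permit ACE at all, so nothing is ever redirected"""
    findings = []
    aces = parse_acl(config_text, acl_name)
    catch_all_deny_seen = False
    for i, ace in enumerate(aces, 1):
        if ace["port"]:
            findings.append(f"ACE {i}: port-specific entry '{ace['port']}' is not supported in a redirect-list")
        matches_everything = ace["proto"] == "ip" and ace["src"] == "any" and ace["dst"] == "any"
        if ace["action"] == "deny" and matches_everything:
            catch_all_deny_seen = True
        elif ace["action"] == "permit" and catch_all_deny_seen:
            findings.append(f"ACE {i}: permit is shadowed by an earlier 'deny ip any any'; move it above the deny")
    if not any(a["action"] == "permit" for a in aces):
        findings.append("no permit ACE: nothing will be redirected")
    return findings

# Constructed sample: the clean redirect-list from the post above.
GOOD_CONFIG = "access-list wccp-traffic extended permit ip 192.168.6.0 255.255.255.0 any\n"
# Constructed sample modelled on the ACL posted in the thread: catch-all deny first, port-specific permits.
BAD_CONFIG = """access-list wccp-able remark bypass proxy
access-list wccp-able extended deny ip any any
access-list wccp-able extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.18 eq https
access-list wccp-able extended permit tcp 192.168.5.0 255.255.255.252 host 192.168.1.18 eq https
"""

if __name__ == "__main__":
    for name, cfg in (("wccp-traffic", GOOD_CONFIG), ("wccp-able", BAD_CONFIG)):
        print(name, check_redirect_list(cfg, name) or ["OK"])
```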

rikherlaar
Level 1

Hi,

The accompanying topology is not very clear, to be honest, and your definition of WCCP seems inaccurate to me, because the ASA acts as the server and the cache engine, proxy, WAE etc. is the client.

I also suggest you move your PCs one or two hops behind a campus switch to make it more realistic. The drawing seems to suggest the client PCs need to be on the same segment as the inside interface of the ASA, which is not true to the best of my knowledge; only the WCCP client and server (respectively WAE/WSA and ASA) need to adhere to that requirement.

It would also be good to explain that the ASA is doing everything in software (it can only handle GRE outgoing and return, not L2) and is therefore not a suitable platform for sizable designs. In our experience, around 8000 GRE sessions is about the upper limit; can you confirm this?

regards

/R

Cisco has a new solution called ITD, which is much superior to WCCP.

Please see the blog : ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k

For example, here is a comparison of ITD with WCCP on Nexus switches:

Feature/Benefit                                                                  | N7k WCCP          | N7k ITD
Appliance is unaware of the protocol                                             | No                | Yes
Protocol support                                                                 | IPv4              | IPv4, IPv6
Number of TCAM entries (say, 100 SVI, 8 nodes, 20 ACEs)                         | Very high (16000) | Very low (160)
Weighted load-balancing                                                          | No                | Yes
User can specify which bits to use for load-balancing                            | No                | Yes
Number of nodes                                                                  | 32                | 256
Support for IPSLA probes                                                         | No                | Yes
Support for Virtual IP                                                           | No                | Yes
Support for L4-port load-balancing                                               | No                | Yes
Capability to choose src or dest IP for load-balancing                           | No                | Yes
Customer support needs to look at switch only, or both the switch and appliance  | Both              | Switch only
Supervisor CPU Overhead                                                          | High              | None
DCNM Support                                                                     | No                | Yes

EA,

ITD -might- be a great solution, but the documentation is abysmal, which renders it unusable.
