brianpaul
Level 7

WCCP config causing issues

We have some strange things that seem to occur when redirecting traffic from our ASA firewall using WCCP.  Can someone tell me if there is a problem with our WCCP config?  Any help would be greatly appreciated!  Here's our config...

access-list redirect permit tcp any any eq 443

access-list redirect permit tcp any any eq 80

access-list wccpserver extended permit ip host 10.10.10.11 any

wccp 51 redirect-list redirect group-list wccpserver

wccp interface inside 51 redirect in

0 Kudos
21 Replies
brianpaul
Level 7

Re: WCCP config causing issues

Anyone using WCCP on an ASA?

0 Kudos
jont717
Level 12

Re: WCCP config causing issues

Yes.  On a 5520.  WCCP works great for us.

What issues are you having? 

0 Kudos
brianpaul
Level 7

Re: WCCP config causing issues

We are having issues with XP PCs getting bounced out of https sites.  We have it so that these sites bypass the SSL scanning, but weird things will happen.  For example, initially the certificate will not be the MWG cert (which it shouldn't be because we are bypassing the ssl scanning for the site), but when it times out, then I check the cert and it's the MWG.  Can you show me what your WCCP config looks like?

0 Kudos
jont717
Level 12

Re: WCCP config causing issues

This does not sound like a WCCP issue.  Maybe it is your timeout setting?  We were having timeout issues on HTTPS sites because of authentication.  I had to skip some HTTPS sites from user authentication.

I also upped our TTL timeout to 8 hours.  So our users only authenticate once a day in the morning. 

This works for our environment because we do not share computers.

0 Kudos
jont717
Level 12

Re: WCCP config causing issues

Your settings look right.  But I have 2 different service numbers.

One is 51, that is for HTTP

One is 53, that is for HTTPS

My only difference is this

access-list redirect permit tcp any any eq https

access-list redirect permit tcp any any eq www

0 Kudos
chisro
Level 7

Re: WCCP config causing issues

I am trying to implement the gateway with wccp on a 5520 also.

Did you have to put in an access list for inbound AND outbound traffic to get it to work?

I am seeing the 'Here I Am' and the 'I See You' messages but I don't seem to be getting to the internet.

Thanks

0 Kudos
jont717
Level 12

Re: WCCP config causing issues

As long as you see them you should be all set. 

What are your settings in the ASA?  How are you trying to push the traffic there?

0 Kudos
chisro
Level 7

Re: WCCP config causing issues

As you can see, I have one PC that I am using for testing.

I have the redirect in, as stated in best practices.

wccp interface INSIDE 51 redirect in
wccp 51 redirect-list MCAFEE-FORWARD-HTTP group-list MCAFEE-ALLOW
object-group network MCAFEE_WEBWASHERS
access-list inside_in extended permit tcp object-group MCAFEE_WEBWASHERS any eq www
access-list MCAFEE-ALLOW extended permit ip object-group MCAFEE_WEBWASHERS any

access-list MCAFEE-FORWARD-HTTP extended deny ip object-group MCAFEE_WEBWASHERS any

access-list MCAFEE-FORWARD-HTTP extended permit tcp host 17.x.x.x any eq www

access-list MCAFEE-FORWARD-HTTPS extended deny ip object-group MCAFEE_WEBWASHERS any

access-list MCAFEE-FORWARD-HTTPS extended permit tcp host 17.x.x.x any eq https



Does this make sense?

0 Kudos
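An added example, not part of any post in this thread: a small Python check that reads ASA configuration text like the excerpt above, confirms that each WCCP service's redirect-list and group-list ACLs exist and that the service is applied to an interface, and reports which TCP ports are actually redirected. The function name, the `expected` parameter and the wording of the findings are assumptions of this example; the sample is the configuration as posted, with the repeated lines omitted.

```python
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}

def lint_wccp(config, expected=(80, 443)):
    """Return (findings, ports); ports maps interface -> redirected TCP ports."""
    acls, services, bindings, findings, ports = {}, {}, [], [], {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and len(tok) > 2:
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:2] == ["wccp", "interface"] and len(tok) >= 4:
            bindings.append((tok[2], tok[3]))                   # (interface, service id)
        elif tok[:1] == ["wccp"] and len(tok) >= 2:
            services[tok[1]] = dict(zip(tok[2::2], tok[3::2]))  # option -> ACL name
    bound = {sid for _, sid in bindings}
    for sid, opts in services.items():
        for kind in ("redirect-list", "group-list"):
            if kind in opts and opts[kind] not in acls:
                findings.append(f"service {sid}: {kind} {opts[kind]} is not defined")
        if sid not in bound:
            findings.append(f"service {sid}: not applied to any interface")
    for iface, sid in bindings:
        if sid not in services:
            findings.append(f"interface {iface}: service {sid} is not defined")
            continue
        seen = ports.setdefault(iface, set())
        for ace in acls.get(services[sid].get("redirect-list"), []):
            # Only ACEs of the form "... permit ... eq <port>" are evaluated here.
            if "permit" in ace and ace[-2:-1] == ["eq"]:
                p = ace[-1]
                seen.add(int(p) if p.isdigit() else NAMED_PORTS.get(p, p))
    findings += [f"interface {i}: tcp/{p} is not redirected"
                 for i, seen in ports.items() for p in expected if p not in seen]
    return findings, ports

# Configuration as posted above (repeated lines omitted).
SAMPLE = """\
wccp interface INSIDE 51 redirect in
wccp 51 redirect-list MCAFEE-FORWARD-HTTP group-list MCAFEE-ALLOW
access-list MCAFEE-ALLOW extended permit ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTP extended deny ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTP extended permit tcp host 17.x.x.x any eq www
access-list MCAFEE-FORWARD-HTTPS extended deny ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTPS extended permit tcp host 17.x.x.x any eq https
"""

if __name__ == "__main__":
    print(lint_wccp(SAMPLE))
```

On the posted excerpt this reports that only tcp/80 is redirected on INSIDE: the MCAFEE-FORWARD-HTTPS list is defined but no `wccp` service statement references it.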
jont717
Level 12

Re: WCCP config causing issues

Are you getting hits on MCAFEE-ALLOW?

0 Kudos