21 Replies. Latest reply on Jul 26, 2012 3:01 PM by jont717

    WCCP config causing issues

      We have some strange things that seem to occur when redirecting traffic from our ASA firewall using WCCP.  Can someone tell me if there is a problem with our WCCP config?  Any help would be greatly appreciated!  Here's our config...

       

      access-list redirect permit tcp any any eq 443

      access-list redirect permit tcp any any eq 80

      access-list wccpserver extended permit ip host 10.10.10.11 any

      wccp 51 redirect-list redirect group-list wccpserver

      wccp interface inside 51 redirect in

        • 1. Re: WCCP config causing issues

          Anyone using WCCP on an ASA?

          • 2. Re: WCCP config causing issues
            jont717

            Yes.  On a 5520.  WCCP works great for us.

             

            What issues are you having? 

            • 3. Re: WCCP config causing issues

              We are having issues with XP PCs getting bounced out of https sites.  We have it so that these sites bypass the SSL scanning, but weird things will happen.  For example, initially the certificate will not be the MWG cert (which it shouldn't be because we are bypassing the ssl scanning for the site), but when it times out, then I check the cert and it's the MWG.  Can you show me what your WCCP config looks like?

              • 4. Re: WCCP config causing issues
                jont717

                This does not sound like a WCCP issue.  Maybe it is your timeout setting?  We were having timeout issues on HTTPS sites because of authentication.  I had to skip some HTTPS sites from user authentication.

                 

                I also upped our TTL timeout to 8 hours.  So our users only authenticate once a day in the morning. 

                 

                This works for our environment because we do not share computers.

                • 5. Re: WCCP config causing issues
                  jont717

                  Your settings look right.  But I have 2 different service numbers.

                   

                  One is 51, that is for HTTP

                  One is 53, that is for HTTPS

                   

                  My only difference is this

                   

                  access-list redirect permit tcp any any eq https

                  access-list redirect permit tcp any any eq www

                  • 6. Re: WCCP config causing issues

                    I am trying to implement the gateway with wccp on a 5520 also.

                    Did you have to put in an access list for inbound AND outbound traffic to get it to work?

                    I am seeing the 'here i am' and the 'I see you' messages but I don't seem to be getting to the internet.

                    Thanks

                    • 7. Re: WCCP config causing issues
                      jont717

                      As long as you see them you should be all set. 

                       

                      What are your settings in the ASA?  How are you trying to push the traffic there?

                      • 8. Re: WCCP config causing issues

                        As you can see, I have one PC that I am using for testing.

                        I have the redirect in, as stated in best practices.

                         

                        wccp interface INSIDE 51 redirect in
                        wccp 51 redirect-list MCAFEE-FORWARD-HTTP group-list MCAFEE-ALLOW
                        object-group network MCAFEE_WEBWASHERS
                        access-list inside_in extended permit tcp object-group MCAFEE_WEBWASHERS any eq www
                        access-list MCAFEE-ALLOW extended permit ip object-group MCAFEE_WEBWASHERS any

                        access-list MCAFEE-FORWARD-HTTP extended deny ip object-group MCAFEE_WEBWASHERS any

                        access-list MCAFEE-FORWARD-HTTP extended permit tcp host 17.x.x.x any eq www

                        access-list MCAFEE-FORWARD-HTTPS extended deny ip object-group MCAFEE_WEBWASHERS any

                        access-list MCAFEE-FORWARD-HTTPS extended permit tcp host 17.x.x.x any eq https



                         

                        Does this make sense?
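A consistency check for WCCP statements like the ones posted in this thread, as an added example that is not part of any poster's reply: it cross-references each `wccp` service against the access-lists and object-groups present in the same snippet. The function name and finding messages are this example's own, the input is the configuration from reply 8 with its masked `17.x.x.x` address kept as posted, and "not used" only means not used within the lines supplied.

```python
import re

# Constructed input: the configuration lines from reply 8, duplicates removed.
REPLY_8 = """\
wccp interface INSIDE 51 redirect in
wccp 51 redirect-list MCAFEE-FORWARD-HTTP group-list MCAFEE-ALLOW
object-group network MCAFEE_WEBWASHERS
access-list inside_in extended permit tcp object-group MCAFEE_WEBWASHERS any eq www
access-list MCAFEE-ALLOW extended permit ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTP extended deny ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTP extended permit tcp host 17.x.x.x any eq www
access-list MCAFEE-FORWARD-HTTPS extended deny ip object-group MCAFEE_WEBWASHERS any
access-list MCAFEE-FORWARD-HTTPS extended permit tcp host 17.x.x.x any eq https
"""

def lint_wccp(config):
    """Cross-check WCCP statements against the ACLs and object-groups in a snippet."""
    acls, used, groups, services, bound = set(), set(), {}, {}, []
    group = None                      # object-group whose member lines we are inside
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] in ("network-object", "group-object") and group:
            groups[group] += 1        # member line of the current object-group
            continue
        group = None
        if tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[:2] == ["object-group", "network"]:
            group = tok[2]
            groups.setdefault(group, 0)
        elif tok[:2] == ["wccp", "interface"]:
            bound.append((tok[2], tok[3]))          # (interface, service number)
        elif tok[0] == "wccp":
            services[tok[1]] = re.findall(r"(redirect-list|group-list) (\S+)", line)
            used.update(name for _, name in services[tok[1]])
        elif tok[0] == "access-group":
            used.add(tok[1])
    out = [f"service {s}: {kind} {name} is not defined"
           for s, refs in services.items() for kind, name in refs if name not in acls]
    out += [f"interface {i}: service {s} is not defined" for i, s in bound if s not in services]
    out += [f"access-list {a} is defined but not used by wccp or access-group"
            for a in sorted(acls - used)]
    out += [f"object-group {g} has no members" for g, n in groups.items() if n == 0]
    return out

if __name__ == "__main__":
    print("\n".join(lint_wccp(REPLY_8)))
```

On the reply 8 lines this reports that `MCAFEE-FORWARD-HTTPS` is not attached to any WCCP service and that `MCAFEE_WEBWASHERS` has no members in what was posted; the opening post's five lines produce no findings.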

                        • 9. Re: WCCP config causing issues
                          jont717

                          Are you getting hits on MCAFEE-ALLOW?
