1036 Views, 2 Replies. Latest reply: Dec 13, 2012 9:10 AM by wspek
wspek (Newcomer, 2 posts since Dec 12, 2012)
Dec 12, 2012 9:40 AM

ASA + WCCP + MWG - cannot get it to work

Hi all,

I am trying to configure the following:

  • ASA firewall (10.0.1.2 on inside interface, 192.168.20.242 on outside)
  • Windows PC (10.0.1.4) behind the inside interface on VLAN 18 (10.0.1.0/24)
  • MWG (10.0.1.3) behind that same interface on VLAN 18 (10.0.1.0/24)
  • WCCP on ASA, so HTTP(S) traffic from PC gets redirected through MWG towards the internet.

I followed these links, and tried to combine them into a working solution:

https://supportforums.cisco.com/docs/DOC-12623
https://kc.mcafee.com/corporate/index?page=content&id=KB63018

But I am stuck. My current config on the ASA:

sh run
: Saved
:
ASA Version 8.0(4)
!
hostname TestASA
domain-name test.loc
enable password pLtl8QpOvBmee4.r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan18
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 192.168.20.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 17
!
interface Ethernet0/2
 switchport access vlan 19
!
interface Ethernet0/3
 switchport access vlan 18
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.loc
access-list acl_in extended permit icmp any any echo log
access-list acl_in extended permit icmp any any echo-reply log
access-list acl_in extended permit ip host 10.0.1.3 any
access-list acl_in extended permit ip host 10.0.1.4 any log
access-list acl_out extended permit tcp any any eq www
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq telnet
access-list acl_out extended permit icmp any any echo log
access-list acl_out extended permit icmp any any echo-reply log
access-list acl_out extended permit ip any any log
access-list outside_access_in extended permit ip any any
access-list wccp-servers extended permit ip host 10.0.1.3 any
access-list wccp-traffic extended permit ip 10.0.1.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
access-group acl_in in interface inside
access-group outside_access_in in interface outside
access-group acl_out out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.18.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 outside
ssh 192.168.64.0 255.255.255.0 outside
ssh 192.168.66.0 255.255.255.0 outside
ssh 192.168.73.0 255.255.255.0 outside
ssh 192.168.74.0 255.255.255.0 outside
ssh 192.168.76.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
username woody password 5CZn8bTKqMGMtL01 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:67bb2646cb53e475efd93171d10b07c0
: end


Please see the attached screenshots for my MWG config.

My OUTPUT of the # debug wccp events command:

WCCP-EVNT:???: Here_I_Am packetfrom 10.0.1.3: no such service (Type: Dynamic,Id: 51)

-----------

It seems that I am still missing components. A service? Where and how should I define service 51?

Kind regards
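As an added troubleshooting example, not part of the original post: this Python script takes the WCCP-relevant lines from the running config above plus the debug wccp events line, and checks whether the service ID the MWG announces in its Here_I_Am (51) has a matching wccp definition and interface redirect on the ASA. The config above only defines the well-known web-cache service (0), so the dynamic service 51 is rejected; the two suggested lines use standard ASA wccp syntax and assume the existing wccp-traffic and wccp-servers ACLs are reused (the group-list keeps registration limited to the MWG host).

```python
import re
# Constructed excerpt: only the WCCP-relevant lines from the running config in the post.
ASA_CONFIG = """\
access-list wccp-servers extended permit ip host 10.0.1.3 any
access-list wccp-traffic extended permit ip 10.0.1.0 255.255.255.0 any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
"""

# The 'debug wccp events' line quoted in the post.
DEBUG_EVENT = "WCCP-EVNT:???: Here_I_Am packetfrom 10.0.1.3: no such service (Type: Dynamic,Id: 51)"

def service_id(token):
    # 'web-cache' is the well-known WCCP service 0; anything else is a numeric (dynamic) id.
    return 0 if token == "web-cache" else int(token)

def configured_services(config):
    """Map each service defined with 'wccp <id>' to the interfaces that redirect into it."""
    services = {}
    for line in config.splitlines():
        m = re.match(r"wccp (web-cache|\d+)(?:\s|$)", line)
        if m:
            services.setdefault(service_id(m.group(1)), set())
            continue
        m = re.match(r"wccp interface (\S+) (web-cache|\d+) redirect in", line)
        if m:
            services.setdefault(service_id(m.group(2)), set()).add(m.group(1))
    return services

def parse_here_i_am(event):
    """Return (engine_ip, service_id) from a 'Here_I_Am packet from ...' debug line."""
    m = re.search(r"Here_I_Am packet\s*from (\S+):.*Id: (\d+)", event)
    return (m.group(1), int(m.group(2))) if m else None

def diagnose(config, event):
    """Compare the service the cache engine announces with what the ASA has defined."""
    peer, sid = parse_here_i_am(event)
    services = configured_services(config)
    result = {"peer": peer, "service": sid}
    if sid not in services:
        # Standard ASA 'wccp' syntax (assumed); reuses the two ACLs already in the config.
        result["status"] = "undefined"
        result["fix"] = [f"wccp {sid} redirect-list wccp-traffic group-list wccp-servers",
                         f"wccp interface inside {sid} redirect in"]
    elif not services[sid]:
        result["status"] = "defined but not redirected on any interface"
    else:
        result["status"] = "ok"
        result["interfaces"] = sorted(services[sid])
    return result
```

The service number on the ASA must equal the one the MWG is configured to advertise, and if the MWG side sets a WCCP password the ASA wccp line needs the matching password keyword as well.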
