2 Replies Latest reply: Dec 13, 2012 9:10 AM by wspek

    ASA + WCCP + MWG - cannot get it to work

    wspek

      Hi all,

      I am trying to configure the following:

      • ASA firewall (10.0.1.2 on inside interface, 192.168.20.242 on outside)
      • Windows PC (10.0.1.4) behind the inside interface on VLAN 18 (10.0.1.0/24)
      • MWG (10.0.1.3) behind that same interface on VLAN 18 (10.0.1.0/24)
      • WCCP on ASA, so HTTP(S) traffic from the PC gets redirected through the MWG towards the internet.

      I followed these links and tried to combine them into a working solution:

      https://supportforums.cisco.com/docs/DOC-12623

      https://kc.mcafee.com/corporate/index?page=content&id=KB63018

      But I am stuck. My current config on the ASA:

       

      sh run
      : Saved
      :
      ASA Version 8.0(4)
      !
      hostname TestASA
      domain-name test.loc
      enable password pLtl8QpOvBmee4.r encrypted
      passwd 2KFQnbNIdI.2KYOU encrypted
      names
      !
      interface Vlan18
      nameif inside
      security-level 100
      ip address 10.0.1.2 255.255.255.0
      !
      interface Vlan20
      nameif outside
      security-level 0
      ip address 192.168.20.242 255.255.255.0
      !
      interface Ethernet0/0
      switchport access vlan 20
      !
      interface Ethernet0/1
      switchport access vlan 17
      !
      interface Ethernet0/2
      switchport access vlan 19
      !
      interface Ethernet0/3
      switchport access vlan 18
      !
      interface Ethernet0/4
      !
      interface Ethernet0/5
      !
      interface Ethernet0/6
      !
      interface Ethernet0/7
      !
      ftp mode passive
      dns server-group DefaultDNS
      domain-name test.loc
      access-list acl_in extended permit icmp any any echo log
      access-list acl_in extended permit icmp any any echo-reply log
      access-list acl_in extended permit ip host 10.0.1.3 any
      access-list acl_in extended permit ip host 10.0.1.4 any log
      access-list acl_out extended permit tcp any any eq www
      access-list acl_out extended permit tcp any any eq https
      access-list acl_out extended permit tcp any any eq telnet
      access-list acl_out extended permit icmp any any echo log
      access-list acl_out extended permit icmp any any echo-reply log
      access-list acl_out extended permit ip any any log
      access-list outside_access_in extended permit ip any any
      access-list wccp-servers extended permit ip host 10.0.1.3 any
      access-list wccp-traffic extended permit ip 10.0.1.0 255.255.255.0 any
      pager lines 24
      logging enable
      logging buffered debugging
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      icmp unreachable rate-limit 1 burst-size 1
      asdm image disk0:/asdm-615.bin
      asdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 1 10.0.1.0 255.255.255.0
      access-group acl_in in interface inside
      access-group outside_access_in in interface outside
      access-group acl_out out interface outside
      route outside 0.0.0.0 0.0.0.0 192.168.20.254 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      dynamic-access-policy-record DfltAccessPolicy
      aaa authentication ssh console LOCAL
      http server enable
      http 10.0.1.0 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec security-association lifetime seconds 28800
      crypto ipsec security-association lifetime kilobytes 4608000
      telnet timeout 5
      ssh 192.168.18.0 255.255.255.0 inside
      ssh 10.0.1.0 255.255.255.0 inside
      ssh 192.168.20.0 255.255.255.0 outside
      ssh 192.168.64.0 255.255.255.0 outside
      ssh 192.168.66.0 255.255.255.0 outside
      ssh 192.168.73.0 255.255.255.0 outside
      ssh 192.168.74.0 255.255.255.0 outside
      ssh 192.168.76.0 255.255.255.0 outside
      ssh timeout 5
      console timeout 0
      threat-detection basic-threat
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      wccp web-cache redirect-list wccp-traffic group-list wccp-servers
      wccp interface inside web-cache redirect in
      username woody password 5CZn8bTKqMGMtL01 encrypted
      !
      class-map inspection_default
      match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
        message-length maximum 512
      policy-map global_policy
      class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect netbios
        inspect rsh
        inspect rtsp
        inspect skinny
        inspect esmtp
        inspect sqlnet
        inspect sunrpc
        inspect tftp
        inspect sip
        inspect xdmcp
      !
      service-policy global_policy global
      prompt hostname context
      Cryptochecksum:67bb2646cb53e475efd93171d10b07c0
      : end

      Please see the attached screenshots for my MWG config.

      My OUTPUT of the # debug wccp events command:

      WCCP-EVNT:???: Here_I_Am packetfrom 10.0.1.3: no such service (Type: Dynamic,Id: 51)

      -----------

      It seems that I am still missing components. A service? Where and how should I define service 51?

      Kind regards
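As an added example (not part of the post, and not Cisco or McAfee code), a small Python check that parses the ASA's `wccp` lines and the rejected Here_I_Am announcement from `debug wccp events`, then reports service-group mismatches between what the cache engine announces and what the ASA defines and binds. It assumes the standard WCCP mapping of `web-cache` to service group 0 and treats numeric ids as dynamic service groups; the sample inputs are constructed from the lines quoted in the post.

```python
import re

# Constructed sample input: only the WCCP lines from the running config in the
# post and the single "debug wccp events" line it quotes.
ASA_WCCP_CONFIG = """\
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
"""
WCCP_DEBUG = """\
WCCP-EVNT:???: Here_I_Am packetfrom 10.0.1.3: no such service (Type: Dynamic,Id: 51)
"""

# Assumption: "web-cache" is WCCP well-known service group 0; numeric ids are dynamic groups.
SERVICE_RE = re.compile(r"^\s*wccp\s+(web-cache|\d+)\b")
BINDING_RE = re.compile(r"^\s*wccp\s+interface\s+(\S+)\s+(web-cache|\d+)\s+redirect\s+in\b")
HERE_I_AM_RE = re.compile(
    r"Here_I_Am packet\s*from\s+(\S+?):\s*no such service\s*\(Type:\s*(\w+),\s*Id:\s*(\d+)\)")


def service_id(token):
    """Map a config token to its numeric WCCP service group id."""
    return 0 if token == "web-cache" else int(token)


def parse_asa_wccp(config_text):
    """Return (defined service ids, {(interface, service id)} bound for inbound redirection)."""
    defined, bound = set(), set()
    for line in config_text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bound.add((m.group(1), service_id(m.group(2))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            defined.add(service_id(m.group(1)))
    return defined, bound


def parse_here_i_am(debug_text):
    """Collect (cache address, service id) from Here_I_Am announcements the ASA rejected."""
    return {(m.group(1), int(m.group(3))) for m in HERE_I_AM_RE.finditer(debug_text)}


def audit_wccp(config_text, debug_text):
    """Cross-check what the caches announce against what the ASA defines and binds."""
    defined, bound = parse_asa_wccp(config_text)
    announced = parse_here_i_am(debug_text)
    findings = []
    for host, sid in sorted(announced):
        if sid not in defined:
            findings.append(f"{host} announces service {sid}; ASA defines only {sorted(defined)}")
    for sid in sorted(defined):
        if sid not in {s for _, s in bound}:
            findings.append(f"service {sid} is defined but not bound to any interface")
    return {"defined": defined, "bound": bound, "announced": announced, "findings": findings}
```

On the post's config the check reports that 10.0.1.3 announces dynamic service 51 while the ASA only defines service 0 (web-cache), which is exactly what the debug line says; both sides have to agree on one service group id before the ASA will accept the cache into the group.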