Asa can only support wccpv2 with gre, not wccpl2 mode and wccp redirection does not work when repeater and client network are behind different interfaces of the redirecting asa. I want to configure wccp to redirect the wireless client traffic on vlan 100 to go to our proxy server. Wccp is a method by which the asa can redirect traffic to a wccp caching engine through a generic routing encapsulation gre tunnel. This document describes concepts, limitations, and configuration of the web cache coordination protocol wccp on a cisco adaptive security appliance asa. When a site is bypassed in websense content gateway, the proxy will forward the client request with the original source ip address. The wccp ces such as bluecoat are to define a set of protocols and ports. When setting up wccp with a cisco asa device both the source traffic and the rocket will need to be behind the same interface of the asa.
Due to the secure nature of cisco firewalls, they treat each interface as a separate security zone. Wccp v2 and the content gateway configuration handles node failures and restarts. I assume that i need to enable wccp on our core, and apply a policy to vlan 100. Since i have a firewall between my nexus and web proxy server gre is the only way here. In this case, the wccp caching engine is the barracuda web security gateway.
The wccp ces such as bluecoat are to define a set of protocols and ports that are. The network infrastructure redirects the traffic wccp. This article focuses on configuring the asa for a wccp deployment with the. Thanks for contributing an answer to network engineering stack exchange. Transparency of deployment without endpoint configuration. I cant recall exactly the features on the bluecoat but the below includes the settings that were customized. Wccp is a method by which a cisco adaptive security appliance asa firewall can redirect traffic to a wccp caching engine through a generic routing encapsulation gre tunnel. The purpose of web caching is to reduce latency and network traffic. The sgs are on the inside network behind our asa which is the firewall and vpn concentrator.
When you are implementing wccp it shouldnt be inline. By default it is simply highest ip found on a device, or if loopcacks exist highest ip of loopback interface. View doug schaefers professional profile on linkedin. In a content gateway cluster, it is recommended that you not enable virtual ip failover in wccp environments.
Iwsva supports web cache communication protocol wccp version 2, a protocol defined by cisco systems. Hi, i am facing some issue with bluecoat for caching. Please note the inside in the activation command above is the name of the virtual interface on cisco asa default vlan1. Configuring wccp lightspeed systems community site. For more information on wccp redundancy and other advanced configuration options, see the blue coat wccp reference guide. Web cache communication protocol wccp is a ciscodeveloped content routing protocol. Blue coat wccp placement network engineering stack exchange. Very important passage from the ciscomanual the only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance. Wccp sample configuration for cisco firewalls forcepoint. We have wccp setup on the branch end on the cisco asa.
Ive setup wccp to redirect to 2 bluecoat sgs using an access list that includes both proxies. If you need to use a specific gateway to access to the asa, define the gateway in the route field. Before you begin configuring wccp, check the documentation that came with your routerswitch to ensure that it supports. Configuring wccp v2 with websense content gateway the web. See your cisco product documentation for more information on the protocol. Configexamplesinterceptciscoasawccp2 squid web proxy wiki. Configuring wccp on the proxysg enabling wccp enabling wccp from the. Astaro or bluecoat proxysg but you can also use a software based proxy server, i decided.
Cisco firewall service modules fwsms do not support wccp. Configuring wccp with cisco asa and websense content gateway duration. Hi, we have a requirement to divert web traffic to blue coat proxy through firewall. Hi ben, i havent tried it but it seems to be possible. When you configure wccp for use with the hot standby router protocol hsrp, you must configure the wae with the hsrp or the virtual router redundancy protocol vrrp virtual router address as its default gateway, and the wae wccp routerlist with the primary address of the routers in the hsrp group.
The web cache communication protocol wccp is a cisco developed routingprotocol to maintain a transparent redirection of designateor certain. The asa does show its sending requests, but the 410 only shows addresses in the log and the client pc just spins and times out trying to. Please keep in mind the fp and asa are two logically separate device even though fp is physical hosted inside an asa as a software service or hardware module. Im thinking this might be an issue with gre and the routing id, so ive modified the access list on the inside interface facing the proxies t. When i do the wccp configuration on normal switch it works fine.
Help me get wccp working between cisco and blue coat. Hi, ive recently started testing a setup using wccp v2 on cisco routers with squid. Ive seen wccp used with squid proxy servers, blue coat web caching and content filtering appliances, and cisco content caching engines. Additionally, not every wccpcapable router supports the same versions and feature sets. Previouslyaccessed web pages are stored in a cache buffer, so if users need the. Cloudbridge wccp and ipsec branch repeater discussions. Wccp is available on select cisco routers and switches only. If you setup wccp redirection for another virtual interface please put the correct name here. Cisco firewall asa 5512 wccp configuration with web filter. Wccp is a method by which the asa can redirect traffic to a wccp caching.
The following are the benefits gained when iwsva supports wccp. All 3 hosts, asa gateway and 2 proxies are in the same vlan. Filtering remote users with websense remote filtering software v7. Yes, l2 has less overhead but you shouldnt notice it with a 2800. I cant see your topology out of your question but if the asa is in the path between the clients and. Im experiencing constant repeating service lost issues. Now lets associate the acl with the the transparent redirection. See ciscos asa 5500 series configuration guide for further detail. All right, title and interest in and to the software and documentation are and shall remain the exclusive property of blue coat. As you may know wccp can operate in l2 or gre mode. Linkedin is the worlds largest business network, helping professionals like doug schaefer discover inside connections to recommended job. Best practice of wccp implementation with blue coat. If youre using a wccp enabled router, see wccp deployment.
Wccp deployment with the cisco asa barracuda campus. The cli allows you to perform the superset of configuration and management tasks. The router and the steelhead use wccp service groups 61 and 62. This wccp sample configuration can be modified to work on a cisco pix or asa firewall. Whilst pfsense can be a router only, it generally has resources too, so can actually be a real icp node via squid im not too hot on this, but wasnt wccp just created in order for cisco to sell more boxes to enterprise because it didnt have computational and or storage at the time. Web cache control protocol wccp, used in cisco asa, asr and catalyst switches policy based routing.
However, if a content gateway cluster uses wccp exclusively, virtual ip failover can be used if no user authentication features are used. Now that asa doesnt support pbr to accomplish this, how can w. We are using wccp between the asa and sgs for transparent proxying. Wccp sucks on asa, cisco even admits it, and its a pain in the rear to implement. Prerequisites requirements cisco recommends that you. There is a limitation with the wccp implementation in the cisco asa. Hi we are experiencing an issue with the cloudbridge optimizing traffic and also finding partners. The design is as follows ipsec between 2 asas, we have setup the options 2431. If you change the forward or return method configuration while there is an active connection with the wccp device, in order to renegotiated the method you must force the current connection to terminate.
As to ipsec vpn tunnel implementation on cisco devices, there are crypto ipsec and crypto isakmp statements on any commands that relate to ipsec vpn tunnel configuration on either cisco router. Find answers to help me get wccp working between cisco and blue coat from the expert community at experts exchange. Cisco roll out a bluecoat as a wccp for a asa 5520. Blue coat systems reference guide wccp reference guide for sgos 5. All right, title and interest in and to the software and. Asa crashes with wccp configured and huge ipv6 packets which require fragmentation are redirected to web cache engine. Redirection limitations for wccp on cisco asa forcepoint. Place your bluecoat thats doing wccp anywhere in your network provided the asa can route to it. It has builtin load balancing, scaling, fault tolerance, and serviceassurance failsafe mechanisms. Cisco asa wccp configuration guidelines to bluecoat proxysg heres what we used. Configure wccp on your cisco ios router techrepublic. Additionally, not every wccp capable router supports the same versions and feature sets. Select the main network interface that will handle the gre tunnel. In this example, as long as the steelhead interface is a member of all of the service groups, and the service groups include all of the interfaces on all of the paths to and from the wan, it does not matter whether a single service group or multiple service groups are configured.
To configure wccp you must first configure it on the rocket web filter and then configure your network devices, such as cisco asas. I am currently trying to enable wccp between a cisco asa 5512 firewall and barraccuda webfilter 410 vx applicance. Doug schaefer warrington, pennsylvania professional. Web cache communication protocol wccp is a ciscodeveloped contentrouting protocol. Tech pillar is your online directory to compare blue coat proxysg 200 vs cisco wsa s690x. This limitation gives that your clients needs to be at the same firewallleg as the wccpproxy. Users can access the internet but when i configure wccp on asa the i cant see any traffic redirected. Now you should know, that a wccp enabled router has something called wccp router identifier. Select the generic routing encapsulation gre or layer 2 l2 for wccp forwarding method. Solved asa 5505 with squid and wccp cisco spiceworks. I have a cisco 4500 core, 3750s at the edge and then some wireless aps which wifi clients connect too. I have vlan 100 which wireless clients access via the aps. This line shown below creates the access list used to define the proxy. Im able to direct traffic to my barracuda 410 just fine.
On most cisco platforms capable of wccp, gre encapsulation is going to be done in software by the cpu this. Web cache communication protocol wccp is a content routing protcol that allows utilization of cisco cache engines or other caches running wccp to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Due to limitations for the asa, it cannot route traffic for redirection between interfaces. Redirection fails when using wccp on a cisco asa branch. Configure wccp redirection to squid on cisco asa web. The wccp forwarding method determines how intercepted traffic is transmitted from the wccp server ios to the wccp client. The asa firewall redirecting the traffic is above the proxy.
Typically, this means turning off the service group on the wccp device for 60 seconds. Web cache communication protocol wccp is a ciscodeveloped contentrouting protocol that provides a mechanism to redirect traffic flows in realtime. Between greipsec and ipsec vpn tunnels cisco forum faq. Cisco asa wccp configuration guidelines to bluecoat. Ive done this a few times for acquisitions that we wanted to secure but didnt want to redo their whole network. Choose the ciscos web cache coordination protocol tab. Cisco firewall asa 5512 wccp configuration with web filter oct 31, 2012. It allows a router running linux to redirect web traffic to a group of squid servers using wccp as the monitoringcontroling protocol. Web cache communication protocol wccp is a content routing protcol that allows utilization of cisco cache engines or other caches.
986 1587 1493 1097 1508 658 176 960 171 886 124 250 31 1473 966 533 979 1612 89 747 9 1081 841 1363 1247 1581 1247 938 1051 930 1029 703 734 1198 906 376 1322 293 783 644