Configuring WCCP on ASA Appliance

The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing technology that allows you to integrate cache engines (such as the Cisco Cache Engine 550) into your network infrastructure. Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the WCCP.

Adding “Web Cache” Service Group via ASDM

 

  1. Log into the ASA via ASDM
  2. Click on Configuration → Device Management → Advanced → WCCP → Service Groups
  3. Click on Add
  4. Click on Web Cache
  5. Select or Create Redirection List – this is traffic that is allowed to access the internet
  6. Click on Manage to create a new list

  7. Click on Add
  8. Click on Add ACL
  9. Enter Name – WCCP_Internet_Traffic
  10. Click OK

  11. Select newly created ACL
  12. Click on Add
  13. Click on ACE

  14. Create rule to Deny all private IP addresses

  15. Click OK

  16. Verify that newly created ACL is still selected
  17. Click on Add
  18. Click on ACE

  19. Note the protocol is TCP ONLY.

  20. Click OK and you will be dropped back to the initial window.
  21. From the drop down box, select the newly created Redirect List

  22. The Group List is a list of IronPort(s) to be used.
  23. To create a new list, click on the “Manage” corresponding to the Group List
  24. Click on Add
  25. Click on Add ACL
  26. Enter Name (WCCP_IronPorts)

  27. Click on OK
  28. Select newly created ACL
  29. Click on Add
  30. Click on ACE

  31. Permit the IP address or name of the IronPorts as the source with Any destination using the IP protocol

  32. Click on OK

  33. Click OK and you will be dropped back to the initial window.
  34. From the drop down box, select the newly created Group List
  35. Enter Password twice to confirm – this password will be needed again when configuring the IronPort.

  36. Click on OK again to complete configuration

  37. Summary of configuration

 

Adding the “Web Cache” Redirection via ASDM

 

This is where the traffic is actually diverted to the WSA appliance.

  1. Log into the ASA via ASDM
  2. Click on Configuration → Device Management → Advanced → WCCP → Redirection
  3. Click on Add
  4. Select the LAN or inside interface as the interface you would like to run it on.
  5. Select the newly created Web-Cache service as the Service Group

  6. Click OK

  7. Click on Apply to submit all configuration
  8. Save configuration

CLI Configuration of the above

 

object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object host 10.10.10.111
 network-object host 10.10.10.112
access-list WCCP_IronPorts line 1 extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list WCCP_Internet_Traffic line 1 remark Deny all Private IP Address – This should be process locally.
access-list WCCP_Internet_Traffic line 2 extended deny ip any object-group DM_INLINE_NETWORK_1
access-list WCCP_Internet_Traffic line 3 extended permit tcp any any
wccp web-cache redirect-list WCCP_Internet_Traffic group-list WCCP_IronPorts
wccp interface inside web-cache redirect in
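
An added example, not from the original article: a Python check that audits the WCCP lines of an ASA configuration for the settings this procedure sets (a redirect list that permits TCP only, a group list restricted to the IronPort hosts, and a password on the service group). The function names are hypothetical, and the sample input is the CLI listing above.

```python
# Added example: audits the WCCP lines of an ASA config for the settings this page sets.
# SAMPLE_CONFIG is the page's CLI listing; audit_wccp/acl_entries are hypothetical helpers.
import re

SAMPLE_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object host 10.10.10.111
 network-object host 10.10.10.112
access-list WCCP_IronPorts line 1 extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list WCCP_Internet_Traffic line 1 remark Deny all Private IP Address – This should be process locally.
access-list WCCP_Internet_Traffic line 2 extended deny ip any object-group DM_INLINE_NETWORK_1
access-list WCCP_Internet_Traffic line 3 extended permit tcp any any
wccp web-cache redirect-list WCCP_Internet_Traffic group-list WCCP_IronPorts
wccp interface inside web-cache redirect in
"""

def acl_entries(config, name):
    """Return (action, protocol, source) for each extended ACE of the named ACL."""
    pat = re.compile(rf"access-list {re.escape(name)} (?:line \d+ )?extended (permit|deny) (\S+) (\S+)")
    return [m.groups() for line in config.splitlines() if (m := pat.match(line.strip()))]

def audit_wccp(config):
    """Return a list of findings for every 'wccp <service>' definition in the config."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "wccp" or tok[1] == "interface":
            continue  # not a service-group definition
        svc = tok[1]
        opt = {k: tok[tok.index(k) + 1] for k in ("redirect-list", "group-list") if k in tok[:-1]}
        if "password" not in tok:
            findings.append(f"{svc}: no password on the service group")
        if "group-list" not in opt:
            findings.append(f"{svc}: no group-list, cache engine addresses are not restricted")
        elif any(a == "permit" and src == "any" for a, _, src in acl_entries(config, opt["group-list"])):
            findings.append(f"{svc}: group-list {opt['group-list']} permits any source")
        if "redirect-list" not in opt:
            findings.append(f"{svc}: no redirect-list, private destinations are not excluded")
        elif any(a == "permit" and p != "tcp" for a, p, _ in acl_entries(config, opt["redirect-list"])):
            findings.append(f"{svc}: redirect-list {opt['redirect-list']} permits non-TCP traffic")
    return findings

if __name__ == "__main__":
    for finding in audit_wccp(SAMPLE_CONFIG):
        print(finding)
```

Run against the listing above, it reports only the missing password: the `wccp web-cache` line as shown carries no `password` option, although the ASDM procedure enters one in step 35.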

 

Monitoring WCCP on the ASA via ASDM

 

  1. Log into the ASA via ASDM
  2. Click on Monitoring → WCCP → Service Groups
  3. Click on Monitoring → WCCP → Redirection