IronPort Configuration
Use the Cisco IronPort User Guide to configure and verify the following:
- Assume that the WSA is pre-configured with IP address, routes, NTP, DNS, etc.
- Verify that there is communication between the ASA and the management interface of the IronPort appliance.
Upgrade the AsyncOS
- Log into the WSA
- Click on System Administration
- Click on System Upgrade
Configure the Web Security Appliance to redirect specific traffic from itself to the ASA
- Click on Network
- Choose Transparent Redirection
- Click on Edit Device…
- Select WCCP v2 Router from the drop down list
- Click on Submit.
- Click on Commit Changes twice
Adding web traffic can be done in two ways: Standard (web-cache) or Custom. I will go through web-cache first, then Custom.
Adding Standard Web-Cache Service
- Click on Add Service…
- Enter a profile name – any name
- Select Standard service ID: 0 web-cache (destination port 80)
- Enter a Router IP Address – this is the IP Address of the ASA you will be using as your default gateway or internet access.
- Click on Submit.
- Click on Commit Changes twice
Adding a Custom Service
- Click on Add Service…
- Enter a profile name – any name
- Enter 90 (or any number from 0 to 255) as Dynamic service ID:
- Under Redirect based on, select Source port (return path); the Destination port option will also work.
- Under Load balancing preference, select Load balance based on client address; the Server option will also work.
- Enter a Router IP Address – this is the IP address of the ASA you will be using as your default gateway or internet access.
- Click on Submit.
- Click on Commit Changes twice
Cisco ASA WCCP Configuration
- Launch and log in to ASDM
- Go to Configuration >> Firewall >> Access Rules
- Configure the access rule below to permit traffic to the internet
- Go to Configuration >> Device Management >> Advanced >> WCCP >> Service Groups
- Click on Add
- For Web-Cache, click on the Web Cache service option, or choose Dynamic Service Number; this number must match the Dynamic Service ID created on the WSA.
- Click on Manage… to create or select an Access List that permits or denies traffic as the Redirect List. All private destination traffic should be denied before permitting external traffic.
- The permit any to any statement must be TCP ONLY – no additional ports.
- For Group List, select Manage…
- Specify the IronPort data port IP address – not the management IP address, unless you are using one interface for both management and traffic. If there are multiple IronPorts, create a Network Object group with ALL IronPorts listed.
- Click on OK
- Lastly, go to Configuration >> Device Management >> Advanced >> WCCP >> Redirection
- Click on Add
- Select the Interface – most likely the LAN interface
- Select a Service Group created in the above section
- Click OK
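The same ASA-side WCCP configuration expressed as CLI commands, added here as an illustration and not taken from the original guide. The ACL and object-group names, the interface name (inside), the WSA data-interface address 10.1.1.50 and the client address ranges are assumed placeholder values; the dynamic service ID 90 matches the one configured on the WSA in the Custom Service section above.

```cisco
! Redirect list: which client traffic the ASA hands to the WSA.
! Deny private (RFC 1918) destinations first, then permit TCP only, as the guide requires.
! Addresses are constructed examples; substitute your own ranges.
access-list WCCP-REDIRECT extended deny ip any 10.0.0.0 255.0.0.0
access-list WCCP-REDIRECT extended deny ip any 172.16.0.0 255.240.0.0
access-list WCCP-REDIRECT extended deny ip any 192.168.0.0 255.255.0.0
! Precaution: never redirect traffic sourced from the WSA itself (assumed data IP 10.1.1.50),
! so the proxy's own outbound connections cannot loop back through the redirect.
access-list WCCP-REDIRECT extended deny ip host 10.1.1.50 any
! The "permit any to any" entry is TCP only - no additional ports.
access-list WCCP-REDIRECT extended permit tcp any any

! Group list: the WSA data-interface address(es) allowed to join the service group.
! An object group keeps this manageable when more than one WSA exists.
object-group network WSA-DATA
 network-object host 10.1.1.50
access-list WCCP-GROUP extended permit ip object-group WSA-DATA any

! Service group: dynamic service ID 90, matching the Dynamic Service ID on the WSA.
! For the standard service, replace "90" with "web-cache" in both commands below.
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-GROUP

! Apply redirection inbound on the LAN-facing interface (assumed name: inside).
wccp interface inside 90 redirect in
```

The group list is what stops an arbitrary host on the LAN from announcing itself as a cache engine and receiving redirected traffic, so keep it limited to the WSA data addresses; the ASA only redirects traffic arriving on the interface where redirection is enabled, so the WSA data interface and the redirected clients sit behind the same ASA interface.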
Troubleshooting Connectivity
From ASDM
- Go to Monitoring >> Properties >> WCCP >> Service Groups
- Go to Monitoring >> Properties >> WCCP >> Redirection
From the Console
- show wccp
- show wccp interfaces detail
- debug wccp events
- debug wccp packets