Web Security Appliance and ASA WCCP Configuration and Troubleshooting

IronPort Configuration

Use the Cisco IronPort User Guide to configure and verify the following:

  1. This assumes the WSA is pre-configured with its IP address, routes, NTP, DNS, etc.
  2. Verify that there is communication between the ASA and the management interface of the IronPort Appliance.
  3. Upgrade the AsyncOS
    1. Log into the WSA
    2. Click on System Administration
    3. Click on System Upgrade

  4. Configure the Web Security Appliance to redirect specific traffic from itself to the ASA
    1. Click on Network
    2. Choose Transparent Redirection

    3. Click on Edit Device…

    4. Select WCCP v2 Router from the drop down list
    5. Click on Submit.

    6. Click on Commit Changes twice


  5. Adding web traffic can be done in two ways: the standard web-cache service or a custom service. I will go through web-cache first, then custom.
    1. Adding Standard Web-Cache Service
      1. Click on Add Service…
      2. Enter a profile name – any name
      3. Select Standard service ID: 0 web-cache (destination port 80)
      4. Enter a Router IP Address – this is the IP address of the ASA you will be using as your default gateway or internet access.
      5. Click on Submit.
      6. Click on Commit Changes twice

    2. Adding a Custom Service
      1. Click on Add Service…
      2. Enter a profile name – any name
      3. Enter 90 (or any number from 0 to 255) as the Dynamic service ID
      4. Select Redirect based on source port (return path) – the Destination Port option will also work
      5. Under Load balancing preference, select Load balance based on client address – the Server option will also work
      6. Enter a Router IP Address – this is the IP address of the ASA you will be using as your default gateway or internet access.
      7. Click on Submit.
      8. Click on Commit Changes twice

Cisco ASA WCCP Configuration


  1. Launch and login into ASDM
  2. Go to Configuration >> Firewall >> Access Rules
  3. Configure the below access rule to permit traffic to the internet

  4. Go to Configuration >> Device Management >> Advanced >> WCCP >> Service Groups
  5. Click on Add
  6. For Web-Cache, click on the Web Cache service option.
  7. Or choose Dynamic Service Number; this number must match the Dynamic Service ID created on the WSA.

  8. Click on Manage… to create or select an Access List to permit or deny traffic as Redirect List. All private destination traffic should be denied before permitting external traffic.
  9. The permit any to any statement must be TCP ONLY – No additional ports

  10. For Group List, select Manage…
  11. Specify the IronPort data port IP address – not the management IP address, unless you are using one interface for both management and traffic. If there are multiple IronPorts, create a Network Object group with ALL IronPorts listed.
  12. Click on OK

  13. Lastly, go to Configuration >> Device Management >> Advanced >> WCCP >> Redirection
  14. Click on Add
  15. Select the Interface – most likely the LAN Interface
  16. Select a Service Group created in the above section

  17. Click OK
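The ASDM steps above expressed as the equivalent ASA CLI configuration (an added example, not from the original page): the redirect list denies private destinations before the TCP-only permit, and the group list restricts which device may join the service group to the WSA data interface. The ACL names, the `inside` interface name and the WSA address 192.0.2.10 are assumed placeholders; service ID 90 matches the custom service configured on the WSA above.

```text
! Redirect list: deny private (RFC 1918) destinations first, then permit TCP only
access-list WCCP-REDIRECT extended deny ip any 10.0.0.0 255.0.0.0
access-list WCCP-REDIRECT extended deny ip any 172.16.0.0 255.240.0.0
access-list WCCP-REDIRECT extended deny ip any 192.168.0.0 255.255.0.0
access-list WCCP-REDIRECT extended permit tcp any any
!
! Group list: only the WSA data-interface address (192.0.2.10 is a placeholder)
! may register with the service group; list every WSA here if there are several
access-list WCCP-WSA extended permit ip host 192.0.2.10 any
!
! Service group 90 must match the Dynamic service ID configured on the WSA.
! Optionally append "password <key>" and configure the same key on the WSA
! so that only an authenticated cache can register.
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA
!
! Redirect inbound client traffic on the LAN interface (interface name assumed)
wccp interface inside 90 redirect in
```

For the standard service, replace `90` with `web-cache` in both `wccp` lines.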


Troubleshooting Connectivity


From ASDM

  • Go to Monitoring >> Properties >> WCCP >> Service Groups

  • Go to Monitoring >> Properties >> WCCP >> Redirection


From the Console

  • show wccp
  • show wccp interfaces detail
  • debug wccp events
  • debug wccp packets