Today we are going to set up a Cisco ASA firewall to send WCCP (port 80) web inspection traffic to a Cisco Ironport WSA (Web Security Appliance).
Suppose the following:
- Ironport WSA IP address: 192.168.5.55
- Inside IP of ASA firewall: 192.168.5.1
- Inside IP address range: 192.168.0.0/16
Cisco ASA firewall configuration
Ironport Configuration
Navigate to Network –> Transparent Redirection.
Make the type WCCP v2 Router.
Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port 80 (Standard).
At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting –> Overview and you should see statistics of what traffic is now flowing through the Ironport.
Troubleshooting techniques:
- Verify basic connectivity. Check interface IP addresses. Verify network access between the ASA and the Ironport.
- Show commands on ASA: show wccp
- Debug commands on firewall: debug wccp packet, debug wccp events
- Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and there’s a listener (service) on Ironport to interpret them.