Initial Configuration of a Cisco ASA and Ironport WSA Using WCCP


Today we are going to set up a Cisco ASA firewall to use WCCP to redirect HTTP (TCP port 80) traffic to a Cisco Ironport WSA (Web Security Appliance) for web inspection.

Suppose the following:

Ironport WSA IP address: 192.168.5.55

Inside IP of ASA firewall: 192.168.5.1

Inside IP address range: 192.168.0.0/16

Cisco ASA firewall configuration

! Define the Ironport IP Address in an ACL
access-list ACL-IRONPORT-WSA extended permit ip host 192.168.5.55 any

! Define what traffic should be inspected
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp 192.168.0.0 255.255.0.0 any eq www

! Apply the WCCP configuration
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in

Ironport Configuration

Navigate to Network –> Transparent Redirection

Make the type WCCP v2 Router

Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port 80 (Standard).

At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting –> Overview and you should see statistics of what traffic is now flowing through the Ironport.

Troubleshooting techniques:

  • Verify basic connectivity. Check interface IP addresses. Verify network access between both ASA and Ironport.
  • Show commands on ASA: show wccp
  • Debug commands on firewall: debug wccp packet, debug wccp events
  • Verify that the ports matched by the traffic ACL are the same ports the WCCP service redirects (TCP 80 for the standard web-cache service) and that there is a listener (service) on the Ironport to accept them.
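As an added sanity check (not part of the original post or of either Cisco product), here is a small Python script that reads the ASA lines above, embedded as constructed sample input, and tests the consistency the last bullet asks for: the group-list names the WSA, the redirect-list only matches the port the web-cache service carries, the service is applied inbound on an interface, and the Ironport listener is on that same port. Function and variable names are my own.

```python
import re
# Constructed sample input: the ASA lines from this post, embedded so the check runs offline.
ASA_CONFIG = """\
access-list ACL-IRONPORT-WSA extended permit ip host 192.168.5.55 any
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp 192.168.0.0 255.255.0.0 any eq www
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in
"""
WEB_CACHE_PORT = 80                       # the WCCP 'web-cache' standard service carries TCP/80 only
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # ASA port keywords this check resolves

def parse_acl_entries(config):
    """Map ACL name -> list of rule strings (the text after 'extended permit')."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit (.*)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls

def rule_port(rule):
    """Destination port of an ACE such as 'tcp 192.168.0.0 255.255.0.0 any eq www', or None."""
    m = re.search(r"\beq (\S+)$", rule)
    if not m:
        return None
    tok = m.group(1)
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def check_wccp(config, wsa_ip, wsa_service_port):
    """Return a list of inconsistencies; an empty list means ACLs, WCCP service and WSA listener agree."""
    findings = []
    acls = parse_acl_entries(config)
    m = re.search(r"^wccp web-cache redirect-list (\S+) group-list (\S+)", config, re.M)
    if not m:
        return ["no 'wccp web-cache redirect-list ... group-list ...' line found"]
    redirect_acl, group_acl = m.groups()
    if not re.search(r"^wccp interface \S+ web-cache redirect in", config, re.M):
        findings.append("web-cache redirection is not applied inbound on any interface")
    # The group-list must permit the WSA itself, or the ASA ignores its WCCP registration.
    if not any(f"host {wsa_ip}" in r for r in acls.get(group_acl, [])):
        findings.append(f"group-list {group_acl} does not permit host {wsa_ip}")
    # Every port the redirect-list matches must be the one the web-cache service redirects.
    for rule in acls.get(redirect_acl, []):
        port = rule_port(rule)
        if port != WEB_CACHE_PORT:
            findings.append(f"redirect-list {redirect_acl} matches port {port}, web-cache only redirects {WEB_CACHE_PORT}")
    if wsa_service_port != WEB_CACHE_PORT:
        findings.append(f"Ironport service listens on port {wsa_service_port}, expected {WEB_CACHE_PORT}")
    return findings
```

Running `check_wccp(ASA_CONFIG, "192.168.5.55", 80)` against the post's values returns an empty list; changing the ACL to `eq 8080` or the WSA address to another host produces a finding naming the mismatch.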
