Today we are going to set up a Cisco ASA firewall to redirect web traffic (port 80) over WCCP to a Cisco Ironport WSA (Web Security Appliance) for inspection.
Suppose the following:
- Ironport WSA IP address: 192.168.5.55
- Inside IP of ASA firewall: 192.168.5.1
- Inside IP address range: 192.168.0.0/16
Cisco ASA firewall configuration
Make the type WCCP v2 Router
Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port
At this point you can run ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Overview and you should see statistics for the traffic that is now flowing through the Ironport.
- Verify basic connectivity. Check interface IP addresses. Verify network access between the ASA and the Ironport.
- Show commands on ASA: show wccp
- Debug commands on firewall: debug wccp packet, debug wccp events
- Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and that there’s a listener (service) on the Ironport to interpret them.
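
For reference when checking the traffic ACL against the WCCP service, here is an added example (not taken from the original page) of an ASA configuration matching the addresses above. It assumes the standard web-cache service (TCP port 80) and an interface named inside; the ACL names WCCP_SERVERS and WCCP_REDIRECT are made up for the example.

```cisco
! Added example, not from the original page. ACL names are assumptions.

! Group list: only this WSA may register with the ASA as a WCCP cache
access-list WCCP_SERVERS extended permit ip host 192.168.5.55 any

! Redirect list: which traffic is handed to the WSA
! Exclude the WSA's own outbound requests so they are not redirected back to it
access-list WCCP_REDIRECT extended deny ip host 192.168.5.55 any
! Redirect port 80 traffic from the inside range (192.168.0.0/16)
access-list WCCP_REDIRECT extended permit tcp 192.168.0.0 255.255.0.0 any eq www

! Enable the standard web-cache service with both lists
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_SERVERS

! Apply redirection to traffic entering the inside interface
! (assumes the interface nameif is "inside")
wccp interface inside web-cache redirect in
```

The group list limits which appliances can join the service group, so a host other than 192.168.5.55 cannot register and receive redirected traffic.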