Initial Configuration of a Cisco ASA and Ironport WSA Using WCCP

| Comments

Today we are going to set up a Cisco ASA firewall to send WCCP (port 80) web inspection traffic to a Cisco Ironport WSA (Web Security Appliance).

Suppose the following:

Ironport WSA IP address:

Inside IP of ASA firewall:

Inside IP address range:

Cisco ASA firewall configuration

! Define the Ironport IP Address in an ACL
access-list ACL-IRONPORT-WSA extended permit ip host any

! Define what traffic should be inspected
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp any eq www

! Apply the WCCP configuration
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in

Ironport Configuration

Navigate to Network –> Transparent Redirection

Make the type WCCP v2 Router

Add a service with a name of WEB_CACHE, a router IP of (ASA Inside IP) and port 80 (Standard).

At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting –> Overview and you should see statistics of what traffic is now flowing through the Ironport.

Troubleshooting techniques:

  • Verify basic connectivity. Check interface IP addresses. Verify network access between both ASA and Ironport.
  • Show commands on ASA: show wccp
  • Debug commands on firewall: debug wccp packet, debug wccp events
  • Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and there’s a listener (service) on Ironport to interpret them.