This is a basic config to get WCCPv2 running on a Cisco ASA 5510. I am using several Sophos Web Appliances (WS Series).
IMPORTANT:
The ASA does NOT support L2 (Layer 2) redirect methods. You have to use GRE encapsulation! Set the WCCP forwarding method on the appliance to GRE to match, and make sure nothing between the ASA and the appliance filters GRE (IP protocol 47) or the WCCP control traffic on UDP port 2048.
1. Configure an ACL listing every WCCP server (cache engine) that is allowed to join the service group. This group-list is what stops an arbitrary host on the inside from announcing itself as a cache engine and receiving the redirected traffic, so put only your appliances in it.
I only configured one here.
access-list wccp_proxy_servers extended permit ip host 10.200.1.80 any
2. Configure an ACL for the traffic that needs to be redirected: your internal hosts/users. The redirect-list can only match on source and destination addresses.
Port specific entries are NOT supported!
access-list wccp_proxy_hosts extended permit ip 10.200.10.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.15.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.71.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.100.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.200.0 255.255.255.0 any
3. Enable WCCP
web-cache (service 0) is the standard, well-known service. It intercepts TCP port 80 (HTTP) and sends it to the cache engine.
wccp web-cache redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
4. Enable WCCP redirection on the inside interface. The ASA only redirects on ingress (redirect in), and it only supports the topology where the clients and the cache engine sit behind the same ASA interface, so the appliance can talk to the clients directly without going back through the ASA.
wccp interface inside web-cache redirect in
5. Enable WCCP to redirect HTTPS traffic to the cache engine using service 70. HTTPS is a dynamic service, and 70 is the number the appliance advertises for it, so you HAVE to use service 70 on the ASA as well. Then apply it to the inside interface.
wccp 70 redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp interface inside 70 redirect in
6. Now you are done. If you want to redirect FTP traffic as well, add the same pair of commands again with service 60 in place of 70.
Here is a list of common WCCP service group numbers. Only 0 (web-cache) is a standard service; 51 to 255 are dynamic services whose definition (ports, protocol, priority) comes from the cache engine, so the numbers below are conventions and the ASA side must use whatever the appliance announces:
0 OR web-cache = HTTP
53 = DNS
60 = FTP
70 = HTTPS
90 – 97 = User Configurable
99 = Reverse Proxy
Final Configuration:
access-list wccp_proxy_hosts extended permit ip 10.200.10.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.15.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.71.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.100.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.200.0 255.255.255.0 any
access-list wccp_proxy_servers extended permit ip host 10.200.1.80 any
wccp web-cache redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp 70 redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
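The constraints from the steps above (address-only redirect-list, a group-list on every service, every service applied to an interface) are easy to get wrong when there are several services and subnets. The following Python linter is an added example, not part of the original post or of any Cisco or Sophos tool: it parses ASA-style wccp and access-list lines and reports errors (things the ASA will not redirect with) and warnings (hardening points such as a missing WCCP password or a group-list wider than a single host). The GOOD_CONFIG text is the final configuration above; BAD_CONFIG is a constructed counter-example.

```python
import re
from collections import defaultdict

# The page's final configuration, embedded so the check runs offline.
GOOD_CONFIG = """
access-list wccp_proxy_hosts extended permit ip 10.200.10.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.15.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.71.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.100.0 255.255.255.0 any
access-list wccp_proxy_hosts extended permit ip 10.200.200.0 255.255.255.0 any
access-list wccp_proxy_servers extended permit ip host 10.200.1.80 any
wccp web-cache redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp 70 redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
"""

# Constructed counter-example (not from the page): a port-specific redirect ACE,
# a subnet-wide group-list, a service with no group-list that is never applied,
# and a service applied to an interface but never defined.
BAD_CONFIG = """
access-list wccp_proxy_hosts extended permit tcp 10.200.10.0 255.255.255.0 any eq 80
access-list wccp_proxy_servers extended permit ip 10.200.1.0 255.255.255.0 any
wccp web-cache redirect-list wccp_proxy_hosts group-list wccp_proxy_servers
wccp 70 redirect-list wccp_proxy_hosts
wccp interface inside web-cache redirect in
wccp interface inside 60 redirect in
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
SERVICE_RE = re.compile(
    r"^wccp (web-cache|\d+)"
    r"(?: redirect-list (\S+))?(?: group-list (\S+))?(?: password (\S+))?$")
APPLY_RE = re.compile(r"^wccp interface (\S+) (web-cache|\d+) redirect in$")
PORT_KEYWORDS = {"eq", "neq", "gt", "lt", "range"}


def parse(config):
    """Split the config into ACLs, wccp service definitions and interface applications."""
    acls = defaultdict(list)    # acl name -> [(action, protocol, rest of ACE)]
    services = {}               # service id -> {"redirect": acl, "group": acl, "password": pw}
    applied = defaultdict(set)  # service id -> {interface names it is applied on}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m[1]].append((m[2], m[3], m[4]))
        elif m := APPLY_RE.match(line):
            applied[m[2]].add(m[1])
        elif m := SERVICE_RE.match(line):
            services[m[1]] = {"redirect": m[2], "group": m[3], "password": m[4]}
    return acls, services, applied


def lint(config):
    """Return (errors, warnings) as two lists of strings; empty errors means the
    config is consistent with the ASA WCCP constraints described on the page."""
    acls, services, applied = parse(config)
    errors, warnings = [], []
    for svc, opts in services.items():
        for role in ("redirect", "group"):
            if opts[role] and opts[role] not in acls:
                errors.append(f"{svc}: {role}-list {opts[role]} is not defined")
        # Without a group-list any host can announce itself as a cache engine
        # and receive the redirected (GRE-encapsulated) client traffic.
        if not opts["group"]:
            errors.append(f"{svc}: no group-list, any host may join the service group")
        if not opts["password"]:
            warnings.append(f"{svc}: no password, service group messages are unauthenticated")
        if svc not in applied:
            errors.append(f"{svc}: defined but not applied to any interface")
        # The redirect-list may only match on addresses: protocol ip, no port keywords.
        for action, proto, rest in acls.get(opts["redirect"], []):
            if proto != "ip" or PORT_KEYWORDS & set(rest.split()):
                errors.append(f"{svc}: redirect-list ACE is port specific: {action} {proto} {rest}")
        # The group-list should name individual appliances, not whole subnets.
        for action, proto, rest in acls.get(opts["group"], []):
            if not rest.startswith("host "):
                warnings.append(f"{svc}: group-list ACE is wider than one host: {action} {proto} {rest}")
    for svc, ifaces in applied.items():
        if svc not in services:
            errors.append(f"{svc}: applied on {sorted(ifaces)} but never defined")
    return errors, warnings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        errs, warns = lint(cfg)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("  " + msg)
```

The page's configuration passes with no errors and two warnings (neither service sets a WCCP password, which the ASA wccp command accepts as an optional keyword). The counter-example produces five errors, including the port-specific ACE and service 60 being applied but never defined.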
Troubleshooting and Verification:
show wccp (shows all the services configured; each service should list the appliance as a cache engine, and the redirect counters should increase while a client browses)
show wccp web-cache detail and show wccp 70 detail (per-service detail, including the cache engines that have joined)
debug wccp events
debug wccp packets (very noisy on a busy inside interface; turn it off again with no debug wccp packets or undebug all)