WSA transparent proxy using WCCP on FTD

The Cisco Web Security Appliance (WSA) supports two modes of operation: explicit or transparent. In explicit mode the user’s web browser must be explicitly configured with the WSA as the proxy server. In transparent mode no proxy is configured on the client; the user’s traffic is routed to a WCCP-enabled device, which redirects it to the WSA, and the WSA proxies the traffic to the original destination. In transparent mode the WSA appears to the client to be the original destination server, as the client is unaware of the WSA proxy.

In this post we will cover the configuration required to set up WCCP between a Cisco FTD (version 7.1) managed locally with FDM and a Cisco WSA (version 10.1.3).

Topology

The figure below represents the topology used in this scenario.


With WCCP enabled, the traffic flow will be as follows:

  • A user with a PC connected to VLAN 10 communicates with a public website; the traffic is routed from the switch to the default gateway on the FTD.
  • The traffic matches the WCCP redirect list and is sent to the WSA’s P1 interface.
  • The WSA’s P1 interface proxies the traffic to the original destination and returns the webpage to the user on the PC.

WSA Configuration

The following pre-requisites are assumed: the basic WSA configuration (Web Proxy and HTTPS Proxy enabled) and the M1 and P1 interfaces configured.

  • The M1 interface on the WSA is a dedicated management interface and will not receive proxy traffic.
  • The P1 interface on the WSA is dedicated to proxy traffic; the FTD will send all redirected traffic to this interface.

Transparent Proxy Configuration

  • Log in to the Web GUI of the WSA
  • Navigate to Network > Transparent Redirection
  • Click Edit Device


  • Select WCCP v2 Router from the Type drop-down list
  • Click Submit

  • Click Add Service
  • Enter an appropriate name for the Service Profile Name.
  • Select Dynamic Service ID and enter an ID of 90 (or any ID between 90 and 97).

Refer to this document for more information on WCCP service IDs: https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118246-configure-wsa-00.html

  • Define the port numbers 80 and 443, plus any additional ports you wish to transparently proxy.
  • Leave the defaults of Redirect based on destination port and Load balance based on server address.
  • Enter the IP address of the FTD (by default the FTD uses the highest IP address configured locally to identify itself).
  • Leave all other defaults, click Submit.


NOTE – the Forwarding and return method in this scenario will be GRE, as the FTD and WSA are not on the same VLAN. If they were on the same VLAN then L2 could be used.

FDM Configuration

It is assumed the FDM is set up with a basic configuration: IP addressing, interfaces, ACP, NAT etc.

  • Log in to the Web GUI of the FDM
  • Navigate to Objects > Networks
  • Create a host object for the WSA P1 interface.


  • Navigate to Device > Advanced Configuration > Smart CLI > Objects
  • Name the SmartCLI object WCCP-WSA; this object will be referenced later in the FlexConfig object.
  • Create an Extended Access List to define the WSA, referencing the object WCCP-WSA (created in the previous step). This list defines the WCCP-enabled devices, in this example communication to/from the WSA.


  • Click Ok.
  • Create another SmartCLI object called WCCP-REDIRECT; this object will be referenced later in the FlexConfig object.
  • Create an Extended Access List to define which source networks and destination ports should be redirected to the WSA.


In this example traffic from VLAN10 (192.168.10.0/24) for HTTP (tcp/80) and HTTPS (tcp/443) is matched for redirection. Traffic not sourced from VLAN10 is not redirected to the WSA.

  • Click Ok to save
  • Navigate to Device > Advanced Configuration > FlexConfig > FlexConfig Objects
  • Create a new object called WCCP

FlexConfig allows valid ASA commands to be deployed to the FTD, usually when there is no native support for the command/feature in the FDM GUI. Refer to the ASA WCCP guide for more information on the ASA-supported WCCP commands.

  • Under the template section enter the following syntax:

wccp <service id as defined in WSA> redirect-list <name of redirect list above> group-list <name of list defining WSA servers>
wccp interface <inside interface nameif> <service id as defined in WSA> redirect <direction>


  • Create a negate template to define how the configured commands are removed.
  • Click Ok to save.
  • Navigate to Device > Advanced Configuration > FlexConfig > FlexConfig Policy.
  • Under the Group List select the WCCP FlexConfig object created in the previous step.


  • Click Ok and then Save.

Deploy the policy to the FTD.

Testing/Validation

From a test computer with an IP address as defined in the redirect access list, generate some web traffic for testing.

  • Log in to the CLI of the FTD
  • Run the command show access-list WCCP-WSA

Confirm the source host IP of the WSA is permitted to any destination.


  • Run the command show access-list WCCP-REDIRECT

Confirm the source network(s), in this instance 192.168.10.0/24, is permitted to any destination on tcp 80 and 443.


  • Run the command show wccp

From the output below we can confirm the FTD router identifier (itself), the service ID (as configured), the redirect access list WCCP-REDIRECT, the group access list WCCP-WSA and, importantly, the total number of packets redirected.


  • Run the command show wccp 90 view

The output of this command below confirms the FTD has established communication with the WSA P1 interface on 192.168.101.37.


  • Run the command system support diagnostic-cli
  • Set up a packet capture for GRE, HTTP and HTTPS traffic on the interface WCCP is enabled on:

capture CAPI interface <nameif> match gre any any
capture CAPI interface <nameif> match tcp any any eq 80
capture CAPI interface <nameif> match tcp any any eq 443

From the output of the packet capture below we can see a request from a client PC on 192.168.10.100 (the source network defined in the redirect list) to a public IP. In the 2nd packet we see GRE communication from the FTD (192.168.250.1) to the WSA P1 interface (192.168.101.37). The 3rd packet is sourced from the WSA’s P1 interface to the original destination. Finally, in the 4th packet we can confirm the return traffic from the public IP address back to the WSA.


  • Log in to the Web GUI of the FDM
  • Navigate to Monitoring > Events > Connection
  • Apply a filter to monitor the original client IP address (192.168.10.100) and the WSA P1 interface (192.168.101.37).

From the output below we can confirm only the WSA IP address is successfully communicating through the FTD.


  • Log in to the Web GUI of the WSA
  • Navigate to Reporting > Web Sites

Observe that the websites listed match those used for testing, confirming that traffic was redirected through the WSA transparently.


To test that traffic from another VLAN not specified in the WCCP-REDIRECT access list is not redirected, log in to a computer on another VLAN and generate some traffic.

  • Log in to the FDM GUI
  • Navigate to Monitoring > Events > Connection
  • Apply a filter to monitor the IP address of the test computer, in this instance 192.168.11.101.

From the output below we can see the traffic is allowed and the source is the IP address of the client computer, not the WSA’s P1 interface. This confirms traffic not matched by the WCCP-REDIRECT list was not redirected to the WSA.
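As an added example (not code from the post, Cisco or the WSA/FTD products), the following Python models the redirect decision the two access lists produce and checks a captured exchange against the four-packet sequence described above, as well as the non-redirected VLAN11 case. The addresses are the ones used in the post; the public destination 203.0.113.10 and the packet records are constructed placeholders, and the access list matcher is a simplified permit-only model, not the FTD's implementation.

```python
"""Model the FTD's WCCP redirect decision and validate a capture against it.
Added example; the ACL model and the public IP/packet records are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
WSA_P1 = "192.168.101.37"    # WSA P1 interface (from the post)
FTD_ID = "192.168.250.1"     # FTD router identifier seen in the post's capture
PUBLIC = "203.0.113.10"      # constructed placeholder for "a public IP"
ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended access list."""
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port


# Constructed equivalents of the two SmartCLI access lists from the post.
WCCP_REDIRECT = [
    Ace("tcp", net("192.168.10.0/24"), ANY, 80),
    Ace("tcp", net("192.168.10.0/24"), ANY, 443),
]
WCCP_WSA = [Ace("ip", net("192.168.101.37/32"), ANY)]


def acl_permits(acl, proto, src, dst, dport=None):
    """True if any entry matches (simplified permit-only, first-match semantics)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return True
    return False


def would_redirect(proto, src, dst, dport=None):
    """Decision for a new flow on the inside interface: only flows permitted by the
    redirect list are GRE-encapsulated to the WSA. Because the WSA's P1 address is
    outside the redirect list, its own proxied connections are never looped back."""
    return acl_permits(WCCP_REDIRECT, proto, src, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "gre"
    dport: Optional[int] = None


def check_capture(packets, client, public, dport):
    """Compare a capture with the sequence expected for this client/destination."""
    expect_redirect = would_redirect("tcp", client, public, dport)
    client_request = any(p.src == client and p.dst == public and p.proto == "tcp"
                         and p.dport == dport for p in packets)
    gre_to_wsa = any(p.proto == "gre" and p.src == FTD_ID and p.dst == WSA_P1 for p in packets)
    wsa_egress = any(p.src == WSA_P1 and p.dst == public and p.proto == "tcp"
                     and p.dport == dport for p in packets)
    return_to_wsa = any(p.src == public and p.dst == WSA_P1 and p.proto == "tcp" for p in packets)
    return_to_client = any(p.src == public and p.dst == client and p.proto == "tcp" for p in packets)
    if expect_redirect:
        ok = client_request and gre_to_wsa and wsa_egress and return_to_wsa and not return_to_client
        return "redirected-ok" if ok else "redirect-missing"
    ok = client_request and not gre_to_wsa and not wsa_egress and return_to_client
    return "direct-ok" if ok else "unexpected-redirect"


# Constructed captures mirroring the two tests described in the post.
CAPTURE_VLAN10 = [
    Packet("192.168.10.100", PUBLIC, "tcp", 443),   # client request
    Packet(FTD_ID, WSA_P1, "gre"),                   # FTD -> WSA P1 over GRE
    Packet(WSA_P1, PUBLIC, "tcp", 443),              # WSA proxies to original destination
    Packet(PUBLIC, WSA_P1, "tcp", 51514),            # return traffic to the WSA
]
CAPTURE_VLAN11 = [
    Packet("192.168.11.101", PUBLIC, "tcp", 443),
    Packet(PUBLIC, "192.168.11.101", "tcp", 51515),
]

if __name__ == "__main__":
    print("VLAN10:", check_capture(CAPTURE_VLAN10, "192.168.10.100", PUBLIC, 443))
    print("VLAN11:", check_capture(CAPTURE_VLAN11, "192.168.11.101", PUBLIC, 443))
```

The negative check matters as much as the positive one: a capture in which the client's own address reaches the public destination directly, with no GRE packet to the WSA, means the redirect list is not matching and the proxy policy is being bypassed.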


Summary

Although there are no native GUI menus to configure WCCP as of FDM version 7.1, integration with the WSA using WCCP can easily be achieved using FlexConfig with the native ASA commands. Although not tested, there is no reason why the same WCCP configuration cannot be applied from an FMC, using the same logic in the FlexConfig settings.
