WSA transparent proxy using WCCP on ASA/IOS-XE

This post describes the steps required to configure WCCP on Cisco ASA firewalls and Cisco IOS-XE switches. The WSA side of the configuration is not repeated here; refer to the previous post, WSA transparent proxy using WCCP on FTD, which covers the WSA configuration in detail.

WCCP redirects traffic from the ASA or IOS-XE device (switch or router) to the WSA. Redirection is supported using GRE or L2:

  • Use GRE if the WSA is in a different subnet from the redirecting device
  • Use L2 if the WSA and the redirecting device are in the same subnet (L2 adjacent); note that the ASA only supports GRE

In transparent mode the HTTPS Proxy must be enabled on the WSA so that redirected port 443 connections are handled, but it is not necessary to decrypt them; a decryption policy that passes the traffic through is sufficient.

ASA Configuration

The following is important information related to configuring WCCP on the Cisco ASA.

  • Redirection is GRE based only
  • The client and the WSA must be on the same ASA interface; the ASA does not redirect across interfaces
  • The redirect ACL selects what is redirected: permitted traffic is sent to the WSA, while denied or unmatched traffic bypasses the proxy and is forwarded through the ASA's normal policy

Transparent redirection must also be configured on the WSA, using the same Service ID as the ASA (90 in this post).

Topology

The diagram below represents the topology of the ASA WCCP configuration. The client computer sends a packet destined to the internet, which is routed to the ASA as normal. If the packet matches the WCCP-REDIRECT ACL, the ASA encapsulates it in GRE and redirects it to the WSA, which proxies the request to the destination.


Configuration

The WCCP-WSA ACL below is used to identify the WSA(s) allowed to register as WCCP clients in the service group. Keep it limited to the WSA addresses: any host matched by this ACL can join the service group and would then receive the redirected client traffic.

access-list WCCP-WSA extended permit ip host 192.168.101.37 any

The WCCP-REDIRECT ACL identifies the traffic to be redirected; here only HTTP and HTTPS from the client subnet, so the WSA's own outbound connections (sourced from 192.168.101.37) are never matched and redirected back to it.

access-list WCCP-REDIRECT extended permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 192.168.50.0 255.255.255.0 any eq https

Create a service group ID (IDs between 90-97 are user configurable); this references the ACLs defining the traffic to be redirected and which WSA is allowed to participate. NOTE – The Service ID defined on the ASA must be the same number defined on the WSA.

wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA

Enable WCCP inbound on the inside interface that receives the web traffic from the client devices, referencing the service group ID previously configured.

wccp interface INSIDE 90 redirect in

Verification

Once WCCP is enabled on the ASA and the WSA is configured for transparent proxy, test the setup. From the ASA CLI, run the command show wccp; this confirms that the WCCP service group has been established between the ASA and the WSA (the WSA appears as a registered cache engine) and shows the count of packets being redirected.

Run the command show access-list to confirm hit counts against both ACLs, WCCP-WSA and WCCP-REDIRECT; hits on WCCP-REDIRECT confirm that client traffic is matching the ACL and being redirected.

Configure a packet capture on the ASA to see the packet flow. The example below adds three match statements to a single capture named WSA: the GRE traffic between the ASA and the WSA, traffic to/from the WSA (192.168.101.37), and web traffic from the host computer (192.168.50.10).

capture WSA interface INSIDE match gre any any
capture WSA interface INSIDE match ip host 192.168.101.37 any
capture WSA interface INSIDE match ip host 192.168.50.10 any

From the capture output, we can see the host computer (192.168.50.10) initiate a connection on tcp/80, followed by GRE communication from the ASA (192.168.178.25) carrying the encapsulated web request to the WSA (192.168.101.37); finally, the WSA proxies the request to the original destination from its own address.
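The verification steps above are manual. As an added example (not code from the original post), the script below parses ASA show wccp output and reports the conditions worth checking after enabling redirection: no cache engine registered, the wrong ACLs bound, no packets redirected, and, the security-relevant ones, WCCP messages rejected by the group-list or by authentication, which mean a host the ASA did not trust tried to join the service group. SAMPLE_SHOW_WCCP is a constructed snippet that follows the layout of the ASA command output (with three denied group messages added deliberately); confirm the field labels against a real device before relying on the parser.

```python
"""Parse Cisco ASA 'show wccp' output and flag conditions to check after
enabling redirection.

Added example, not code from the original post. SAMPLE_SHOW_WCCP is a
constructed snippet that follows the layout of the ASA command output; check
the field labels against a real device before relying on the parser.
"""
import re

# Constructed sample: one service group (90), one WSA registered, and three
# WCCP messages rejected by the group-list (an unlisted host tried to join).
SAMPLE_SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.178.25
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            4821
        Redirect access-list:                WCCP-REDIRECT
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-WSA
        Total Messages Denied to Group:      3
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

_SERVICE_RE = re.compile(r"^\s*Service Identifier:\s*(\d+)\s*$")
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]+?):\s+(\S+)\s*$")


def parse_show_wccp(text):
    """Return {service_id: {field_label: value}}; numeric counters become int."""
    services, current = {}, None
    for line in text.splitlines():
        m = _SERVICE_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = {}
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            key, val = m.group(1).strip(), m.group(2)
            services[current][key] = int(val) if val.isdigit() else val
    return services


def wccp_findings(services, service_id, redirect_acl, group_acl):
    """Return a list of problems for one service group; empty means healthy.

    Healthy means: the group exists, at least one cache engine (the WSA) is
    registered, the expected ACLs are bound, packets have been redirected, and
    nothing has been rejected by the group-list or by authentication. Non-zero
    rejection counters mean a host the ASA did not trust tried to register as
    a WCCP client; had it succeeded it would receive the clients' web traffic,
    so investigate rather than treat it as noise.
    """
    svc = services.get(service_id)
    if svc is None:
        return [f"service {service_id} not present in show wccp output"]
    findings = []
    if svc.get("Number of Cache Engines", 0) < 1:
        findings.append("no cache engine (WSA) registered with the service group")
    if svc.get("Redirect access-list") != redirect_acl:
        findings.append(f"redirect ACL is {svc.get('Redirect access-list')!r}, expected {redirect_acl!r}")
    if svc.get("Group access-list") != group_acl:
        findings.append(f"group ACL is {svc.get('Group access-list')!r}, expected {group_acl!r}")
    if svc.get("Total Packets Redirected", 0) == 0:
        findings.append("no packets redirected yet; generate client web traffic and re-check")
    denied = svc.get("Total Messages Denied to Group", 0)
    if denied:
        findings.append(f"{denied} WCCP messages denied by group-list: an unlisted host tried to join")
    auth_fail = svc.get("Total Authentication failures", 0)
    if auth_fail:
        findings.append(f"{auth_fail} WCCP authentication failures: password mismatch or untrusted host")
    return findings


def redirect_delta(before_text, after_text, service_id):
    """Packets redirected between two snapshots; should grow while a client browses."""
    before = parse_show_wccp(before_text)[service_id]["Total Packets Redirected"]
    after = parse_show_wccp(after_text)[service_id]["Total Packets Redirected"]
    return after - before


if __name__ == "__main__":
    parsed = parse_show_wccp(SAMPLE_SHOW_WCCP)
    for problem in wccp_findings(parsed, 90, "WCCP-REDIRECT", "WCCP-WSA") or ["service group 90 healthy"]:
        print(problem)
```

Take two snapshots of show wccp a minute apart while a client in 192.168.50.0/24 browses and feed them to redirect_delta; a delta of zero with a healthy service group usually means the traffic is not matching WCCP-REDIRECT or is entering on an interface where WCCP is not enabled. The same approach applies to show ip wccp 91 detail on the switch, but the field labels differ and the regexes would need adjusting.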

IOS-XE Configuration

The following is important information related to configuring WCCP on a Cisco Catalyst switch.

  • Redirection is L2, so the WSA must be L2-adjacent to the switch (on a VLAN the switch routes for)
  • The redirect ACL permits or denies traffic to be redirected to the WSA; denied or unmatched traffic is forwarded normally, not through the proxy

Transparent redirection must also be configured on the WSA, using the same Service ID as the switch (91 in this post).


Topology

The topology diagram below represents the packet flow when using WCCP configured on a Cisco Catalyst switch. WCCP is enabled on the user VLAN, any packet matched by the WCCP-REDIRECT ACL is redirected to the WSA. The WSA then proxies the internet request to the destination.

Switch Configuration

WCCP configuration on an IOS-XE device is similar to the ASA: an ACL matches the traffic for redirection, a Service ID is enabled (this must match the WSA), and WCCP is enabled on the VLAN. In a large environment, WCCP would typically be enabled on an interface closer to the firewall, where the egress traffic is routed through, rather than on each SVI; the WSA still has to be L2-adjacent to whichever device performs the redirection.

Define an extended ACL to identify the traffic to be redirected. Note that IOS ACLs use a wildcard mask (0.0.0.255), not the subnet mask used on the ASA.

ip access-list extended WCCP-REDIRECT
 permit tcp 192.168.50.0 0.0.0.255 any eq www
 permit tcp 192.168.50.0 0.0.0.255 any eq 443

Create a WCCP Service ID, referencing the WCCP-REDIRECT ACL.

ip wccp 91 redirect-list WCCP-REDIRECT

Enable WCCP on the SVI

interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip wccp 91 redirect in
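The ASA and IOS-XE procedures above configure the same thing in two dialects: a subnet mask versus a wildcard mask in the redirect ACL, wccp versus ip wccp for the service group, and a Service ID that must match the WSA on both. As an added example (not configuration from the original post), the generator below emits both configurations from one description of the deployment, so the service IDs, ACL names and masks stay consistent. It also adds two safeguards that the post's switch configuration does not include: a group-list on the IOS-XE side (the same restriction the ASA configuration applies) and an explicit deny for any WSA address that falls inside a redirected client subnet, so the proxy's own outbound connections are never redirected back to it. The values in the usage section (WSA 192.168.101.37, clients in 192.168.50.0/24, services 90 and 91) are assumptions chosen to mirror the post's topology, and the optional password argument is assumed to match a passphrase set on the WSA; review the output before pasting it into a device.

```python
"""Generate matching WCCP configuration for a Cisco ASA (GRE redirection)
and a Cisco IOS-XE switch (L2 redirection) from one deployment description.

Added example, not configuration from the original post. The values used in
the usage section are assumptions chosen to mirror the post's topology; review
the generated lines before pasting them into a device.
"""
import ipaddress


def _redirect_entries(client_nets, wsa_hosts, ports, ios_style):
    """Build the body of the redirect ACL.

    ASA ACLs take a subnet mask (255.255.255.0); IOS ACLs take a wildcard
    (0.0.0.255), which is exactly ipaddress's hostmask. If a WSA address falls
    inside a client subnet, its own outbound connections would match the permit
    entries and be redirected back to it, so an explicit deny for that host is
    emitted first.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in client_nets]
    entries = []
    for host in map(ipaddress.ip_address, wsa_hosts):
        if any(host in n for n in nets):
            entries.append(f"deny tcp host {host} any")
    for n in nets:
        mask = n.hostmask if ios_style else n.netmask
        for port in ports:
            entries.append(f"permit tcp {n.network_address} {mask} any eq {port}")
    return entries


def _service_line(prefix, service_id, password):
    # The group-list restricts which hosts may register as WCCP clients; without
    # it any host on the interface could join the group and receive redirected
    # traffic. The optional password is assumed to match the passphrase on the WSA.
    line = f"{prefix} {service_id} redirect-list WCCP-REDIRECT group-list WCCP-WSA"
    return line + (f" password {password}" if password else "")


def asa_wccp_config(service_id, wsa_hosts, client_nets, interface, password=None):
    """ASA configuration for one service group: ACLs, service, interface binding."""
    lines = [f"access-list WCCP-WSA extended permit ip host {h} any" for h in wsa_hosts]
    for entry in _redirect_entries(client_nets, wsa_hosts, ("www", "https"), ios_style=False):
        lines.append(f"access-list WCCP-REDIRECT extended {entry}")
    lines.append(_service_line("wccp", service_id, password))
    lines.append(f"wccp interface {interface} {service_id} redirect in")
    return lines


def iosxe_wccp_config(service_id, wsa_hosts, client_nets, svi, svi_addr, password=None):
    """IOS-XE configuration for one service group, enabled inbound on the client SVI."""
    lines = ["ip access-list extended WCCP-WSA"]
    lines += [f" permit ip host {h} any" for h in wsa_hosts]
    lines.append("ip access-list extended WCCP-REDIRECT")
    lines += [f" {e}" for e in _redirect_entries(client_nets, wsa_hosts, ("www", "443"), ios_style=True)]
    lines.append(_service_line("ip wccp", service_id, password))
    addr = ipaddress.ip_interface(svi_addr)
    lines += [f"interface {svi}", f" ip address {addr.ip} {addr.netmask}",
              f" ip wccp {service_id} redirect in"]
    return lines


if __name__ == "__main__":
    # Assumed deployment values mirroring the post: WSA 192.168.101.37, clients in
    # 192.168.50.0/24, service 90 on the ASA and 91 on the switch.
    print("! ASA (service 90; configure the same ID on the WSA)")
    print("\n".join(asa_wccp_config(90, ["192.168.101.37"], ["192.168.50.0/24"], "INSIDE")))
    print("! IOS-XE (service 91; configure the same ID on the WSA)")
    print("\n".join(iosxe_wccp_config(91, ["192.168.101.37"], ["192.168.50.0/24"],
                                      "Vlan50", "192.168.50.1/24")))
```

With the assumed values, the ASA output is line for line the configuration shown in the ASA section above, and the IOS-XE output matches the switch configuration with the WCCP-WSA group-list added. Whatever the redirect ACL does not permit is forwarded unproxied, so review the generated permit entries against the web policy you expect the WSA to enforce.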

Once the WSA and the switch have been configured, the WCCP service group should be established between them.


Run the command show ip wccp 91 detail to confirm that the WSA (192.168.101.37) has registered with the service group and that L2 is the redirection method in use.


From a client computer in the network defined in the WCCP-REDIRECT ACL, browse the internet; this should be successful, with the requests proxied by the WSA.

Turn on WCCP debugging on the switch with the command debug ip wccp packets; the output confirms that the switch (192.168.101.254) used WCCP to redirect a packet to the WSA (192.168.101.37). Disable it afterwards with no debug ip wccp packets, as packet debugs are CPU intensive on a busy switch.


Templates

For templates to configure WCCP on ASA and IOS-XE devices, click here.
