Solved

WCCP on ASA & Bluecoat

Posted on 2013-06-17
Medium Priority
1,212 Views
Last Modified: 2013-06-23
I am trying to use a Bluecoat proxy for web filtering. I have configured the ASA with WCCP, and the WCCP status is usable on both sides. The ASA is redirecting the traffic to the proxy. The proxy client and the Bluecoat proxy are in different DMZ zones but on the same physical interface.

gig0/1.100  192.168.100.100 Client IP
gig0/1.200  192.168.200.100 Proxy IP

Appropriate access lists for the client and the proxy are configured.

Proxy-to-client full IP access is open. I can see traffic reaching the Bluecoat, and the Bluecoat is also sending return traffic through the GRE tunnel, but somehow the return traffic is not reaching the client.

I captured traffic on the ASA and I can see that the ASA received the GRE-encapsulated return traffic on gig0/1.200, but it is not passing it to the client on gig0/1.100.

Could you please help me troubleshoot the problem?
Question by:Muhammad_Ashfaq
4 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39254464
There is a limitation in the WCCP implementation in the Cisco ASA. This limitation means that your clients need to be on the same firewall leg as the WCCP proxy. I can't see your topology from your question, but if the ASA is in the path between the clients and the Bluecoat, that is probably why it doesn't work.

Best regards
Kvistofta
 

Author Comment

by:Muhammad_Ashfaq
ID: 39255355
Hi Kvistofta,

The clients and the proxy are connected directly to the ASA. ASA interface gig0/1 is divided into two logical interfaces, gig0/1.100 and gig0/1.200. The two interfaces have different security levels and are categorized as two DMZ zones. If I keep the client and the proxy in the same DMZ, then WCCP works fine. If I move the clients to another DMZ, then I can see the proxy sending GRE-encapsulated return traffic to the ASA, but the ASA is not sending that traffic to the client. Hope you understand the topology.
 
LVL 17

Accepted Solution

by: Kvistofta (earned 2000 total points)
ID: 39255522
Yes, I understand your topology. Your clients and your proxy are on two different firewall interfaces, since subinterfaces are treated as separate security zones.

So your design is not supported by Cisco, and you need to solve this in another way. Sorry.

Regards
Kvistofta
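A configuration check for the constraint Kvistofta describes, added here as an illustration and not part of the thread: it parses a constructed ASA config excerpt (interface names, ACL names and addresses are assumed, modelled on the topology in the question; the `interface`, `access-list` and `wccp` lines use the standard ASA command forms) and flags a cache engine whose address is not on the subnet of the interface where WCCP redirection is applied.

```python
import ipaddress
import re

# Constructed ASA config mirroring the question: clients on gig0/1.100, Bluecoat on gig0/1.200.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1.100
 nameif dmz-clients
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 nameif dmz-proxy
 ip address 192.168.200.1 255.255.255.0
!
access-list wccp-servers extended permit ip host 192.168.200.100 any
access-list wccp-redirect extended permit tcp 192.168.100.0 255.255.255.0 any eq www
wccp web-cache redirect-list wccp-redirect group-list wccp-servers
wccp interface dmz-clients web-cache redirect in
"""

def parse_interfaces(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, block = {}, {}
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if "nameif" in block and "net" in block:
                nets[block["nameif"]] = block["net"]
            block = {}
        elif m := re.match(r"\s+nameif (\S+)", line):
            block["nameif"] = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            block["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def wccp_cache_ips(config):
    """Cache-engine addresses: the 'host' entries of the ACL named by group-list."""
    m = re.search(r"^wccp web-cache .*group-list (\S+)", config, re.M)
    if not m:
        return []
    pattern = rf"^access-list {re.escape(m.group(1))} .*permit ip host (\S+)"
    return [ipaddress.ip_address(h) for h in re.findall(pattern, config, re.M)]

def check_wccp_topology(config):
    """(interface, cache_ip, ok) per redirect interface; ok is False when the cache
    engine is not on that interface's subnet, the layout the thread says is unsupported."""
    nets, caches, results = parse_interfaces(config), wccp_cache_ips(config), []
    for ifname in re.findall(r"^wccp interface (\S+) web-cache redirect in", config, re.M):
        net = nets.get(ifname)
        for cache in caches:
            results.append((ifname, str(cache), net is not None and cache in net))
    return results
```

Run against the sample config it reports the cache on dmz-proxy as not being on dmz-clients; moving the cache host into 192.168.100.0/24 makes the check pass.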
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39255525
