Solved

WCCP on ASA & Bluecoat

Posted on 2013-06-17
4
1,135 Views
Last Modified: 2013-06-23
I am trying to use a Bluecoat proxy for web filtering. I have configured the ASA with WCCP and the WCCP status is usable on both sides. The ASA is redirecting the traffic to the proxy. The proxy client and the Bluecoat proxy are in different DMZ zones but on the same physical interface.

gig0/1.100  192.168.100.100 Client IP
gig0/1.200  192.168.200.100 Proxy IP

Appropriate access lists for the client and the proxy are configured.

Proxy-to-client full IP access is open. I can see traffic reaching the Bluecoat, and the Bluecoat also sending return traffic through the GRE tunnel, but somehow the return traffic is not reaching the client.

I captured traffic on the ASA and I can see that the ASA received the GRE-encapsulated return traffic on gig0/1.200, but it is not passing it to the client on gig0/1.100.

Could you please help me troubleshoot the problem?
Question by:Muhammad_Ashfaq
4 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39254464
There is a limitation with the WCCP implementation in the Cisco ASA. This limitation means that your clients need to be on the same firewall leg as the WCCP proxy. I can't see your topology from your question, but if the ASA is in the path between the clients and the Bluecoat, that is probably why it doesn't work.

Best regards
Kvistofta
0
 

Author Comment

by:Muhammad_Ashfaq
ID: 39255355
Hi Kvistofta,

Clients and proxy are connected directly to the ASA. ASA interface gig0/1 is divided into two logical interfaces, gig0/1.100 and gig0/1.200. Both interfaces have different security levels and are categorized as two DMZ zones. If I keep the client and the proxy in the same DMZ then WCCP works fine. If I move the clients to another DMZ then I can see the proxy sending GRE-encapsulated return traffic to the ASA, but the ASA is not sending that traffic to the client. Hope you understand the topology.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 39255522
Yes I understand your topology. Your clients and your proxy are on 2 different firewall interfaces since subinterfaces are treated like separate security zones.

So, your design is not supported by Cisco and you need to solve this in another way. Sorry.

regards
Kvistofta
0
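A quick way to catch this design problem before deploying is to check, from the ASA interface table, whether every redirected client shares an interface with the cache engine. The following is an added example written for this thread, not code from the poster, Cisco or Blue Coat; the subnet masks on the two subinterfaces are an assumption, since the question only gives host addresses.

```python
import ipaddress

# Constructed ASA subinterface table based on the addressing in the question.
# The /24 masks are an assumption; the thread shows only host addresses.
INTERFACES = {
    "gig0/1.100": ipaddress.ip_network("192.168.100.0/24"),  # client DMZ
    "gig0/1.200": ipaddress.ip_network("192.168.200.0/24"),  # proxy DMZ
}


def interface_for(addr, interfaces=INTERFACES):
    """Return the interface whose subnet contains addr (longest prefix wins), or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in interfaces.items():
        if ip in net and (best is None or net.prefixlen > interfaces[best].prefixlen):
            best = name
    return best


def check_wccp_placement(proxy_ip, client_ips, interfaces=INTERFACES):
    """Apply the ASA WCCP constraint from the accepted answer: every client whose
    traffic is redirected must sit on the same ASA interface as the cache engine
    (the Blue Coat proxy). Returns a list of (client_ip, client_interface) pairs
    that violate the rule; an empty list means the placement is supported."""
    proxy_if = interface_for(proxy_ip, interfaces)
    if proxy_if is None:
        raise ValueError(f"proxy {proxy_ip} is not on any configured interface")
    violations = []
    for client in client_ips:
        client_if = interface_for(client, interfaces)
        if client_if != proxy_if:
            violations.append((client, client_if))
    return violations


if __name__ == "__main__":
    # The topology from the question: proxy on gig0/1.200, client on gig0/1.100.
    bad = check_wccp_placement("192.168.200.100", ["192.168.100.100"])
    for ip, ifname in bad:
        print(f"unsupported: client {ip} on {ifname} is not on the proxy's interface")
```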
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39255525
0
