Solved

WCCP on ASA & Bluecoat

Posted on 2013-06-17
Last Modified: 2013-06-23
I am trying to use a Bluecoat proxy for web filtering. I have configured the ASA with WCCP, and the WCCP status is usable on both sides. The ASA is redirecting the traffic to the proxy. The proxy client and the Bluecoat proxy are in different DMZ zones but on the same physical interface.

gig0/1.100  192.168.100.100 Client IP
gig0/1.200  192.168.200.100 Proxy IP

Appropriate access lists for the client and the proxy are configured.

Proxy-to-client full IP access is open. I can see traffic reaching the Bluecoat, and the Bluecoat is also sending return traffic through the GRE tunnel, but somehow the return traffic is not reaching the client.

I captured traffic on the ASA and I can see that the ASA received the GRE-encapsulated return traffic on gig0/1.200, but it is not passing it to the client on gig0/1.100.

Could you please help me to troubleshoot the problem.
Question by:Muhammad_Ashfaq
4 Comments

Expert Comment

by:Kvistofta
There is a limitation in the WCCP implementation in the Cisco ASA. This limitation means that your clients need to be on the same firewall leg as the WCCP proxy. I can't see your topology from your question, but if the ASA is in the path between the clients and the Bluecoat, that is probably why it doesn't work.

Best regards
Kvistofta

Author Comment

by:Muhammad_Ashfaq
Hi Kvistofta,

Clients and proxy are connected directly to the ASA. ASA interface gig0/1 is divided into two logical interfaces, gig0/1.100 and gig0/1.200. Both interfaces have different security levels and are categorized as two DMZ zones. If I keep the client and proxy in the same DMZ, then WCCP works fine. If I move the clients to another DMZ, then I can see the proxy sending return traffic to the ASA, which is GRE encapsulated, but the ASA is not sending that traffic to the client. Hope you understand the topology.

Accepted Solution

by: Kvistofta (earned 500 total points)
Yes, I understand your topology. Your clients and your proxy are on two different firewall interfaces, since subinterfaces are treated as separate security zones.

So, your design is not supported by Cisco and you need to solve this in another way. Sorry.

regards
Kvistofta
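The constraint the accepted answer describes (on the ASA, the WCCP cache engine must sit on the same interface where `redirect in` is enabled) can be audited mechanically from the running config. The script below is an added example written for this thread, not code from the original post or from Cisco. It parses two constructed ASA config snippets modelled on the asker's addressing: the unsupported layout (redirection on the client subinterface, proxy on a different subinterface) and the same config with the proxy re-addressed onto the client leg. The interface names (dmz-client, dmz-proxy), ACL names (wccp-clients, wccp-proxies) and the ASA's own subinterface addresses (.1) are assumptions; the check also assumes the cache engines are listed as `host` entries in the WCCP group-list ACL.

```python
"""Audit a Cisco ASA config for the WCCP same-interface constraint.

Added example for this thread, not code from the original post or from
Cisco. Interface names (dmz-client, dmz-proxy), ACL names (wccp-clients,
wccp-proxies) and the ASA's own .1 addresses are assumptions; client and
proxy addressing follows the asker's description.
"""
import ipaddress
import re

# Constructed config reproducing the asker's unsupported layout: redirection is
# enabled on dmz-client while the cache engine (proxy) sits on dmz-proxy.
BROKEN_CONFIG = """\
interface GigabitEthernet0/1.100
 vlan 100
 nameif dmz-client
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif dmz-proxy
 security-level 40
 ip address 192.168.200.1 255.255.255.0
!
access-list wccp-proxies extended permit ip host 192.168.200.100 any
access-list wccp-clients extended permit tcp 192.168.100.0 255.255.255.0 any eq www
wccp web-cache redirect-list wccp-clients group-list wccp-proxies
wccp interface dmz-client web-cache redirect in
"""

# Supported variant: the proxy is re-addressed onto the client leg (assumed 192.168.100.200).
FIXED_CONFIG = BROKEN_CONFIG.replace("host 192.168.200.100", "host 192.168.100.200")


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for each interface stanza with nameif and ip address."""
    nets = {}
    name = addr = None
    for line in config.splitlines():
        if re.match(r"^interface\s", line):
            name = addr = None  # new stanza, forget the previous interface's state
        elif line.startswith(" "):
            m = re.match(r"\s+nameif\s+(\S+)", line)
            if m:
                name = m.group(1)
            m = re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)
            if m:
                # ip_network accepts dotted netmasks; strict=False tolerates host bits
                addr = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if name and addr:
                nets[name] = addr
    return nets


def parse_acl_hosts(config, acl_name):
    """Return the 'host' source addresses of an extended ACL (the WCCP group-list lists cache engines)."""
    pat = re.compile(
        rf"^access-list\s+{re.escape(acl_name)}\s+extended\s+permit\s+\S+\s+host\s+(\S+)"
    )
    return [ipaddress.ip_address(m.group(1)) for m in map(pat.match, config.splitlines()) if m]


def check_wccp(config):
    """Return (interface, proxy, ok) per redirect interface and cache engine.

    ok is True only when the cache engine address falls inside the subnet of the
    interface on which 'wccp interface ... redirect in' is configured.
    """
    nets = parse_interfaces(config)
    m = re.search(
        r"^wccp\s+(web-cache|\d+)(?:\s+redirect-list\s+(\S+))?(?:\s+group-list\s+(\S+))?",
        config, re.M,
    )
    if not m or not m.group(3):
        return []  # no group-list: cannot tell where the cache engines live
    proxies = parse_acl_hosts(config, m.group(3))
    results = []
    for ifc, _service in re.findall(r"^wccp interface (\S+) (web-cache|\d+) redirect in", config, re.M):
        net = nets.get(ifc)
        for proxy in proxies:
            results.append((ifc, str(proxy), net is not None and proxy in net))
    return results


if __name__ == "__main__":
    for label, cfg in (("asker's layout", BROKEN_CONFIG), ("proxy on client leg", FIXED_CONFIG)):
        for ifc, proxy, ok in check_wccp(cfg):
            verdict = "ok" if ok else "UNSUPPORTED: cache engine not on redirect interface"
            print(f"{label}: redirect on {ifc}, cache engine {proxy}: {verdict}")
```

Run it against a saved `show running-config`; any line reported as unsupported is the situation in this thread, and the fix is the one the answer implies: put the cache engine on the interface where redirection is enabled, not on a different subinterface of the same physical port.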
