Solved

WCCP on ASA & Bluecoat

Posted on 2013-06-17
Last Modified: 2013-06-23
I am trying to use a Bluecoat proxy for web filtering. I have configured the ASA with WCCP, and the WCCP status is usable on both sides. The ASA is redirecting the traffic to the proxy. The proxy client and the Bluecoat proxy are in different DMZ zones but on the same physical interface.

gig0/1.100  192.168.100.100 Client IP
gig0/1.200  192.168.200.100 Proxy IP

Appropriate access lists for the client and proxy are configured.

Proxy-to-client full IP access is open. I can see traffic reaching the Bluecoat, and the Bluecoat is also sending return traffic through the GRE tunnel, but somehow the return traffic is not reaching the client.

I captured traffic on the ASA and I can see that the ASA received the GRE-encapsulated return traffic on gig0/1.200, but it is not passing it to the client on gig0/1.100.

Could you please help me troubleshoot the problem?
Question by:Muhammad_Ashfaq
4 Comments
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 39254464
There is a limitation with the WCCP implementation in the Cisco ASA. This limitation means that your clients need to be on the same firewall leg as the WCCP proxy. I can't see your topology from your question, but if the ASA is in the path between the clients and the Bluecoat, that is probably why it doesn't work.

Best regards
Kvistofta
 

Author Comment

by:Muhammad_Ashfaq
ID: 39255355
Hi Kvistofta,

Clients and proxy are connected directly to the ASA. ASA interface gig0/1 is divided into two logical interfaces, gig0/1.100 and gig0/1.200. Both interfaces have different security levels and are categorized as two DMZ zones. If I keep the client and proxy in the same DMZ then WCCP works fine. If I move the clients to another DMZ then I can see the proxy is sending return traffic to the ASA, which is GRE-encapsulated, but the ASA is not sending that traffic to the client. Hope you understand the topology.
 
LVL 17

Accepted Solution

by:Jimmy Larsson, CISSP, CEH (earned 2000 total points)
ID: 39255522
Yes, I understand your topology. Your clients and your proxy are on 2 different firewall interfaces, since subinterfaces are treated as separate security zones.

So, your design is not supported by Cisco and you need to solve this in another way. Sorry.

regards
Kvistofta
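The supported layout the accepted answer points to, clients and the Bluecoat on one and the same ASA interface, written out as an added ASA WCCP configuration example that is not from the original thread. The nameif `dmz-proxy`, the ACL names, the interface address and the password placeholder are assumptions; the proxy address is the one from the question, and the clients are assumed to have been moved into the proxy's 192.168.200.0/24 subnet.

```cisco
! Added example: clients and the WCCP cache engine on ONE ASA interface.
! Subinterface gig0/1.200 carries both the clients (192.168.200.0/24) and
! the Bluecoat (192.168.200.100). nameif, ACL names and address are assumed.
interface GigabitEthernet0/1.200
 vlan 200
 nameif dmz-proxy
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
! Only the Bluecoat may register in the service group, so an unexpected
! host on the segment cannot join and receive redirected client traffic.
access-list WCCP-GROUP extended permit ip host 192.168.200.100 any
!
! Redirect only client HTTP. Traffic sourced by the proxy itself is
! explicitly excluded so it is never redirected back to the cache engine.
access-list WCCP-REDIRECT extended deny ip host 192.168.200.100 any
access-list WCCP-REDIRECT extended permit tcp 192.168.200.0 255.255.255.0 any eq www
!
! Service group "web-cache" with the group and redirect lists; the password
! (placeholder here) must match the one configured on the Bluecoat.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-GROUP password WCCP-PASSWORD-PLACEHOLDER
!
! Redirection is applied inbound on the interface shared by clients and proxy.
wccp interface dmz-proxy web-cache redirect in
!
! Verification from the ASA prompt:
!   show wccp web-cache detail   -> the cache engine should be listed as Usable
!   show wccp interfaces         -> dmz-proxy should show "redirect in"
```

If the clients are left on gig0/1.100, none of this changes the outcome: redirection on one interface with the cache engine on another is the unsupported case the answer describes.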
 