Solved

WCCP on ASA & Bluecoat

Posted on 2013-06-17
4
1,176 Views
Last Modified: 2013-06-23
I am trying to use bluecoat proxy for web filtering. I have configured ASA with WCCP and wccp status is usable on both sides. ASA is redirecting the traffic to proxy. proxy client and bluecoat proxy are both in different DMZ zones but same physical interface.

gig0/1.100  192.168.100.100 Client IP
gig0/1.200  192.168.200.100 Proxy IP

appropriate access lists for client and proxy are configured.

proxy to client full ip access is open. I can see traffic reaching to bluecoat and bluecoat also sending returning traffic through GRE tunnel but somehow returning traffic is not reaching to client.

I captured traffic on ASA and i can see that ASA recieved GRE encapsulated returning traffic on gig0/1.200 but it is not passing to client on gig0/1.100.

Could you please help me to troubleshoot the problem.
0
Comment
Question by:Muhammad_Ashfaq
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39254464
There is a limitation with the WCCP implementation in the Cisco ASA. This limitation gives that your clients needs to be at the same firewall-leg as the WCCP-proxy. I cant see your topology out of your question but if the ASA is in the path between the clients and the Bluecoat, that is probably why it doesn´t work.

Best regards
Kvistofta
0
 

Author Comment

by:Muhammad_Ashfaq
ID: 39255355
Hi Kvistofta,

Clients and proxy are connected directly to ASA. ASA interface gig0/1 is divided into two logical interfaces gig0/1.100 and gig0/1.200. Both interfaces have different security level and categorize as two DMZ Zones. If i keep client and proxy in same DMZ then wccp works fine. If i move clients to another DMZ then i can see proxy is sending return traffic to ASA which is gre encapsulated but ASA not sending that traffic to client.  Hope you understand the topology.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 39255522
Yes I understand your topology. Your clients and your proxy are on 2 different firewall interfaces since subinterfaces are treated like separate security zones.

So, your design is not supported by Cisco and you need to solve this in another way. Sorry.

regards
Kvistofta
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 39255525
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many benefits to finding online courses that align with your personal or career goals. Read more about our reasons for continuing your education in technology.
OnPage brings Secure Critical Messaging to Telemedicine.
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question