What features of Cisco ASA are supported with WCCP

Article ID: 167239

Products

ProxySG Software - SGOS

Issue/Introduction

You want to know which WCCP features the Cisco ASA supports when used with the ProxySG.

Resolution

The Cisco ASA is commonly used to replace PIX firewalls in networks, so it is important to understand its WCCP support, which is similar to that of the PIX. A brief review follows.

The following WCCPv2 features are supported with the ProxySG:

  • Redirection of traffic destined for multiple TCP/UDP ports.
  • Authentication for cache engines in a service group.
  • Multiple proxies in a service group.

The following WCCPv2 features are not supported with the ProxySG:

  • Multiple routers in a service group.
  • Multicast WCCP.
  • The Layer 2 (L2) redirect method; only GRE encapsulation is supported.
  • WCCP source address spoofing.

Installation caveats:

  • Use an access-list to exclude the IP addresses of proxies from being redirected by WCCP.
  • Proxies cannot support spoofing of client IPs (reflect client IP) with basic WCCP configurations. For instructions on the additional configuration needed to support it, see the WCCP Reference Guide.
  • Disable Return-to-sender inbound via the ProxySG CLI. This ensures that response packets are sent to the client rather than to the ASA. See 000014580 for more information on Return To Sender, or the Command Line Interface guide for the version of SGOS you're running, available at https://support.symantec.com/en_US/Documentation.html.
  • In the ProxySG WCCP configuration, set affinity to 'server', as 'client' mode will cause the ProxySG appliance to drop WCCP redirected packets from the ASA.

Limitation

If traffic from users arrives on fa1/1 on the ASA and WCCP redirection is running on the fa1/1 interface, that WCCP process can only redirect to a ProxySG that is behind that same fa1/1 interface. You can work around this by connecting multiple interfaces on the ProxySG and running separate WCCP processes.
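
The ASA side of the access-list caveat, service-group authentication and the interface limitation above, as an added example that is not part of the original article. The addresses (clients in 192.0.2.0/24, ProxySG at 192.0.2.10), the ACL names, the interface name `inside` and the `<shared-secret>` placeholder are assumptions.

```cisco
! Constructed example: all names, addresses and the secret are placeholders.
!
! Service-group membership: only the listed ProxySG may join the group.
access-list WCCP-PROXIES extended permit ip host 192.0.2.10 any
!
! Redirect list: the deny for the proxy must come before the permit,
! otherwise the proxy's own outbound requests are redirected back to it.
access-list WCCP-REDIRECT extended deny ip host 192.0.2.10 any
access-list WCCP-REDIRECT extended permit ip 192.0.2.0 255.255.255.0 any
!
! Standard web-cache service with service-group authentication.
! The password must match the one configured on the ProxySG; a dynamic
! service number can be used here in place of "web-cache".
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-PROXIES password <shared-secret>
!
! Redirect inbound on the interface where client traffic arrives.
! The ProxySG has to be reachable behind this same interface.
wccp interface inside web-cache redirect in
!
! Check that the ProxySG has registered with the service group:
! show wccp web-cache detail
```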