The Cisco ASA commonly replaces PIX firewalls in networks, so it is important to understand its WCCP support, which is similar to that of the PIX. Below is a brief review:
The following WCCPv2 features are supported with the ProxySG:
- Redirection of multiple TCP/UDP port-destined traffic.
- Authentication for cache engines in a service group.
- Multiple proxies in a service group are still supported.
The following WCCPv2 features are not supported with the ProxySG:
- Multiple routers in a service group are not supported.
- Multicast WCCP is not supported.
- The Layer2 (L2) redirect method is not supported; only GRE encapsulation is supported.
- WCCP source address spoofing.
- Use an access-list to exclude the IP addresses of proxies from being redirected by WCCP.
- Proxies cannot support spoofing of client IPs (reflect client IP) with basic WCCP configurations (for instructions on the additional configuration needed to support it, see the WCCP Reference Guide).
- Disable Return-to-sender inbound via the ProxySG CLI. This ensures that response packets are sent to the client, rather than to the ASA. See 000014580 for more information on Return To Sender, or the Command Line Interface guide for the version of SGOS you're running, available at https://support.symantec.com/en_US/Documentation.html.
- In the ProxySG WCCP configuration, set affinity to 'server', as 'client' mode will cause the ProxySG appliance to drop WCCP-redirected packets from the ASA.
If the traffic from users is hitting fa1/1 on the ASA, and the WCCP redirection is running on the fa1/1 interface, then that WCCP process can only redirect to an SG that is behind that fa1/1 interface. You can get around this issue by connecting multiple interfaces on the ProxySG and running separate WCCP processes.
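The ASA side of the points above (proxy exclusion by access-list, cache-engine authentication, and redirection on the interface that both the clients and the ProxySG sit behind) can be sketched as follows. This is an added example, not configuration from the original article. The interface name `inside`, the ACL names, the 192.0.2.0/24 addressing and the password placeholder are all assumptions.

```cisco
! Constructed example: ProxySG at 192.0.2.10, clients in 192.0.2.0/24,
! both reachable through the ASA interface named "inside" (assumed nameif).

! Only this host may join the WCCP service group as a cache engine.
access-list WCCP-PROXIES extended permit ip host 192.0.2.10 any

! Traffic eligible for redirection. The deny entry comes first so that
! requests originated by the ProxySG itself are never redirected back to it.
access-list WCCP-TRAFFIC extended deny ip host 192.0.2.10 any
access-list WCCP-TRAFFIC extended permit tcp 192.0.2.0 255.255.255.0 any eq www

! Define the service group. The password must match the one configured
! on the ProxySG, so an unauthenticated host cannot register as a cache.
wccp web-cache redirect-list WCCP-TRAFFIC group-list WCCP-PROXIES password <shared-secret>

! Redirect inbound traffic on the interface where the clients arrive.
! The ProxySG must be behind this same interface.
wccp interface inside web-cache redirect in

! Verification from the ASA CLI:
! show wccp
```

The `group-list` and `password` options together limit which devices can receive redirected client traffic, so use both rather than relying on the redirect ACL alone.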