Redirection limitations for WCCP on Cisco ASA
- Article Number: 000002186
- Products: Forcepoint V10000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
- Last Published Date: July 10, 2020
Notes & Warnings
WCCP redirection does not work when Websense Content Gateway (WCG) and the client network are behind different interfaces of the redirecting ASA.
Cisco ASA firewalls treat each interface as a separate security zone, and this imposes specific limitations on how WCCP redirection can be performed.
From the Cisco documentation:
WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.
See Cisco's ASA 5500 Series Configuration Guide for further detail.
How the redirection loop happens:
When a site is bypassed in Web Content Gateway (for example by a static bypass rule), the proxy forwards the client request upstream with the client's original source IP address rather than its own. The redirecting ASA sits between the proxy and the destination, so it receives this retransmitted packet on the same ingress interface as the original request. Because the packet appears to come from the client and matches the redirect list, the ASA cannot tell it apart from a new client request and redirects it back to the proxy. The proxy bypasses it again, and the cycle repeats, creating a network loop.
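The following is an added illustration of the loop described above, not code from the article, from Forcepoint or from Cisco. It models only the parts of the ASA's WCCP decision that matter here: redirection happens on the ingress of one interface, packets matching the redirect list are sent to the cache engine, and packets sourced from a registered cache engine address are not redirected. The interface name, the 10.1.1.0/24 client network, the proxy address 10.1.1.50 and the destination 203.0.113.10 are constructed sample values.

```python
"""Model of the ASA WCCP ingress-redirect decision (illustrative, not vendor code).

Shows why a bypassed request that keeps the client's source IP is redirected
back to the proxy, while the same request sourced from the proxy's own IP
leaves for the internet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # ASA interface the packet arrives on


@dataclass(frozen=True)
class AsaWccp:
    """Minimal ASA model: redirect on ingress of one interface for packets that
    match the redirect list, unless they are sourced from a cache engine."""
    redirect_iface: str
    client_net: ipaddress.IPv4Network   # stands in for the redirect-list ACL
    cache_engines: frozenset            # stands in for the group-list
    redirect_port: int = 80

    def redirects(self, pkt: Packet) -> bool:
        if pkt.ingress != self.redirect_iface:
            return False  # redirection is ingress-only on the configured interface
        if pkt.src in self.cache_engines:
            return False  # the ASA's only way to recognise proxy-originated traffic
        return (ipaddress.ip_address(pkt.src) in self.client_net
                and pkt.dport == self.redirect_port)


def trace(asa: AsaWccp, client_ip: str, proxy_ip: str, dst_ip: str,
          preserve_client_ip: bool, max_hops: int = 4) -> list:
    """Walk one client request through the ASA and the proxy.

    The destination is assumed to be on the proxy's bypass list, so the proxy
    re-emits the request instead of proxying it. Returns the sequence of
    events; the last entry is either the packet leaving for the internet or
    a loop detected when the hop budget runs out.
    """
    events = []
    pkt = Packet(client_ip, dst_ip, asa.redirect_port, asa.redirect_iface)
    for _ in range(max_hops):
        if not asa.redirects(pkt):
            events.append("forwarded to internet")
            return events
        events.append(f"redirected to proxy {proxy_ip}")
        # Bypassed site: the proxy re-sends the request. With the client IP
        # preserved the ASA sees what looks like a fresh client request.
        src = client_ip if preserve_client_ip else proxy_ip
        pkt = Packet(src, dst_ip, asa.redirect_port, asa.redirect_iface)
    events.append("loop: hop budget exhausted")
    return events


# Constructed sample topology: client and proxy behind the same "inside" interface.
SAMPLE_ASA = AsaWccp(
    redirect_iface="inside",
    client_net=ipaddress.IPv4Network("10.1.1.0/24"),
    cache_engines=frozenset({"10.1.1.50"}),
)
CLIENT_IP, PROXY_IP, DEST_IP = "10.1.1.20", "10.1.1.50", "203.0.113.10"


def bypass_with_client_ip() -> list:
    """Proxy keeps the client's source address: the request never escapes."""
    return trace(SAMPLE_ASA, CLIENT_IP, PROXY_IP, DEST_IP, preserve_client_ip=True)


def bypass_with_proxy_ip() -> list:
    """Proxy uses its own address: the ASA recognises it and lets it through."""
    return trace(SAMPLE_ASA, CLIENT_IP, PROXY_IP, DEST_IP, preserve_client_ip=False)


if __name__ == "__main__":
    for name, fn in (("client IP preserved", bypass_with_client_ip),
                     ("proxy IP used", bypass_with_proxy_ip)):
        print(f"{name}:")
        for step, event in enumerate(fn(), 1):
            print(f"  hop {step}: {event}")
```

The model makes the failure mode explicit: the group-list source check is the only discriminator the ASA has, so once the proxy re-emits the request with the client's address there is nothing left for the redirect decision to key on, and the packet is sent to the proxy again on every pass.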
Review WCCP Sample Configuration for Cisco firewalls for additional information.
Keywords: wccp; wccp redirection; wccp limitation; cisco asa; firewall redirect; static bypass