Redirection limitations for WCCP on Cisco ASA
- Article Number: 000002186
- Products: Forcepoint V10000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
- Last Published Date: October 17, 2018
Notes & Warnings
Note: When using WCCP direct to the ASA firewall, hotfixes are now available for versions 8.3-8.5 that enable the use of ARM Static Bypass for bypassing IP addresses.
WCCP redirection does not work when Websense Content Gateway (WCG) and client network are behind different interfaces of the redirecting ASA.
Because Cisco firewalls treat each interface as a separate security zone, there are specific limitations on how WCCP redirection can be performed.
From the Cisco documentation:
WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.
See Cisco's ASA 5500 Series Configuration Guide for further detail.
How the Redirection Loop happens:
When a site is bypassed in Websense Content Gateway, the proxy forwards the client request with the original client source IP address preserved. The ASA firewall performing the redirection sits upstream of the proxy, so it receives the retransmitted frame from the proxy, matches it again as client traffic, and redirects it back to the proxy for processing, creating a network loop.
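To make the loop mechanics concrete, the following is an added, constructed Python model of the behaviour described above; it is not code from Forcepoint or Cisco and makes no claim about ASA or WCG internals. It assumes made-up addresses (a client, the WCG proxy and one bypassed destination), a simplified first-match redirect ACL, and that WCG re-sends a bypassed request unchanged with the client's source IP, as the article states. It shows why a redirect-list entry that denies the proxy's own address does not stop the loop (the ASA never sees the proxy's IP as the source), while excluding the bypassed destination from the redirect list does.

```python
"""Constructed model of the WCCP redirection loop on a Cisco ASA (added example)."""
from dataclasses import dataclass

# Constructed addresses for the example; not taken from the article.
CLIENT = "10.1.1.20"           # client behind the ASA "inside" interface
PROXY = "10.1.1.50"            # Websense Content Gateway (WCG)
BYPASSED_SITE = "203.0.113.10" # destination configured as bypassed in WCG
NORMAL_SITE = "198.51.100.5"   # destination that WCG proxies normally


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def _match(pattern: str, addr: str) -> bool:
    """Tiny ACL matcher: 'any' or an exact host address."""
    return pattern == "any" or pattern == addr


def asa_redirects(frame: Frame, redirect_list) -> bool:
    """First-match evaluation of a simplified WCCP redirect list.

    Entries are (action, src, dst). A 'permit' match means the ingress frame is
    redirected to the cache engine; 'deny' or no match means it is forwarded normally.
    """
    for action, src, dst in redirect_list:
        if _match(src, frame.src) and _match(dst, frame.dst):
            return action == "permit"
    return False  # implicit deny: not redirected


def wcg_forward(frame: Frame, bypass_list):
    """What WCG does with a redirected frame.

    For a bypassed destination it re-sends the original frame with the client's
    source IP intact (the behaviour the article describes), so the frame re-enters
    the ASA looking exactly like the original client request. Otherwise WCG
    proxies the request itself and no frame re-enters the redirecting interface.
    """
    if frame.dst in bypass_list:
        return frame
    return None


def trace(frame: Frame, redirect_list, bypass_list, max_redirects: int = 5):
    """Follow one client request through ASA and WCG.

    Returns (number_of_redirections, outcome) where outcome is 'forwarded'
    (left the ASA toward its destination), 'proxied' (handled by WCG) or 'loop'
    (redirection count hit max_redirects, i.e. the article's redirection loop).
    """
    redirections = 0
    while redirections < max_redirects:
        if not asa_redirects(frame, redirect_list):
            return redirections, "forwarded"
        redirections += 1
        frame = wcg_forward(frame, bypass_list)
        if frame is None:
            return redirections, "proxied"
    return redirections, "loop"


# Three candidate redirect lists (constructed):
REDIRECT_ALL = [("permit", "any", "any")]
# Denying the proxy's own source address looks sensible but is ineffective here,
# because the re-sent frame carries the client's IP, not the proxy's.
DENY_PROXY_SRC = [("deny", PROXY, "any"), ("permit", "any", "any")]
# Excluding the bypassed destination from redirection breaks the loop.
EXCLUDE_BYPASSED_DST = [("deny", "any", BYPASSED_SITE), ("permit", "any", "any")]

BYPASS = {BYPASSED_SITE}

if __name__ == "__main__":
    req = Frame(CLIENT, BYPASSED_SITE)
    print("redirect all:", trace(req, REDIRECT_ALL, BYPASS))
    print("deny proxy src:", trace(req, DENY_PROXY_SRC, BYPASS))
    print("exclude bypassed dst:", trace(req, EXCLUDE_BYPASSED_DST, BYPASS))
    print("normal site:", trace(Frame(CLIENT, NORMAL_SITE), REDIRECT_ALL, BYPASS))
```

The model only captures the decision the article describes: because the retransmitted frame is indistinguishable from the client's original request at the redirecting interface, any fix has to act on the destination (or on the topology, by keeping client and cache engine behind the same interface as Cisco requires), which is why the article points to the ARM Static Bypass hotfix rather than to a source-based redirect-list entry.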
Review WCCP Sample Configuration for Cisco firewalls for additional information.