KB Article | Forcepoint Support

Notes & Warnings

Note When using WCCP direct to the ASA firewall, hotfixes are now available for versions 8.3-8.5 to enable the use of ARM Static Bypass for bypassing IP addresses:

Problem Description

WCCP redirection does not work when Websense Content Gateway (WCG) and client network are behind different interfaces of the redirecting ASA.

Resolution

Cisco ASA firewalls treat each interface as a separate security zone, and WCCP redirection is evaluated per interface, on ingress only. This imposes a limitation on where the cache engine (here, WCG) can sit relative to the clients whose traffic is being redirected.

From the Cisco documentation:
WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.

See Cisco's ASA 5500 Series Configuration Guide for further detail.

How the redirection loop happens:

When a site is bypassed in Web Content Gateway (ARM Static Bypass), the proxy forwards the client request toward the destination using the client's original source IP address rather than its own. The redirecting ASA sits between the proxy and the destination, so the retransmitted packet re-enters the ASA on the same interface as the original client request. To the ASA it is indistinguishable from a new client request: it matches the WCCP redirect criteria just as the original did, so the ASA redirects it back to the proxy, which bypasses it again. The result is a redirection loop and the request never reaches the destination.

For example, to confirm the loop:
  1. Log on to Web Content Gateway.
  2. Click Configure > Networking > ARM > Static Bypass.
  3. Add a Static Bypass rule with the test machine's IP address as the Source IP and no Destination.
  4. From the test machine, open a browser and attempt to navigate to a URL, for example http://theoldpurple.com/
  5. If the page cannot be reached, the request is caught in the redirection loop and ARM Static Bypass cannot be used in this topology.
Note Any form of source IP spoofing (ARM Static Bypass or the IP Spoofing feature itself) is not supported by the ASA at this time. In this topology, traffic from the WCG must bypass the ASA.
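The loop described above, as an added Python model (this is not Forcepoint or Cisco code): it reproduces the ASA's decision that WCCP redirection is evaluated only on the ingress of the configured interface and only for packets the redirect-list permits, then follows one client request through ASA, proxy and back. The interface name, the addresses, and the redirect-list contents (a deny for the proxy's own IP followed by a permit for client HTTP) are assumptions chosen for illustration, not taken from the article or from a specific WCCP sample configuration.

```python
"""Model of the WCCP redirection loop on a Cisco ASA.

Constructed for illustration only; this is not Forcepoint or Cisco code.
Assumed (hypothetical) topology:
  - clients on 10.1.1.0/24 and the WCG proxy at 10.1.1.5 both sit behind
    the ASA 'inside' interface
  - the ASA has 'wccp interface inside web-cache redirect in'
  - the redirect-list denies the proxy's own IP and permits client HTTP
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    ingress: str   # ASA interface the packet arrives on
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src_net: str                 # source network in CIDR form
    dport: Optional[int] = None  # destination port, None = any


PROXY_IP = "10.1.1.5"             # assumed WCG address
CLIENT_NET = "10.1.1.0/24"        # assumed client subnet
REDIRECT_INTERFACE = "inside"     # interface carrying 'web-cache redirect in'

# Assumed redirect-list, first match wins, implicit deny at the end. It stands
# in for ACEs of the form:
#   access-list wccp-redirect extended deny ip host 10.1.1.5 any
#   access-list wccp-redirect extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
REDIRECT_LIST: List[AclEntry] = [
    AclEntry("deny", "ip", PROXY_IP + "/32"),
    AclEntry("permit", "tcp", CLIENT_NET, 80),
]


def acl_matches(entry: AclEntry, pkt: Packet) -> bool:
    """True when an ACE matches the packet's protocol, source and port."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(entry.src_net):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def asa_redirects(pkt: Packet) -> bool:
    """ASA decision: WCCP is only evaluated on the ingress of the configured
    interface, and only packets the redirect-list permits go to the cache."""
    if pkt.ingress != REDIRECT_INTERFACE:
        return False
    for entry in REDIRECT_LIST:
        if acl_matches(entry, pkt):
            return entry.action == "permit"
    return False  # implicit deny


def proxy_forward(pkt: Packet, spoof_source: bool) -> Packet:
    """The WCG re-sends the redirected request toward the origin server.
    Normal proxying uses the proxy's own IP as source; ARM Static Bypass (and
    IP Spoofing) keep the client's original source IP. Either way the packet
    re-enters the ASA on the interface the proxy sits behind."""
    src = pkt.src if spoof_source else PROXY_IP
    return Packet(REDIRECT_INTERFACE, src, pkt.dst, pkt.proto, pkt.dport)


def trace(pkt: Packet, spoof_source: bool, max_hops: int = 5) -> Tuple[str, int]:
    """Follow a request through ASA -> proxy -> ASA ... until it leaves toward
    the Internet, or is bounced back to the proxy max_hops times (a loop).
    Returns (outcome, number of times the ASA redirected the request)."""
    hops = 0
    while hops < max_hops:
        if not asa_redirects(pkt):
            return ("forwarded_to_internet", hops)
        hops += 1
        pkt = proxy_forward(pkt, spoof_source)
    return ("redirect_loop", hops)


if __name__ == "__main__":
    client_req = Packet("inside", "10.1.1.42", "203.0.113.10", "tcp", 80)
    print("normal proxying  :", trace(client_req, spoof_source=False))
    print("ARM static bypass:", trace(client_req, spoof_source=True))
```

The normal proxied retransmission escapes because the redirect-list deny matches the proxy's own IP. The ARM Static Bypass retransmission carries the client's source address instead, matches the permit entry exactly as the original request did, and is handed back to the proxy on every pass. Excluding the proxy's IP from the redirect-list therefore does not help once the source is spoofed, which is why the article says such traffic must bypass the ASA.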

Review WCCP Sample Configuration for Cisco firewalls for additional information.




Keywords: wccp; wccp redirection; wccp limitation; cisco asa; firewall redirect; static bypass
