Configure WCCP redirection to Squid on Cisco ASA

To configure WCCP redirection, open the administrator console on the Cisco ASA and perform the following configuration steps.

Configure Squids participating in WCCP

To configure the list of proxies that participate in WCCP redirection, use the following commands. Here we assume that there is one proxy in the network. However, it is possible to have any number of proxies; the router will distribute the load among all of them, providing high availability and scaling.

!
! squid servers (object group and access list)
!
object-group network wccp-servers-group
  description Squid servers for WCCP
  network-object host 192.168.6.15

access-list wccp-servers extended permit ip object-group wccp-servers-group any

Hosts excluded from and included in WCCP

It is possible to exclude some hosts from being redirected. The following commands show how to configure this. Here the host 192.168.6.100 is excluded from WCCP. All other hosts in subnet 192.168.6.0/24 are included in WCCP redirection.

!
! hosts excluded from WCCP
!
object-group network wccp-exclude-group
  description hosts excluded from WCCP
  network-object host 192.168.6.100

!
! hosts included into WCCP
!
object-group network wccp-traffic-group
  description hosts included into WCCP
  network-object 192.168.6.0 255.255.255.0

Configure WCCP access list

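The list of proxies configured above and the excluded and included hosts are then referenced from the access list wccp-traffic as follows. The deny entries exempt the proxy server and the excluded hosts from WCCP redirection, and the permit entry forces traffic from all other hosts in the included subnet to be WCCP redirected. Entries are evaluated in order and the first match wins, so the deny entries must come before the permit entry.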

!
! access list to include/exclude traffic for WCCP
!
access-list wccp-traffic extended deny ip object-group wccp-servers-group any
access-list wccp-traffic extended deny ip object-group wccp-exclude-group any
access-list wccp-traffic extended permit ip object-group wccp-traffic-group any
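
The following Python check is an added example, not part of the original page or of Cisco or Squid tooling. It parses the object groups and the wccp-traffic access list shown above and reports, for a given source address, which entry matches first and whether the traffic would be redirected. It assumes only the syntax used on this page (host and address/netmask network-objects, object-group sources, destination any) and the implicit deny at the end of an access list; the function names are hypothetical.

```python
import ipaddress

# Object groups and wccp-traffic ACL copied from the page (descriptions omitted).
CONFIG = """
object-group network wccp-servers-group
  network-object host 192.168.6.15
object-group network wccp-exclude-group
  network-object host 192.168.6.100
object-group network wccp-traffic-group
  network-object 192.168.6.0 255.255.255.0
access-list wccp-traffic extended deny ip object-group wccp-servers-group any
access-list wccp-traffic extended deny ip object-group wccp-exclude-group any
access-list wccp-traffic extended permit ip object-group wccp-traffic-group any
"""

def parse(config):
    """Return (groups, acls) for the subset of ASA syntax used on this page."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "description"):
            continue
        if tok[:2] == ["object-group", "network"] and len(tok) == 3:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and len(tok) == 3 and current is not None:
            # "host A" is a single address; "A M" is an address plus netmask.
            spec = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(spec))
        elif (len(tok) == 8 and tok[0] == "access-list" and tok[2] == "extended"
              and tok[3] in ("permit", "deny")
              and tok[4:6] == ["ip", "object-group"] and tok[7] == "any"):
            acls.setdefault(tok[1], []).append((tok[3], tok[6]))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return groups, acls

def decision(src, acl_name, groups, acls):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, group in acls[acl_name]:
        if any(addr in net for net in groups[group]):
            return action, group
    return "deny", "implicit"

def redirected(src, config=CONFIG):
    """True if traffic from src is permitted by wccp-traffic, i.e. redirected."""
    groups, acls = parse(config)
    return decision(src, "wccp-traffic", groups, acls)[0] == "permit"

if __name__ == "__main__":
    groups, acls = parse(CONFIG)
    for src in ("192.168.6.15", "192.168.6.100", "192.168.6.42", "10.0.0.5"):  # constructed samples
        print(src, *decision(src, "wccp-traffic", groups, acls))
```

Running the same check against a copy of the configuration in which the permit entry comes first shows the proxy's own address being redirected, which is the ordering mistake to look for when reviewing changes to this access list.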

Enable WCCP redirection

Finally, enable and activate WCCP redirection for HTTP and HTTPS traffic. Note how the previously defined wccp-servers and wccp-traffic access lists are referenced from the configuration commands.

!
! enable WCCP redirection for HTTP and HTTPS traffic
!
wccp web-cache redirect-list wccp-traffic group-list wccp-servers password cisco
wccp 70 redirect-list wccp-traffic group-list wccp-servers password cisco

!
! and activate it on the inside interface
!
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

Danger

Note that inside in the activation command above is the name of the virtual interface on the Cisco ASA (default vlan1). If you set up WCCP redirection for another virtual interface, put the correct name here!

Disable WCCP redirection

If you ever need to temporarily disable WCCP redirection, run the following commands in the Cisco ASA admin console.

no wccp interface inside web-cache redirect in
no wccp interface inside 70 redirect in

Check status of WCCP redirection

After WCCP redirection is enabled and activated in the Web Safety UI, the proxy will register itself with the Cisco ASA. Registration is usually done/refreshed every 10 seconds. The following command on the Cisco ASA shows the status of WCCP registration and redirection.

show wccp

The output will look something like the following screenshot.

[Screenshot: show wccp output after WCCP is activated (activated_wccp.png)]

Danger

Note the Cisco Router ID shown in red in the screenshot. This Router ID will be needed in the following step when configuring the GRE redirection tunnel on the proxy box.