Transparent mode with WCCP v2

Hi all.
I configured my Content Engine 7305 with this configuration:
CE(config)# wccp version 2
CE(config)# wccp router-list 1 10.10.10.1
CE(config)# wccp web-cache router-list-num 1
And with router:
Router(config)# ip wccp web-cache
Router(config)# interface Serial0
Router(config-if)# ip wccp web-cache redirect out
Address Router: 10.10.10.1/24
Address CE: 10.10.10.2/24
Client1 connect internet with url: http://www.vnexpress.net
Client2 connect the same URL many times.
But when I use: sho statistic http saving
The hits are few. (1 hit)
The misses are a lot. (49 miss)
So I don't understand whether the Content Engine is working properly or not.
Help me, please
Thanks

You should check to see if your CE and router see each other.
CE "show wccp routers" - you should see the ID of your router you have configured.
Router "show ip wccp web-cache view"
If that doesn't work you can turn on debug
"debug ip wccp packets" and see the request/response sequence
.Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
.Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845
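
An added example (not part of the original thread): a small script that reads `debug ip wccp packets` output in the format of the two lines quoted above and lists caches whose Here_I_Am was never answered with an I_See_You. The address 10.1.1.2 and every log line beyond the two quoted ones are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones quoted in the reply,
# the rest (including cache 10.1.1.2) are made up for this example.
SAMPLE_DEBUG = """\
.Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
.Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845
.Jun 16 17:46:31: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.2 w/rcv_id 00000000
.Jun 16 17:46:36: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000845
.Jun 16 17:46:36: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000846
.Jun 16 17:46:41: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.2 w/rcv_id 00000000
"""

# Matches both directions; tolerates "w/rcv_id" and "w/ rcv_id" as seen in the log.
LINE_RE = re.compile(
    r"WCCP-PKT:\S+\s+(?:Received valid|Sending)\s+"
    r"(?P<kind>Here_I_Am|I_See_You) packet (?:from|to) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+w/\s*rcv_id\s+(?P<rcv>[0-9A-Fa-f]{8})"
)


def parse_wccp_debug(text):
    """Return a list of (kind, cache_ip, rcv_id) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["kind"], m["ip"], int(m["rcv"], 16)))
    return events


def summarize(events):
    """Count Here_I_Am / I_See_You per cache and keep the last rcv_id the router sent."""
    stats = defaultdict(lambda: {"here_i_am": 0, "i_see_you": 0, "last_rcv_id": None})
    for kind, ip, rcv in events:
        entry = stats[ip]
        if kind == "Here_I_Am":
            entry["here_i_am"] += 1
        else:
            entry["i_see_you"] += 1
            entry["last_rcv_id"] = rcv
    return dict(stats)


def unanswered(stats):
    """Caches that announced themselves but never got an I_See_You back."""
    return sorted(ip for ip, s in stats.items() if s["here_i_am"] and not s["i_see_you"])


if __name__ == "__main__":
    stats = summarize(parse_wccp_debug(SAMPLE_DEBUG))
    for ip, s in sorted(stats.items()):
        print(ip, s)
    print("No I_See_You sent to:", unanswered(stats))
```

A cache that shows up in the unanswered list is sending Here_I_Am but is not being acknowledged by the router, which is the case where the two `show` commands above are worth comparing.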

Similar Messages

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers) but I don't have a WCCP router. So, is it possible?
    If yes, how to do this?
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by access list to WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to assure that proxy is listening on the port 80 and that HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well. 
    Sample configuration for Cisco router
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
    match ip address 110
    set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
    ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in such case and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
    Routers other than Cisco equipment should also have an option to configure policy based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.

  • Transparent Mode using WCCP v2

    Dear All,
    Greetings. Please correct me if I am wrong. Does when to use GRE and when to use L2 redirection depend on the router/switch?
    What are the parameters to be configured in Transparent Redirection 'Load-Balancing Method' and 'Forwarding Method' when using GRE?
    Please help me to understand more on GRE and L2 redirection when in transparent mode, and configuration in S-Series.
    Many Thanks,
    ezekiel

    Ezekiel,
    L2 is the preferred method when possible, since GRE adds an extra 28 bytes of overhead. For L2 to be possible, the WSA must be directly connected to the router / WCCP device.
    If the WSA is more than 1 hop away, GRE MUST be used.
    The major difference between Hashing and Masking is that if Masking is supported, the router / switch will consume less CPU building the load balancing tables.
    It's recommended that you set the WSA to use "Hashing or Masking". The WSA will then negotiate with the WCCP router which to use. If your router supports both, Masking is preferred.
    Hope this helps.

    Please help regarding WCCP v2.
    My company had 2 routers & 2 WSA. Each WSA is directly connected to the each router.
    Can I use both WCCP L2 & GRE? If possible, can give some examples?

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder if the communications between multiple contexts could be OK?
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, There is no problem to setup AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."
    And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I however consider is if the ASA 5510s as second-tier firewalls for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • ASA transparent mode with secondary IP on the router

    Hi
    I have
    Router --- ASA (Transparent)----Switch
    and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
    so there is plenty of room in terms of LAN IP range.
    Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
    hope I do not have to change anything on the ASA.
    Thanks

    ASA in transparent mode works as an L2 device
    so whatever IPs u use doesn't matter
    u don't need to change anything in the ASA while it is in transparent mode
    but be careful of what is allowed to be passed through the firewall
    u can control it by ACLs
    the router and the switch u have will operate in L3 as if they are connected directly, with nothing between them from a routing and layer three perspective
    so they should be in the same subnet, VLAN and so on
    good luck
    please, if helpful rate

  • Firewall Transparent Mode with IPS

      Dear All,
    I have network setup shown below
    Router --- Firewall Transparent Mode --- cisco layer 3 switch
    I am planning to implement ips. Which is the right place to put the IPS
    IPS is separate hardware. Let me know on which mode IPS has to be enabled? Rgds - pramod

    Hello,
    If you have separate IPS hardware, then place the IPS in between the router and the firewall.
    You can use the IPS in inline and promiscuous mode.
    In inline mode all traffic will pass through the IPS first, then after inspection will move to the firewall.
    And if you are using the IPS in promiscuous mode, then a copy of the traffic will be sent to the IPS and after that inspection will be done.
    Thanks.

  • Config transparent Proxy with LDAP authen with L4 switch?

    How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
    Async OS: 5.1.0-420
    Thank you,
    Thanapol

    Ezekiel,
    I wanted to add some clarification to your comments:
    1) Network TAP connected to T1/T2.
    This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
    2) L4 switch connected to P1.
    This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to the gateway to the T1 interface.
    The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
    3) WCCP v2 connected to P1.
    WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
    L4TM information
    The L4TM can be thought of as a completely separate appliance that operates primarily via the t1 / t2 interfaces.
    The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
    If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
    The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface.

  • ASA5510 - LACP in Transparent Mode

    Hello all,
    I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
    My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
    I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
    |-----------|      |---------|
    | Switch 1  |------|         |
    |-----------|      | ASA5510 |         |----------|
         | |           | (transp |---------|  Router  |
    |-----------|      |  mode)  |         |----------|
    | Switch 2  |------|         |
    |-----------|      |---------|

    Configuring Cisco ASA Service Appliance in Transparent Mode with vPC
    Since Release 8.4, Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation Control Protocol (LACP). ASA port-channel contains up to eight active member ports. Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual ports bundling i.e. not using dynamic port-channeling control protocol). ASA can be configured in transparent or routed mode. Both modes are supported when integrating ASA with Cisco Nexus 7000 Series vPC.
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
    Page 87-88

  • Cisco 2960S Configured in Transparent mode

    I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

    If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
    I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
    What do you get when you do a "sh mac-address interface <PRINTER port>"?

  • FWSM in Transparent mode help

    Hi all,
    i am actually designing for a new solution based on 6509 Switch with FWSM module, here is what i have :
    FWSM will be used in Transparent mode with two bridge groups: 1, 2 as mentioned on the image. I wonder if this is a correct design or not; will this work with no problem with these two trunk links?
    i've seen on the guidelines of this url :
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
    "The transparent FWSM uses an inside interface and an outside interface only. "
    is it applicable in my case,
    any other information will be welcome.
    Thanks for help

    Hi,this is sample configuration.
    6509A:
    vlan 256
    name FWoutside
    int vlan 256
    ip addr 98.1.1.252 255.255.255.0
    6509B:
    vlan 255
    name FWinside
    int vlan 255
    ip addr 98.1.1.251 255.255.255.0
    firewall module 3 vlan-group 16,32
    firewall vlan-group 16 255
    firewall vlan-group 32 256
    FW:
    firewall transparent
    nameif vlan256 outside security0
    nameif vlan255 inside security100
    access-list ACL_IN extended permit ip any any
    access-group ACL_IN in interface outside
    access-group ACL_IN in interface inside
    6509B:
    6509B#ping 98.1.1.252
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
    6509B#

  • ASA 8.4 transparent mode active/active questions

    Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
    1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
    2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
    3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
    Thanks for your replies

    Hello,
    1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
    You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
    2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
    You can configure up to 8 bridge groups per context to achieve this.
    3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
    Active/Active failover is only possible in multiple context mode.
    Hope that helps.
    -Mike

  • VRF issue with Firewall in transparent Mode.

    Hi Guys,
    I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
    I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
    My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

    I have taken following output from Firewall will this be any help?
    sh interface ouTSIDE
    Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
      Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            MAC address 7c69.f68f.df78, MTU 1500
            IP address 175.4.8.35, subnet mask 255.255.255.248
            8435 packets input, 680680 bytes, 0 no buffer
            Received 8135 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            8138 L2 decode drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 1 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops
            input queue (blocks free curr/low): hardware (476/461)
            output queue (blocks free curr/low): hardware (511/511)
      Traffic Statistics for "OUTSIDE":
            297 packets input, 118503 bytes
            0 packets output, 0 bytes
            297 packets dropped
          1 minute input rate 0 pkts/sec,  13 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ciscoasa# show asp drop
    Frame drop:
      FP L2 rule drop (l2_acl)                                                   297
    ASA Version 9.0(1)
    firewall transparent
    ciscoasa# show module all
    Mod Card Type                                    Model              Serial No.
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
    ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    ciscoasa#
    I have created an EtherType ACL and permitted any traffic.
    cdp traffic has passed through but I am still not able to ping :(

  • INPUT textfield does not show non-English letters with transparent mode

    INPUT textfield does not show non-English letters when I
    type, if transparent mode is turned on.
    Is this a bug of Flash Player 9?
    Will this bug be fixed?

    I just tested Firefox and Chrome on linux, it doesn't work either, but I get different weird chars: éèça
    However, on both mac and linux, if i copy the chars and paste them in the input field, it passes.

  • Squid array in transparent mode

    Hello Netpros,
    I know the CSS is perhaps a little bit out of date, but there's still a lot of boxes running out there in the field.
    Is there a way (L2 or L3) to manage load balancing between web clients with no proxy configured and an array of squid servers configured in transparent mode.
    There are no SCAs and WCCP is not available on the squids
    Thank you for your cooperation
    Andrea

    You can operate in bridged mode which will separate the client from their gateway at a layer 2 level. Create a vip that matches all traffic (0.0.0.0 for tcp/udp or both) and point them to the squid proxies as a transparent service.
    service Squid1
      ip address 172.16.35.11
      type transparent-cache
      active
    owner L2Caches
      content L2
        vip address 0.0.0.0
        add service Squid1
        protocol tcp
        active
    Regards,
    Chris Higgins
