Transparent TCP Proxy

Has anyone used a transparent TCP Proxy solution as a performance enhancement tool (via caching or buffering)?
Does Cisco have anything? WAAS looks the closest, but it is more like a point-to-point solution (WAN acceleration). I am looking for something like a PROXY (a device in the middle).
Thanks

Hello Tivig,
Look for WCCPv2; it allows one or more routers to redirect traffic to a group of web caches.
It is also supported on multilayer switches, and it is not limited to web traffic.
see
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/wccp.html
Hope to help
Giuseppe
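A minimal transparent TCP proxy of the kind asked about in this thread (a device in the middle that relays connections and collects per-destination stats), and in the "Transparent local proxy on PC" question further down; this is an added example, not code from any of the posts. It assumes Linux, where an iptables REDIRECT rule (assumed, shown in a comment) steers traffic to the proxy and the kernel exposes the original destination through the SO_ORIGINAL_DST socket option; the loopback self-test injects a resolver instead, because no such rule exists there.

```python
import asyncio
import socket
import struct
from dataclasses import dataclass, field

# Linux netfilter option (linux/netfilter_ipv4.h): the kernel returns the original
# target of a connection that an iptables REDIRECT/DNAT rule steered to this proxy.
SO_ORIGINAL_DST = 80

def parse_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode sockaddr_in: 2-byte family, 2-byte port (network order), 4-byte IPv4."""
    port, addr = struct.unpack_from("!H4s", raw, 2)
    return socket.inet_ntoa(addr), port

def original_destination(sock) -> tuple[str, int]:
    return parse_original_dst(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

@dataclass
class Stats:
    connections: int = 0
    bytes_up: int = 0     # client -> origin
    bytes_down: int = 0   # origin -> client
    destinations: dict = field(default_factory=dict)   # (host, port) -> count

async def _pump(reader, writer, count) -> None:
    """Copy bytes one way until EOF or error, then close the far side."""
    try:
        while chunk := await reader.read(65536):
            count(len(chunk))
            writer.write(chunk)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()

async def handle(creader, cwriter, stats, resolve=original_destination) -> None:
    """One intercepted connection: recover the real target, connect, relay both ways."""
    try:
        host, port = resolve(cwriter.get_extra_info("socket"))
        oreader, owriter = await asyncio.open_connection(host, port)
    except (OSError, ValueError, struct.error):
        cwriter.close()   # unknown or unreachable target: drop the client
        return
    stats.connections += 1
    stats.destinations[(host, port)] = stats.destinations.get((host, port), 0) + 1
    def up(n): stats.bytes_up += n
    def down(n): stats.bytes_down += n
    await asyncio.gather(_pump(creader, owriter, up), _pump(oreader, cwriter, down))

async def serve(host, port, stats, resolve=original_destination):
    return await asyncio.start_server(lambda r, w: handle(r, w, stats, resolve), host, port)

def loopback_demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed self-test: an echo server stands in for the origin and the resolver
    is injected, since no iptables rule exists on loopback. Returns Stats, or None."""
    async def run():
        async def echo(r, w):
            w.write(await r.read(65536))
            await w.drain()
            w.close()
        origin = await asyncio.start_server(echo, "127.0.0.1", 0)
        oport = origin.sockets[0].getsockname()[1]
        stats = Stats()
        proxy = await serve("127.0.0.1", 0, stats, lambda sock: ("127.0.0.1", oport))
        r, w = await asyncio.open_connection(*proxy.sockets[0].getsockname()[:2])
        w.write(payload)
        await w.drain()
        reply = await r.read(65536)   # client -> proxy -> echo -> proxy -> client
        w.close()
        proxy.close()
        origin.close()
        return stats if reply == payload else None
    return asyncio.run(run())

async def main(port: int = 8080) -> None:
    # Real use (assumed, as root): iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
    async with await serve("127.0.0.1", port, Stats()) as server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

The relay never parses the payload, so it works for any TCP protocol; caching or buffering would be layered on top of the two pumps.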

Similar Messages

  • Transparent local proxy on PC - possible?

    Hi, is it possible to write a transparent local proxy? And if yes, what approach / classes would one use? That is, write an application or service that would automatically pick up any requests heading outbound for Internet access (via a site proxy server in a DMZ, or direct too if possible) and then proxy them out to where they were heading, i.e. to enable stats etc. to be picked up.

    GregH wrote:
    > Is it possible to write a transparent local proxy?
    A TCP proxy? Does it have to be transparent?
    > pick up any requests heading outbound for Internet access
    Are you just talking HTTP here? (ports 80 and 443)

  • How to determine if extend TCP proxy isn't running?

    I've set up a Coherence cluster using nodes Coh-A and Coh-B. I have a TCP proxy running on both nodes on port 9098.
    My application is able to talk (i.e., both get and set) to the cluster through the TCP proxies. All is fine when the Coherence servers are up and running. I was curious to see the behavior of the system when the Coherence servers are down. My requirement is that it should have no impact on the system if Coherence is down: the application should instead bypass Coherence and go to the database. But this isn't happening (logs below). Is there any way to check if the Coherence server is reachable (up and running) before trying to access the cache from the application code?
    2013-11-13 16:30:12.060/1660.501 Oracle Coherence GE 3.7.1.0 <D5> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Connecting Socket to 10.246.28.18:9098
    2013-11-13 16:30:12.062/1660.502 Oracle Coherence GE 3.7.1.0 <Info> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Error connecting Socket to 10.246.28.18:9098: java.net.ConnectException: Connection refused
    2013-11-13 16:30:12.062/1660.502 Oracle Coherence GE 3.7.1.0 <D5> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Connecting Socket to 10.246.28.3:9098
    2013-11-13 16:30:12.063/1660.503 Oracle Coherence GE 3.7.1.0 <Info> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Error connecting Socket to 10.246.28.3:9098: java.net.ConnectException: Connection refused
    2013-11-13 16:30:12,117 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR errors.GrailsExceptionResolver  - Exception occurred when processing request: [GET] /api/cafe/601272
    Stacktrace follows:
    com.tangosol.net.messaging.ConnectionException: could not establish a connection to one of the following addresses: [10.246.28.18:9098, 10.246.28.3:9098]; make sure the "remote-addresses" configuration element contains an address and port of a running TcpAcceptor
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.initiator.TcpInitiator.openConnection(TcpInitiator.CDB:120)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.Initiator.ensureConnection(Initiator.CDB:11)
            at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.openChannel(RemoteCacheService.CDB:5)
            at com.tangosol.coherence.component.net.extend.RemoteService.ensureChannel(RemoteService.CDB:6)
            at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.createRemoteNamedCache(RemoteCacheService.CDB:12)
            at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.ensureCache(RemoteCacheService.CDB:27)
            at com.tangosol.coherence.component.util.SafeNamedCache$CacheAction.run(SafeNamedCache.CDB:3)
            at java.security.AccessController.doPrivileged(Native Method)
    Thanks,
    Anand

    Can't we catch the mentioned exception, and if it appears, redirect the query to the database?

  • Best Performance: HTTP accelerator or generic tcp proxy

    Hi,
    We want to publish an application based on HTTPS (VMware View). Which would be the better choice, the HTTP accelerator or the Generic TCP proxy, in terms of performance (lowest latency)?
    Kind regards,
    Hen

    Hi,
    I am unable to identify a bottleneck.
    The proxy is generally performing fine, only the vmware view connection through generic TCP proxy shows a delay.
    Kind regards,
    Hen
    Originally Posted by phxazcraig
    In article <[email protected]>, Hennys wrote:
    > I had not yet done the tuneup.ncf. Have done it now, see if it makes
    > any difference. other things were already done according to tip 23.
    >
    The tuneup settings are from Novell, and they work together with proxy
    settings to allow the proxy to work faster, and handle heavier loads.
    Have a look at the proxy console statistics and see if you can get an
    idea if there is a bottleneck somewhere. Perhaps disk I/O. Perhaps a
    DNS server problem (check proxy console option 4).
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to Craig Johnson Consulting - BorderManager, NetWare, and More ***

  • Generic TCP proxy: how to create Access rule ?

    Hi,
    I have configured a Generic TCP proxy on the public address, port 6300 of our bordermanager server that points to an internal server 192.168.10.148 on port 80. I have configured the filter exceptions for port 6300.
    I have also tried to create an ACL rule to give everyone on the internet access to the Generic TCP in different ways, but I'm unable to succeed. I can see in the proxy statistics, number of ACL denials increasing each time I try to connect so the problem is in the ACL rule.
    The rule I think should be right but isn't working is the following:
    Allow:
    source: host Ip Addresses:
    IP: equals any (the Internet)
    Destination: Host IP addresses:
    192.168.10.148 (the internal server)
    Origin server port:
    6300 (the port on the public interface on which the Generic TCP proxy is listening).
    What am I doing wrong?

    hennys,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • New parameter "timeout tcp-proxy-reassembly" in ASA 8.2

    I couldn't find much in the config guide or web site for this. Can someone tell me which situations this would come into play? Here is the CLI help:
    "Configure idle timeout after which buffered packets waiting for reassembly in tcp-proxy are dropped"

    Hi.
    I've had a very interesting discussion with a TAC engineer about this command.
    The engineer mentions that, with this command, ASA behaves in the following way:
    When the ASA receives fragmented data, it puts the fragments in the buffer to be able to reassemble them and then send them on. When the buffer exceeds its limit, the ASA starts dropping the packets being reassembled, so the reason for the packet drop is always that the buffer limit was exceeded. By using the command "tcp-proxy-reassembly", the ASA waits for an idle time determined by this command. The reason we need this idle time is that, after dropping the fragmented packet, the ASA still keeps the connection open in the conn table, waiting to reassemble the fragments and send them, but this will never happen as the fragment was dropped; so the connection stays in the conn table, and a lot of connections that are not really used exhaust the ASA memory. After dropping the fragment, the ASA waits for the timeout specified by tcp-proxy-reassembly before deleting the connection from the connection table.
    So, in summary, the ASA does not use this command to delete the fragment after the timeout; it uses it to delete the connection, once the timer expires, after the fragment has been dropped (because of the buffer limit).
    So keep that in mind when you use it.
    Best regards,
    Ernesto.

  • Flex 3 - AMFPHP - Transparent Web Proxy

    Hello,
    I developed a Flex 3 application with AMFPHP to communicate
    with PHP. At home there is no problem, everything works, but when I try it at my
    office I sometimes get this type of error:
    code:
    Channel.Call.Failed
    Message:
    error
    Detail:
    NetConnection.Call.Failed: HTTP: Failed
    I checked with the administrator and this is an error with the
    transparent web proxy. (I work under Mac OS X.)
    I don't know if I can specify the proxy configuration
    somewhere. Please find below my service configuration file:
    <services-config>
      <services>
        <service id="amfphp-flashremoting-service"
                 class="flex.messaging.services.RemotingService"
                 messageTypes="flex.messaging.messages.RemotingMessage">
          <destination id="amfphp">
            <channels>
              <channel ref="my-amfphp"/>
            </channels>
            <properties>
              <source>*</source>
            </properties>
          </destination>
        </service>
      </services>
      <channels>
        <channel-definition id="my-amfphp"
                            class="mx.messaging.channels.AMFChannel">
          <endpoint uri="http://www..nouveausens.fr/Services/gateway.php"
                    class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
      </channels>
    </services-config>
    Has someone had this problem, or can someone help me?
    Thanks a lot,
    Marc

    maybe because
    http://www..nouveausens.fr/Services/gateway.php
    has 2 points after
    http://www. :-)

  • Generic TCP proxy?

    My ISP has a badly configured proxy on my connection, filtering HTTP (80).
    This means that many sites report me as banned, even if I never visited them. I wanted to know if something like a generic TCP proxy exists, to send all my connections through it.
    I own a VPS server at lineo (London datacenter), and I have the idea of turning it into my personal proxy. Can I do it with iptables rules?
    I know of the existence of Squid, but I've heard it's only for HTTP, and also a madness to configure.
    Suggestions?

    A VPN set as the default route would probably work. I imagine there are instructions on the wiki for this.
    You can also use tsocks + SSH. There is an option to force tsocks to load with every program.

  • HTTP failed - Transparent web proxy

    Hello,
    I developed an application with Flex 3 B1; it works at my
    home, but when I tried it in my office I sometimes get this type of message:
    code:
    Channel.Call.Failed
    Message:
    error
    Detail:
    NetConnection.Call.Failed: HTTP: Failed
    Sometimes the application works, sometimes not... I think this
    is a web proxy problem. I called the person in charge of this and,
    according to him, some programs cannot work with a transparent proxy.
    Does somebody have the same problem?
    Best regards,
    Marc

    Thank you Ken for your whitepaper.
    I read the configuration, and it mentions that the IronPort and the clients are not on the same interface (segment). I also read that the IronPort appliance and the clients must be on the same ASA interface to avoid passing through the ASA itself again.
    Which of these two is right?
    In my architecture I'm not able to put the IronPort on the same interface as the clients (2 different interfaces and subnets).
    I attached a document explaining the architecture.
    My bad, I saw that the WSA and the clients are on the same ASA interface in the inside networks. Still, is it possible to enable WCCP in my configuration?
    I also saw that it is possible to implement a route-map which performs PBR by changing the next-hop IP for specific traffic, but this function is not available on the ASA, as I heard. Can anyone confirm that?
    This message was edited by: Maxime GERGES

  • Transparent Telnet Proxy

    If I don't use transparent proxy do I need to keep the filters put in
    by the BRDFCFG for telnet proxy? Do they affect anything being in
    there?
    Al

    Caterina Luppi wrote:
    > hi Al,
    >
    > you can remove the exceptions if you don't use the telnet proxy.
    Thanks Cat

  • Extend TCP Proxy vs. Client load balancing

    I am unclear how proxy and client load balancing interact with respect to custom address providers. If I define my own address provider, and I do NOT set the load-balancer parameter to client in the client configuration, will the proxy still do load balancing of connections as described in http://docs.oracle.com/cd/E24290_01/coh.371/e22839/gs_configextend.htm#BEBCICDA ?
    Edited by: user5179040 on Mar 23, 2012 9:43 AM

    Hi,
    The <load-balancer> element is only configured in the <proxy-scheme>, not on the client side. The value "proxy" tells the proxy to use the specified strategy for load balancing client connections across proxies. The value "client" offloads the responsibility for load balancing across proxies to the client, or randomly selects proxies.
    Hope this helps!
    Cheers,
    NJ

  • Upgrading from 8.4 to 9.1 issues (Transparent firewall)

    The firewall is in transparent mode. At this time I permit any any from trust to untrust and from untrust to trust. It works great in 8.4; when I update the version to 9.1 it blocks all traffic, yet nothing shows up in the monitoring mode. Downgrade to 8.4 and all is fine again. This is the simplest setup at this time and I have it running in a lab. ICMP is blocked. All traffic is blocked, and it only occurs in 9.1.

    Saved
    ASA Version 9.1(1)
    firewall transparent
    hostname ciscoasa
    enable password
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd
    names
    interface Ethernet0/0
    nameif TRUSTED
    bridge-group 1
    security-level 100
    interface Ethernet0/1
    nameif UNTRUSTED
    bridge-group 1
    security-level 0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    interface Management0/0
    management-only
    shutdown
    nameif MGT
    security-level 100
    ip address 10.10.10.212 255.255.255.0
    interface BVI1
    ip address 10.10.2.250 255.255.255.0
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    object-group network Trusated1
    object-group network Untrusted1
    object-group network Trusted
    object-group network Untrusted
    object-group network Call_MGR
    object-group network Trusted2
    object-group network Untrusted2
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    object-group service DM_INLINE_SERVICE_2
    service-object ip
    access-list UNTRUSTED_access_in extended permit ip any any
    access-list UNTRUSTED_access_in extended permit ip any4 any4
    access-list TRUSTED_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TRUSTED 1500
    mtu UNTRUSTED 1500
    mtu MGT 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group TRUSTED_access_in in interface TRUSTED
    access-group UNTRUSTED_access_in in interface UNTRUSTED
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.10.10.156 255.255.255.255 MGT
    http 10.10.10.211 255.255.255.255 MGT
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 10.10.10.156 255.255.255.255 MGT
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tftp-server MGT 10.10.10.162 C:\asa841-k8.bin
    username cisco password privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 1
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

  • PC not getting IP in transparent ASA

    Hi everyone,
    An ASA 5505 is connected to a layer 3 switch.
    The ASA is in transparent mode.
    The layer 3 switch has SVI Vlan 20 and also has a DHCP server for vlan 20.
    A PC connected to the transparent ASA is not able to get an IP address from the layer 3 switch.
    I have configured the ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.
    When I assign a static IP to the PC connected to port eth0/1 of the ASA, it works fine.
    ciscoasa# sh run
    : Saved
    ASA Version 9.1(1)
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 13
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    interface Vlan13
    nameif inside
    bridge-group 1
    security-level 100
    interface Vlan20
    nameif Outside
    bridge-group 1
    security-level 0
    interface BVI1
    ip address 192.168.20.59 255.255.255.0
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    object network Broadcast
    host 255.255.255.255
    object network Dhcp-Server
    host 192.168.20.3
    access-list inside_access_in extended permit ip any any
    access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
    access-list inside_access_in_1 extended permit ip any any
    pager lines 24
    mtu Outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group Outside_access_in in interface Outside
    access-group inside_access_in_1 in interface inside
    route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 2
    Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
    : end
    ciscoasa#
    Thanks
    mahesh
    Message was edited by: mahesh parmar

    Hi Jouni,
    It worked great as always.
    I got this ASA Security plus license few days back so trying to learn some concepts in home lab.
    I need to understand the reason for these 2 ACLs:
    1> access-list OUTSIDE-IN permit icmp host any echo
    I already have ICMP under the global policy, so why do we use the above ACL?
    Also, this ACL has a hit count of 0.
    2> When we already allowed the BootPC reply from any host to the broadcast address, why do we need this second ACL?
    access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
    This ACL also has a hit count of 0.
    Thanks
    mahesh
    Message was edited by: mahesh parmar

  • ACNS and transparent FTP

    Hey all,
    I'm trying to understand one thing with regards to transparent FTP proxy (via WCCPv2) and passive-mode FTP.
    I realize that ACNS and routers have a special service group "60", which is used for native FTP. However, their documentation is suspiciously lacking any technical details with regard to what traffic is sent to the cache engine.
    What I was looking to find out is:
    When WCCP negotiates what traffic to redirect, typically the cache-engine tells the router what ports to redirect. Knowing that passive-FTP uses dynamic ports, does "service-group 60" somehow force the WCCP router to send all TCP ports to the ACNS cache-engine? Or is WCCP somehow stateful enough to only send the dynamically negotiated passive ports (which is hard to believe)?
    Thanks for any and all help!

    The WCCP ftp-native service in ACNS redirects TCP traffic destined to ports 21 and 40020.  Intercepting port 21 gives us the FTP control connection.  In the event that the client requests passive mode, ACNS tells the client (over the control connection) to establish a connection on tcp/40020.  Since this port is already defined as part of the ftp-native WCCP service, this gives us the data connection as well.
    If you're interested in checking what protocol/port(s) are defined as part of a WCCP service group, you can use the commands:
    show wccp services detail - Command on ACNS and WAAS devices
    show ip wccp <service> service - Hidden IOS command, where <service> is the numeric service ID for the service
    If you have any additional questions, please let us know.
    Regards,
    Zach
