cyber-security-resources/SCOR/wccp_and_pbr_to_wsa.md
2023-12-18 14:13:46 -05:00


Configuring WCCP or Policy-Based Routing to Send Traffic to WSA

Configuring WCCP on a Cisco Switch

Let's take a look at how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance.

  1. Configure an access control list (ACL) to match the web traffic.

     ```
     ip access-list extended WEB-TRAFFIC
      permit tcp 10.1.1.0 0.0.0.255 any eq www
      permit tcp 10.1.2.0 0.0.0.255 any eq www
      permit tcp 10.1.1.0 0.0.0.255 any eq 443
      permit tcp 10.1.2.0 0.0.0.255 any eq 443
     ```

  2. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliance's IP address).

     ```
     ip access-list standard WSA
      permit 10.1.3.3
     ```

  3. Create the WCCP lists. Each redirect-list must name an ACL that exists on the switch; step 1 defines only WEB-TRAFFIC, so the HTTP-TRAFFIC, FTP-TRAFFIC and HTTPS-TRAFFIC ACLs referenced here have to be created as well.

     ```
     ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
     ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
     ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
     ```

  4. Configure the WCCP redirection of traffic on the source interface.

     ```
     interface vlan88
      ip wccp web-cache redirect in
      ip wccp 10 redirect in
      ip wccp 20 redirect in
     ```

Traffic Redirection with Policy-Based Routing

You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance.

Configuring PBR can affect the router's performance if it is enabled in software (without hardware acceleration). Review the respective router documentation to determine any impact.

  • First, a PBR policy is configured in a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.2.0/24).
  • The web traffic is received on interface VLAN 88.
  • The traffic is sent to the Cisco Secure Web Appliance configured with IP address 10.1.3.3.

```
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
!
route-map WebRedirect permit 10
 match ip address 101
 set ip next-hop 10.1.3.3
interface vlan88
 ip policy route-map WebRedirect
```
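
A consistency check for the two configurations above, written as an added Python example (not part of the original page and not a Cisco tool): it lists every ACL, WCCP service and route-map that is referenced but never defined. The function name `audit_redirection` and the combined sample are assumptions made for illustration, and only the command forms shown on this page are parsed.

```python
import re

# Constructed sample: the page's WCCP and PBR snippets (trimmed) joined into one file.
SAMPLE_CONFIG = """\
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
ip access-list standard WSA
 permit 10.1.3.3
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
route-map WebRedirect permit 10
 match ip address 101
 set ip next-hop 10.1.3.3
interface vlan88
 ip wccp web-cache redirect in
 ip wccp 10 redirect in
 ip wccp 20 redirect in
 ip policy route-map WebRedirect
"""
IFACE_WCCP = re.compile(r"ip wccp (web-cache|\d+) redirect (?:in|out)$")

def audit_redirection(config):
    """Return sorted findings for names that are referenced but never defined."""
    lines = [raw.strip() for raw in config.splitlines()]
    acls, services, route_maps, findings = set(), set(), set(), set()
    for line in lines:  # pass 1: collect definitions (they may follow their use)
        if m := re.match(r"(?:ip access-list \w+|access-list) (\S+)", line):
            acls.add(m[1])  # named ACL or numbered ACL
        elif m := re.match(r"route-map (\S+) ", line):
            route_maps.add(m[1])
        elif (m := re.match(r"ip wccp (web-cache|\d+)\b", line)) and not IFACE_WCCP.match(line):
            services.add(m[1])  # global WCCP service definition
    for line in lines:  # pass 2: check every reference
        if m := IFACE_WCCP.match(line):
            if m[1] not in services:
                findings.add(f"interface redirects WCCP service {m[1]}, which is not defined")
        elif line.startswith("ip wccp "):
            for kind, name in re.findall(r"(redirect-list|group-list) (\S+)", line):
                if name not in acls:
                    findings.add(f"{kind} {name}: no such ACL")
        elif m := re.match(r"match ip address (.+)", line):
            findings.update(f"route-map match {n}: no such ACL" for n in m[1].split() if n not in acls)
        elif m := re.match(r"ip policy route-map (\S+)", line):
            if m[1] not in route_maps:
                findings.add(f"ip policy route-map {m[1]}: no such route-map")
    return sorted(findings)
```

Run against the sample, it reports the three redirect lists that the WCCP section references without defining; the PBR section comes back clean.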