h4cker/SCOR/wccp_and_pbr_to_wsa.md

61 lines
2.0 KiB
Markdown
Raw Normal View History

2023-12-18 19:13:46 +00:00
# Configuring WCCP or Policy-Based Routing to Send Traffic to WSA
## Configuring WCCP on a Cisco Switch
Lets take a look on how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance.
1. Configure an access control list (ACL) to match the web traffic.
```
ip access-list extended WEB-TRAFFIC
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.2.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq 443
permit tcp 10.1.2.0 0.0.0.255 any eq 443
```
2. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliances IP address).
```
ip access-list standard WSA
permit 10.1.3.3
```
3. Create the WCCP lists.
```
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
```
4. Configure the WCCP redirection of traffic on the source interface.
```
interface vlan88
ip wccp web-cache redirect in
ip wccp 10 redirect in
ip wccp 20 redirect in
```
## Traffic Redirection with Policy-Based Routing
You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance.
Configuring PBR can affect the routers performance if enabled in software (without hardware acceleration). You should review the respective router documentation to determine any impact.
- First, a PBR policy is configured in a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.1.2.0/24).
- The web traffic is received on interface VLAN 88.
- The traffic is sent to the Cisco Secure Web Appliance configured with IP address 10.1.2.3.
```
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
!
route-map WebRedirect permit 10
match ip address 101
set ip next-hop 10.1.3.3
interface vlan88
ip policy route-map WebRedirect
```