[c-nsp] Help with Cisco ASA w/CSC-SSM and WCCP Configuration..

Howard Leadmon howard at leadmon.net
Sun Aug 30 18:38:13 EDT 2009


  I figured I would post here and see if anyone has set this up before, and
come across a decent solution for the issue I am currently trying to work
through.

 

 First off I have a Cisco ASA-5510 with the CSC-SSM-10 module installed in
it.  The ASA is running the most current 8.2.1 code, and the CSC is running
the most current 6.3.1172.0 code from Cisco's site.   I do have all this up
and running at this time, and it works.   I also have a Cisco Content
Engine-590 that I have had online here for a while (with only a T1, saving
re-grabbing large image content on sites is a plus).  I also have the most
current ACNS software 5.5.13 loaded on the 590 as well, and it's configured
to work with the ASA using WCCPv2.

 

 OK, so now the issue.  It is all working, but apparently WCCP and the ASA
requests are handled before the CSC module, so any and all web requests
being processed by the CSC-SSM-10 module all look as though they are coming
from a single IP address (the IP of the CE590).  In some ways, I guess one
could say that was great as you will sure never have to worry about running
past the 50 user limit of the default CSC license, as it only sees stuff
from a single IP.  Of course like all things there is a catch, and for me
this is the issue I have. I want to use the Content Filtering function of
the CSC-SSM, and limit people based on either the internal IP address, or I
see I can also use the NT Active Directory info.  In fact I even tried to
use the AD plugin, but as it sees the IP of the CE590, again it won't find
any logged in users.  So due to this, I can't enforce content restrictions
on certain users, as everything appears as a single User/IP.

 

 So the million dollar question is, has anyone set up and used the ASA w/CSC
module along with a Content Engine (web cache) in transparent mode via WCCP,
and been able to make the CSC module see the individual IPs/Users inside??
I tried tweaking a couple items in the CE590 but that only resulted in
things breaking, so put it all back.   If anyone has any ideas on how to
accomplish this, or any material on doing this, it would be most
appreciated..

---

Howard Leadmon