mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-25 12:20:18 +00:00
61 lines
2 KiB
Markdown
# Configuring WCCP or Policy-Based Routing to Send Traffic to WSA

## Configuring WCCP on a Cisco Switch

Let’s take a look at how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance.

1. Configure an access control list (ACL) to match the web traffic.

```
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.2.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit tcp 10.1.2.0 0.0.0.255 any eq 443
```

2. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliance’s IP address).

```
ip access-list standard WSA
 permit 10.1.3.3
```

3. Create the WCCP lists.

```
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
```
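
The redirect lists named in these commands (`HTTP-TRAFFIC`, `FTP-TRAFFIC` and `HTTPS-TRAFFIC`) are not created in the earlier steps, which define only `WEB-TRAFFIC`. Create ACLs with these names, or reference `WEB-TRAFFIC` instead, so that each service group redirects the intended traffic.

4. Configure the WCCP redirection of traffic on the source interface.
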
```
interface vlan88
 ip wccp web-cache redirect in
 ip wccp 10 redirect in
 ip wccp 20 redirect in
```

## Traffic Redirection with Policy-Based Routing

You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance.

PBR can affect the router’s performance if it is handled in software (without hardware acceleration). Review the respective router documentation to determine any impact.

- First, a PBR policy is configured on a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.2.0/24).
- The web traffic is received on interface VLAN 88.
- The traffic is sent to the Cisco Secure Web Appliance configured with IP address 10.1.3.3.

```
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
!
route-map WebRedirect permit 10
 match ip address 101
 set ip next-hop 10.1.3.3
interface vlan88
 ip policy route-map WebRedirect
```