mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-22 02:43:02 +00:00
Create wccp_and_pbr_to_wsa.md
This commit is contained in:
parent
ad537984dd
commit
c4d55bf9e3
1 changed files with 60 additions and 0 deletions
60
SCOR/wccp_and_pbr_to_wsa.md
Normal file
60
SCOR/wccp_and_pbr_to_wsa.md
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
# Configuring WCCP or Policy-Based Routing to Send Traffic to WSA
|
||||||
|
|
||||||
|
## Configuring WCCP on a Cisco Switch
|
||||||
|
Let’s take a look on how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance.
|
||||||
|
|
||||||
|
1. Configure an access control list (ACL) to match the web traffic.
|
||||||
|
|
||||||
|
```
|
||||||
|
ip access-list extended WEB-TRAFFIC
|
||||||
|
permit tcp 10.1.1.0 0.0.0.255 any eq www
|
||||||
|
permit tcp 10.1.2.0 0.0.0.255 any eq www
|
||||||
|
permit tcp 10.1.1.0 0.0.0.255 any eq 443
|
||||||
|
permit tcp 10.1.2.0 0.0.0.255 any eq 443
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliance’s IP address).
|
||||||
|
|
||||||
|
```
|
||||||
|
ip access-list standard WSA
|
||||||
|
permit 10.1.3.3
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Create the WCCP lists.
|
||||||
|
```
|
||||||
|
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
|
||||||
|
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
|
||||||
|
ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Configure the WCCP redirection of traffic on the source interface.
|
||||||
|
```
|
||||||
|
interface vlan88
|
||||||
|
ip wccp web-cache redirect in
|
||||||
|
ip wccp 10 redirect in
|
||||||
|
ip wccp 20 redirect in
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Traffic Redirection with Policy-Based Routing
|
||||||
|
You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance.
|
||||||
|
|
||||||
|
Configuring PBR can affect the router’s performance if enabled in software (without hardware acceleration). You should review the respective router documentation to determine any impact.
|
||||||
|
|
||||||
|
- First, a PBR policy is configured in a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.1.2.0/24).
|
||||||
|
- The web traffic is received on interface VLAN 88.
|
||||||
|
- The traffic is sent to the Cisco Secure Web Appliance configured with IP address 10.1.2.3.
|
||||||
|
|
||||||
|
```
|
||||||
|
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
|
||||||
|
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
|
||||||
|
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
|
||||||
|
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
|
||||||
|
!
|
||||||
|
route-map WebRedirect permit 10
|
||||||
|
match ip address 101
|
||||||
|
set ip next-hop 10.1.3.3
|
||||||
|
interface vlan88
|
||||||
|
ip policy route-map WebRedirect
|
||||||
|
```
|
Loading…
Reference in a new issue