Cisco Cisco Web Security Appliance S170 Guía Del Usuario

Version 8.3 of the ASA can only use WCCP to redirect web traffic when the traffic 
enters the ASA on the same interface where WCCP is enabled. However, the 
AnyConnect client traffic does not enter the ASA on the same interface where 
WCCP is enabled (which is the same interface connected to the WSA). To work 
around this, you must connect a router off the WCCP enabled interface to direct 
all traffic to the router and then return it to the ASA on the WCCP enabled 
interface. This allows the ASA to use WCCP to redirect web traffic to the WSA 
for scanning. In 

, Router A returns all traffic back to the ASA on the same 

interface as the WSA, the inside interface.

When using this architecture with the Web Security appliance proxy bypass list 
feature, only local users are able to successfully reach websites listed in the proxy 
bypass list. When a remote user tries to access a website listed in the proxy bypass 
list, the connection fails.

To achieve secure mobility for users connecting to the network using VPN, you 
must configure the following products:

Cisco IronPort Web Security appliance. For more information, see 

.

Cisco adaptive security appliance. For more information, see 

.

Cisco AnyConnect secure mobility client. For more information, see 

To integrate a Web Security appliance and an adaptive security appliance, you 
need the following information:

IP address for each adaptive security appliance

Port number of each adaptive security appliance

IP address for each Web Security appliance

Port number of each Web Security appliance