Cisco Web Security Appliance S380 User Guide

      Cisco AnyConnect Secure Mobility Solution Guide
Supported Architectures
Architecture Scenario 1, Single Subnet
Figure 1 illustrates the architecture described in this section.

Figure 1: Single Site and Subnet

The deployment scenario in Figure 1 depicts a layer 2 (L2) topology which includes an ASA acting as a remote access and Internet gateway. In addition, this topology includes a WCCP router for L2 redirection of web traffic. All command examples included below refer to the example in Figure 1. The traffic flow for this deployment scenario consists of the following:
  • The AnyConnect client establishes an SSL VPN session to the ASA headend and forwards all its traffic over the session. In some cases, security administrators might define VPN policies that exclude specific traffic from the VPN session. For example, administrators might enable local printing for the connected end-user.
  • The ASA is configured with a tunnel default gateway (route inside 0.0.0.0 0.0.0.0 192.168.1.2 255.255.255.0 Tunneled) which forwards all VPN traffic from the tunnel to the WCCP router (192.168.1.2/24).
  • The WCCP router forwards only web traffic to the WSA. It forwards all non-web traffic destined for the Internet to its default route (ip route 0.0.0.0 0.0.0.0 192.168.1.1), which in this case is the ASA, or to a predefined static route if destined for the enterprise network. On the WCCP router, the command syntax ip wccp [port] redirect in (as opposed to ip wccp [port] redirect out) must be applied to the interface configured for L2 redirection. This command enables web traffic inbound to the interface to be redirected to the WSA.
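
The following check is an added example, not part of the Cisco guide: it audits a WCCP router configuration for the two requirements in the last bullet (redirect in on the L2 redirection interface, default route pointing to the ASA). The sample configuration, the interface names and the web-cache service are constructed assumptions; only the addresses 192.168.1.1 and 192.168.1.2 come from the scenario.

```python
import re

# Constructed sample of a WCCP router running-config (not from the guide).
# Interface names and the "web-cache" service are assumptions.
SAMPLE_CONFIG = """\
ip wccp web-cache
!
interface GigabitEthernet0/0
 description L2 segment shared with ASA and WSA
 ip address 192.168.1.2 255.255.255.0
 ip wccp web-cache redirect in
!
interface GigabitEthernet0/1
 description enterprise network
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""

WCCP_RE = re.compile(r"^ip wccp (\S+) redirect (in|out)$")
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def audit_wccp(config, redirect_if, asa_ip):
    """Return findings for the scenario's two WCCP router requirements."""
    findings, current, directions, default_hops = [], None, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
        elif raw and not raw.startswith(" "):
            current = None  # back at global configuration level
        m = WCCP_RE.match(line)
        if m and current:
            directions.setdefault(current, []).append(m.group(2))
        m = ROUTE_RE.match(line)
        if m and current is None:
            default_hops.append(m.group(1))
    dirs = directions.get(redirect_if, [])
    if "in" not in dirs:
        findings.append(f"{redirect_if}: no 'redirect in'; inbound web traffic is not sent to the WSA")
    if "out" in dirs:
        findings.append(f"{redirect_if}: 'redirect out' applied to the L2 redirection interface")
    if asa_ip not in default_hops:
        findings.append(f"default route does not point to the ASA ({asa_ip})")
    return findings
```

An empty list means both requirements are met; each string in a non-empty list names the setting that would let VPN web traffic skip the WSA or leave non-web traffic without a path back to the ASA.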