Troubleshooting guide
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Creating and Managing IP Access Control Lists for WAAS Devices
Creating and Managing IP ACLs for WAAS Devices
• Interception ACL—Applied globally to the WAAS device. This type of ACL defines what traffic is
to be intercepted. Traffic that is permitted by the ACL is intercepted and traffic that is denied by the
ACL is passed through the WAE. Use the interception access-list global configuration command to
apply an interception ACL. For more information on using interception ACLs, see the “Configuring
Interception Access Control Lists” section on page 1-28.
• WCCP ACL—Applied on inbound WCCP redirected traffic to control access between an external
server and external clients. In this role, the WAE acts like a firewall. Use the wccp access-list global
configuration command to apply a WCCP ACL.
• SNMP ACL—Applied on the SNMP agent to control access to the SNMP agent by an external
SNMP server that is polling for SNMP MIBs or SNMP statistics. Use the snmp-server access-list
global configuration command to apply an SNMP ACL.
• Transaction-logs flow ACL—Applied on the transaction logging facility to restrict the transactions
to be logged. Use the transaction-logs flow access-list global configuration command to apply a
transaction log ACL.
The following examples illustrate how interface ACLs can be used in environments that have WAAS
devices:
• A WAAS device resides on the customer premises and is managed by a service provider, and the
service provider wants to secure the device for its management only.
• A WAAS device is deployed anywhere within the enterprise. As with routers and switches, the
administrator wants to limit access to Telnet, SSH, and the WAAS Central Manager GUI to the IT
source subnets.
To use ACLs, you must first configure ACLs and then apply them to specific services or interfaces on
the WAAS device. The following are some examples of how interface ACLs can be used in various
enterprise deployments:
• An application layer proxy firewall with a hardened outside interface has no ports exposed.
(“Hardened” means that the interface carefully restricts which ports are available for access,
primarily for security reasons. Because the interface is outside, many types of attacks are possible.)
The WAAS device’s outside address is globally accessible from the Internet, while its inside address
is private. The inside interface has an ACL to limit Telnet, SSH, and GUI access.
• A WAE that is using WCCP is positioned on a subnet off the Internet router. Both the WAE and the
router must have IP ACLs. IP access lists on routers have the highest priority, followed by IP ACLs
that are defined on the WAEs.
Note: We strongly recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to
centrally configure and apply ACLs to your WAAS devices. For more information, see the “Creating and
Managing IP ACLs for WAAS Devices” section on page 1-2.
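The enterprise scenario above (limiting Telnet, SSH, and WAAS Central Manager GUI access to the IT source subnets), written out as an interface ACL in WAAS CLI form so the rule order can be read line by line. This is an added example, not taken from the Cisco guide; the ACL name mgmtfromit, the IT subnet 192.0.2.0/24, the interface GigabitEthernet 1/0, and the GUI port 8443 are assumptions to replace with your own values.

```cisco
! Added example. Name, subnet, interface and GUI port are assumed values.
! The name follows the rules in this chapter: unique on the device,
! at most 30 characters, no white space or special characters.
ip access-list extended mgmtfromit
 ! 1. Allow management sessions from the IT source subnet only.
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq 23
 permit tcp 192.0.2.0 0.0.0.255 any eq 8443
 ! 2. Refuse the same management ports from every other source.
 deny tcp any any eq 22
 deny tcp any any eq 23
 deny tcp any any eq 8443
 ! 3. Let all non-management traffic through. This is stated explicitly
 !    so the result does not depend on the default action at the end of
 !    the list; without it, an interface ACL that only lists management
 !    rules could also drop the traffic the device is there to optimize.
 permit ip any any
 exit
!
! Apply the ACL to inbound traffic on the management-facing interface.
interface GigabitEthernet 1/0
 ip access-group mgmtfromit in
 exit
```

Conditions are evaluated top to bottom, so the permit lines for the IT subnet must come before the deny lines for the same ports. Before applying a list like this, confirm that the session you are configuring from originates inside the permitted subnet.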
Creating and Managing IP ACLs for WAAS Devices
This section provides guidelines and an example of how to use the WAAS Central Manager GUI to create
and manage IP ACLs for your WAAS devices.
When you create an IP ACL, you should note the following important points:
• IP ACL names must be unique within the device.
• IP ACL names must be limited to 30 characters and contain no white space or special characters.