Re: [squid-users] WCCP, Squid, and that darn PIX

I don't use WCCP, so I can't help you, but I do run Squid behind a PIX
firewall and I have no problems. Just have to open the appropriate ports.
Of course, I also have squid on the same side of the pix as my internal
network.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Joe Mailander" <jmailand@lane.k12.or.us>
To: <squid-users@squid-cache.org>
Sent: Wednesday, June 13, 2001 10:58 AM
Subject: [squid-users] WCCP, Squid, and that darn PIX

> I've got WCCP v. 1 working between my Cisco router (12.1(6)) and squid
(2.4
> stable 1 on freebsd 4.3 with the GRE patch applied.), works fine when
> there's no firewall in the picture (squid, squidguard all do what they're
> supposed to do, the mechanics of the process seem to be OK). Squid runs
> along, everything is great.
>
> Now, I'd like to put the squid box behind my PIX firewall. The squid box
> doesn't have any parent/child etc. relationships with other caches, I'm
> using it just for some squidguard filtering.
>
> When I put squid behind the pix, the router sees the squid box and lets me
> know it has a cache. So far so good. Fire up a web client on the inside
> interface of my pix (the LAN in our building), go to page, hangs.
>
> Looking at the PIX syslog entries I see:
>
> Jun 12 14:32:28 <dmz> Jun 12 2001 14:33:36: %PIX-1-106022: Deny tcp
> connection spoof from <web_to> to <client_from> on interface dmz
>
> where:
> <dmz> - ip address on pix DMZ interface
> <web_to> - ip address site we're going to (nasa.gov or whatever)
> <client_from> - ip addr. of client
>
> Cisco says that error comes up when a session starts on one interface, but
> continues on another. So, for laughs I put the client machine off a spare
> ethernet on the router running WCCP (no pix between client and router, but
> pix remains between router and squid). No error as above, but the whole
> process doesn't work; no items start appearing in the squid store.log, and
> again the client hangs and eventually times out.
>
> While testing, I opened any IP and any ICMP from the router to the squid
> box, and anything originating on the DMZ should go out.
>
> I did some tcpdumps looking at the GRE packets:
>
> 1) when squid and firewall on same segment (works):
>
> 16:40:14.365663 [router ip] > [squid ip]: gre-proto-0x883E (gre encap)
> 4500 0040 0024 0000 fe2f 3b56 a329 fac5
> a329 3ffc 0000 883e 4500 0028 b300 4000
> 8006 58f2 a329 3bfe 9f79 703c 041c 0050
> 0009 bf61 cb42 cef3 5004 0000 62f6 0000
> 16:40:14.365786 [router ip] > [squid ip]: gre-proto-0x883E (gre encap)
> 4500 0040 0025 0000 fe2f 3b55 a329 fac5
> a329 3ffc 0000 883e 4500 0028 b400 4000
> 8006 57f2 a329 3bfe 9f79 703c 041d 0050
> 0009 bf64 cb42 cef3 5004 0000 62f2 0000
> etc.
>
> 2) squid inside firewall (doesn't work):
>
> 16:56:41.987373 [router-ip] > [squid-ip]: gre-proto-0x883E (gre encap)
> 4500 0048 0000 0000 fe2f 3d08 a329 fac5
> a329 3e66 0000 883e 4500 0030 2085 4000
> fe06 6d0f a329 3c54 9f79 703c c000 0050
> 7246 91fc 0000 0000 7002 8000 52a9 0000
> 0204 0564 0101 0101
> 16:56:42.661343 [router-ip] > [squid-ip]: gre-proto-0x883E (gre encap)
> 4500 0059 0001 0000 fe2f 3cf6 a329 fac5
> a329 3e66 0000 883e 4500 0041 2086 4000
> fe06 6cfd a329 3c54 9f79 703c c000 0050
> 7246 91fd 0000 0000 5004 0000 cd89 0000
> 7463 705f 636c 6f73 652c 2064 7572 696e
> 6720
>
> I don't see any GRE fragmented packet errors in either case.
>
> If anyone's had any success using WCCP across a pix to squid, I'd like to
> hear what worked for you. Or, if it's just a bad idea to put squid behind
> a firewall, I should probably know that too.
>
>
> Thanks! I found lots of great setup info on this list when getting Squid
> and WCCP set up initially, you people rock.
>
>
> - Joe Mailander
Received on Wed Jun 13 2001 - 09:03:10 MDT