Re: [squid-users] squid and wccp doesn't work

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 19 Jun 2009 00:05:08 +1200

Tom Penndorf wrote:
> Daniel, Akos wrote:
>> Hi,
>>
>> ASA does not support any IPoverIP such as GRE. Which SW version do you
>> have on the ASA? Could you send me the link where it is written to create
>> a tunnel between the ASA and the Squid?
>> What is your ASA config?
>> "sh run interface"
>> "sh run wccp" or "sh run | grep wccp"
>>
>> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
>> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>>
>> Regards,
>> Akos
>>
>>
>>
>
> Hi,
> the WCCP standard requires GRE. Also, you can see here:
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
>
>
> After some testing I've found some logging entries at the ASA, saying
> that it cannot find any NAT entries for the answer packets. So, I
> created a NAT-exempt rule for this. This stops the messages, but it
> doesn't work.
> But now, I've found the solution after some researching on the web in
> this article:
> http://www.breezy.ca/?q=node/316
> Especially interesting was this:
>
> "For Squid to work with WCCP2 and the Cisco firewall, the Squid server
> must be on a common subnet with the web client since the proxied web
> client-server sessions cannot traverse the ASA. This is curious and not
> particularly well documented anywhere. This is also different than the
> Cisco IOS routers (which also support WCCP2) where the caching server
> can be on a different subnet. One reason this is true is that the ASA
> only supports proxying for packets that arrive in (ie: inbound) on an
> interface."
>
>
> Now I've created an internal interface for the server for communicating
> with the clients and the firewall. It's not the optimal solution, but it
> works now. Perhaps it is interesting for someone else.
>
> Regards,
>
> Tom

Excellent news.

If you can provide config details that are usable by others outside your
network we could do with an example in the wiki for these devices at
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Thu Jun 18 2009 - 12:05:14 MDT