Re: [squid-users] squid and wccp doesn't work

From: Tom Penndorf <tpenndorf_at_seibert-media.net>
Date: Thu, 18 Jun 2009 14:19:32 +0200

Amos Jeffries wrote:
> Tom Penndorf wrote:
>> Daniel, Akos wrote:
>>> Hi,
>>>
>>> ASA does not support any IPoverIP such as GRE. Which SW version do you
>>> have on the ASA? Could you send me the link where it is written to create a
>>> tunnel between the ASA and the Squid?
>>> What is your ASA config?
>>> "sh run interface"
>>> "sh run wccp" or "sh run | grep wccp"
>>>
>>> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
>>> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>>>
>>> Regards,
>>> Akos
>>>
>>>
>>>
>>
>> Hi,
>> the WCCP standard requires GRE. Also, you can see here:
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
>>
>>
>> After some testing I've found some logging entries on the ASA, saying
>> that it cannot find any NAT entries for the answer packets. So, I
>> created a NAT-exempt rule for this. This stops the messages, but it
>> doesn't work.
>> But now, I've found the solution after some research on the web in
>> this article:
>> http://www.breezy.ca/?q=node/316
>> Especially interesting was this:
>>
>> "For Squid to work with WCCP2 and the Cisco firewall, the Squid
>> server must be on a common subnet with the web client since the
>> proxied web client-server sessions cannot traverse the ASA. This is
>> curious and not particularly well documented anywhere. This is also
>> different than the Cisco IOS routers (which also support WCCP2) where
>> the caching server can be on a different subnet. One reason this is
>> true is that the ASA only supports proxying for packets that arrive
>> in (ie: inbound) on an interface."
>>
>>
>> Now I've created an internal interface for the server for
>> communicating with the clients and the firewall. It's not the optimal
>> solution, but it works now. Perhaps it is interesting for someone else.
>>
>> Regards,
>>
>> Tom
>
> Excellent news.
>
> If you can provide config details that are usable by others outside
> your network we could do with an example in the wiki for these devices at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2
>
>
> Amos
Good idea. Can you give me edit-permissions? Name is Tom Penndorf.

Tom
Received on Thu Jun 18 2009 - 12:19:36 MDT
