Re: [squid-users] squid and wccp doesn't work

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 19 Jun 2009 00:37:11 +1200

Tom Penndorf wrote:
> Amos Jeffries wrote:
>> Tom Penndorf wrote:
>>> Daniel, Akos wrote:
>>>> Hi,
>>>>
>>>> ASA does not support any IPoverIP such as GRE. Which SW version do you
>>>> have on the ASA? Could you send me the link where it is written to
>>>> create a tunnel between the ASA and the Squid?
>>>> What is your ASA config?
>>>> "sh run interface"
>>>> "sh run wccp" or "sh run | grep wccp"
>>>>
>>>> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
>>>> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>>>>
>>>> Regards,
>>>> Akos
>>>>
>>>>
>>>>
>>>
>>> Hi,
>>> the WCCP standard requires GRE. Also, you can see here:
>>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
>>>
>>>
>>> After some testing I've found some log entries on the ASA, saying
>>> that it cannot find any NAT entries for the answer packets. So I
>>> created a NAT-exempt rule for this. This stops the messages, but it
>>> doesn't work.
>>> But now I've found the solution after some research on the web in
>>> this article:
>>> http://www.breezy.ca/?q=node/316
>>> Especially interesting was this:
>>>
>>> "For Squid to work with WCCP2 and the Cisco firewall, the Squid
>>> server must be on a common subnet with the web client since the
>>> proxied web client-server sessions cannot traverse the ASA. This is
>>> curious and not particularly well documented anywhere. This is also
>>> different than the Cisco IOS routers (which also support WCCP2) where
>>> the caching server can be on a different subnet. One reason this is
>>> true is that the ASA only supports proxying for packets that arrive
>>> in (ie: inbound) on an interface."
>>>
>>>
>>> Now I've created an internal interface for the server for
>>> communicating with the clients and the firewall. It's not the optimal
>>> solution, but it works now. Perhaps it is interesting for someone else.
>>>
>>> Regards,
>>>
>>> Tom
>>
>> Excellent news.
>>
>> If you can provide config details that are usable by others outside
>> your network we could do with an example in the wiki for these devices at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2
>>
>>
>> Amos
> Good idea. Can you give me edit-permissions? Name is Tom Penndorf.
>
> Tom
>

I can. Done for login "Tom Penndorf".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Thu Jun 18 2009 - 12:37:19 MDT
