Re: [squid-users] squid and wccp doesn't work

From: Parvinder Bhasin <parvinder.bhasin_at_gmail.com>
Date: Thu, 18 Jun 2009 14:06:54 -0700

I have this setup working differently but did you get HTTPS working?
Just wondering. Try going to an https site.

Let me know your findings.

-Parvinder Bhasin
On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote:

> Daniel, Akos wrote:
>> Hi,
>>
>> ASA does not support any IPoverIP such as GRE. Which SW version do you
>> have on the ASA? Could you send me the link where it is written to create a
>> tunnel between the ASA and the Squid?
>> What is your ASA config?
>> "sh run interface"
>> "sh run wccp" or "sh run | grep wccp"
>>
>> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
>> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>>
>> Regards,
>> Akos
>>
>>
>>
>
> Hi,
> the WCCP standard requires GRE. Also, you can see here:
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
>
> After some testing I've found some logging entries at the ASA,
> saying that it cannot find any NAT entries for the answer packets.
> So, I created a nat-exempt rule for this. This stops the messages,
> but it doesn't work.
> But now, I've found the solution after some researching on the web in
> this article:
> http://www.breezy.ca/?q=node/316
> Especially interesting was this:
>
> "For Squid to work with WCCP2 and the Cisco firewall, the Squid
> server must be on a common subnet with the web client since the
> proxied web client-server sessions cannot traverse the ASA. This is
> curious and not particularly well documented anywhere. This is also
> different than the Cisco IOS routers (which also support WCCP2)
> where the caching server can be on a different subnet. One reason
> this is true is that the ASA only supports proxying for packets that
> arrive in (ie: inbound) on an interface."
>
>
> Now I've created an internal interface for the server for
> communicating with the clients and the firewall. It's not the
> optimal solution, but it works now. Perhaps, it is interesting for
> someone else.
>
> Regards,
>
> Tom
Received on Thu Jun 18 2009 - 21:07:12 MDT
