Re: [squid-users] squid and wccp doesn't work

From: Parvinder Bhasin <parvinder.bhasin_at_gmail.com>
Date: Thu, 18 Jun 2009 15:00:30 -0700

Scratch that... HTTPS and transparent proxy... no, can't do.

On Jun 18, 2009, at 2:06 PM, Parvinder Bhasin wrote:

> I have this setup working differently but did you get HTTPS
> working? Just wondering. Try going to an https site.
>
> Let me know your findings.
>
> -Parvinder Bhasin
> On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote:
>
>> Daniel, Akos wrote:
>>> Hi,
>>>
>>> ASA does not support any IP-over-IP such as GRE. Which SW version
>>> do you have on the ASA? Could you send me the link where it is
>>> written to create a tunnel between the ASA and the Squid?
>>> What is your ASA config?
>>> "sh run interface"
>>> "sh run wccp" or "sh run | grep wccp"
>>>
>>> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info
>>> here:
>>> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>>>
>>> Regards,
>>> Akos
>>>
>>>
>>>
>>
>> Hi,
>> the WCCP standard requires GRE. Also, you can see here:
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
>>
>> After some testing I've found some logging entries at the ASA,
>> saying that it cannot find any NAT entries for the answer packets.
>> So, I created a NAT-exempt rule for this. This stops the messages,
>> but it doesn't work.
>> But now, I've found the solution after some researching on the web
>> in this article:
>> http://www.breezy.ca/?q=node/316
>> Especially interesting was this:
>>
>> "For Squid to work with WCCP2 and the Cisco firewall, the Squid
>> server must be on a common subnet with the web client since the
>> proxied web client-server sessions cannot traverse the ASA. This is
>> curious and not particularly well documented anywhere. This is also
>> different than the Cisco IOS routers (which also support WCCP2)
>> where the caching server can be on a different subnet. One reason
>> this is true is that the ASA only supports proxying for packets
>> that arrive in (ie: inbound) on an interface."
>>
>>
>> Now I've created an internal interface for the server for
>> communicating with the clients and the firewall. It's not the
>> optimal solution, but it works now. Perhaps it is interesting for
>> someone else.
>>
>> Regards,
>>
>> Tom
>
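The setup Tom describes above (WCCP2 redirection from an ASA to a Squid host that has to sit on the clients' subnet, with the redirected traffic carried in GRE), written out as an added configuration example. It is not from this thread and not from the Squid or Cisco documentation; the addresses (192.0.2.1 for the ASA inside interface, 192.0.2.10 for the Squid host), the interface names and the Squid 3.1 directive spelling are assumptions.

```conf
# squid.conf fragment (added example; Squid 3.1 directive syntax assumed,
# older 2.x releases use numeric method codes and "transparent" instead
# of "intercept").
# Assumed addresses: ASA inside interface 192.0.2.1, Squid host 192.0.2.10,
# both on the client subnet 192.0.2.0/24, which is the constraint the
# breezy.ca quote in the thread describes for the ASA.

http_port 3128 intercept          # receives the redirected client TCP/80 sessions

wccp2_router 192.0.2.1            # the ASA address Squid registers with
wccp2_forwarding_method gre       # the ASA forwards redirected packets inside GRE
wccp2_return_method gre           # and expects bypassed packets back the same way
wccp2_assignment_method hash      # hash assignment (assumed to be what the ASA negotiates)
wccp2_service standard 0          # service group 0 = "web-cache": TCP port 80 only

# Service group 0 matches only TCP/80, so HTTPS (TCP/443) is never handed
# to Squid by this setup; that is consistent with the thread's conclusion
# about transparent proxying and HTTPS.

# Linux host side (not squid.conf; assumed interface name eth0, run as root):
#   ip tunnel add wccp0 mode gre remote 192.0.2.1 local 192.0.2.10 dev eth0
#   ip link set wccp0 up
#   iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 \
#       -j REDIRECT --to-ports 3128
# Packets decapsulated from the GRE tunnel are the redirected client
# sessions; the REDIRECT rule hands them to the intercept port. Replies
# leave eth0 straight to the client, which is why, on an ASA, Squid must
# share the clients' subnet as Tom found.
```

On the ASA the matching side (again assumed, not taken from the thread) is a redirect-list ACL for the client subnet on port 80, a group-list ACL permitting the Squid host, `wccp web-cache redirect-list <acl> group-list <acl>`, and `wccp interface inside web-cache redirect in`; `show wccp` on the ASA confirms whether the Squid host has registered with the service group. If the ASA logs report missing NAT entries for the return packets, as in Tom's report, the NAT exemption he mentions removes the messages but is not by itself the fix; the subnet placement is.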
Received on Thu Jun 18 2009 - 22:00:43 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 19 2009 - 12:00:03 MDT