Re: [squid-users] Problem with squid 3.0 WCCP with Cisco ASA 5510

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Mar 2011 14:36:22 +1300

 On Mon, 14 Mar 2011 20:25:24 +0800, mrito_at_mail.altcladding.com.ph
 wrote:
> hi List,
>
> I'm trying to set up a Cisco ASA 5510 & squid 3.0 WCCP and already
> followed some sources on the website procedures but client browsing
> still does not work. I can ping the public DNS of the website we're
> trying to access via client PC but the problem is they cannot connect
> when using the browser.

 ICMP protocol used by ping is not sent over the tunnel hops. So ping
 is meaningless when WCCP and similar diversions are involved.

>
> We've created a GRE tunnel on the Squid box (running Linux):
> # iptunnel add gre2 mode gre remote 172.16.9.11 local 172.16.9.14 dev eth0
> # ifconfig gre2 127.0.0.2 up
>
> (where 172.16.9.11 is the internal interface of our ASA and 172.16.9.14
> is the IP of our squid proxy server)
>

 So far so good (assuming the ASA likes those IPs too).

> Then we've set up iptables to redirect port 80 to our proxy on port 8080:
>
> # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>

 You need a back-path NAT to make it symmetric. The easy way is
 MASQUERADE in the POSTROUTING chain.

 Maybe rp_filter and forwarding as well.
 http://wiki.squid-cache.org/Features/Wccp2#Squid_box_OS_configuration

> Our Squid 2.7.STABLE3 config file contains:
>
> http_port 172.16.9.14:8080 transparent
> wccp2_router 172.16.9.11
>
>
> We can tell that WCCP connects because in the ASA we have:
>
> ALTVPN# sh wccp
>
> Global WCCP information:
> Router information:
> Router Identifier: 172.16.18.1

 Here we are, primary router identifier. By mutual agreement of the WCCP
 protocol, just to confuse, this indicates the likely ID value for
 wccp2_router.

 Try:
   wccp2_router 172.16.18.1

> Protocol Version: 2.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 0

 When Squid starts it sends a HERE_I_AM packet to the $wccp2_router.
 That packet seems not to be getting through OR not being accepted by
 the ASA.

 Try the above alternative IP. If that fails it may be worth trying every
 other IP the router has.

> Number of routers: 0
> Total Packets Redirected: 5595
> Redirect access-list: -none-
> Total Connections Denied Redirect: 0
> Total Packets Unassigned: 41
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> Total Bypassed Packets Received: 0
>
> However, clients are getting timeouts when trying to browse the internet.
> In the ASA logs, I'm seeing:
>
> Denied ICMP type=3, code=3 from PROXY on interface inside
> No matching connection for ICMP error message: icmp src inside:PROXY dst
> identity: (type 3, code 3) on inside interface.

 Interesting. I was of the understanding that WCCP is supposed to
 fail-open so clients have something equivalent to always-up service.

>
> Please see also below the running config we have on our Cisco ASA 5510 Router:
> dns-guard
> !
> interface Ethernet0/0
> nameif internet
> security-level 0
> ip address 122.3.237.69 255.255.255.240
> ospf cost 10
> !
> interface Ethernet0/1
> nameif LAN
> security-level 100
> ip address 172.16.9.11 255.255.255.0
> ospf cost 10
> !
> interface Ethernet0/2
> nameif DMZ
> security-level 50
> ip address 172.16.10.10 255.255.255.0
> ospf cost 10
> !
> interface Ethernet0/3
> description Connection to Proxy Server
> nameif LAN-TEST
> security-level 0
> ip address 172.16.18.1 255.255.255.0
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> no ip address
> ospf cost 10
> management-only
>
>
>
> ALTVPN# sh route
>
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> * - candidate default, U - per-user static route, o - ODR
> P - periodic downloaded static route
>
> Gateway of last resort is 122.3.237.65 to network 0.0.0.0
>
> C 172.16.9.0 255.255.255.0 is directly connected, LAN
> C 122.3.237.64 255.255.255.240 is directly connected, internet
> S* 0.0.0.0 0.0.0.0 [1/0] via 122.3.237.65, internet
>

 <snip>

 Amos
Received on Tue Mar 15 2011 - 01:36:26 MDT
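The Squid-box OS side that the reply sketches (GRE tunnel, rp_filter and forwarding, the PREROUTING REDIRECT plus a POSTROUTING MASQUERADE back-path), as an added example that is not part of this thread or of the Squid project's own documentation. It reuses the thread's addresses and the suggested router identifier; the interface names, the DRY_RUN switch and the choice to match the redirect rule on the tunnel interface (where the decapsulated packets arrive) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: Linux-side WCCPv2 setup for Squid.
# Run with "--run" as root to apply; set DRY_RUN=1 to print the commands
# instead (used for offline checking). Addresses come from the thread,
# interface names are assumptions.

ASA_INSIDE=${ASA_INSIDE:-172.16.9.11}   # ASA inside interface (GRE peer)
SQUID_IP=${SQUID_IP:-172.16.9.14}       # Squid box address on the LAN
LAN_IF=${LAN_IF:-eth0}                  # assumed LAN interface name
GRE_IF=${GRE_IF:-gre2}                  # tunnel name used in the thread
SQUID_PORT=${SQUID_PORT:-8080}          # transparent http_port from the thread
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. GRE tunnel that terminates the packets the ASA redirects to Squid.
setup_gre() {
    run ip tunnel add "$GRE_IF" mode gre remote "$ASA_INSIDE" local "$SQUID_IP" dev "$LAN_IF"
    run ip addr add 127.0.0.2/32 dev "$GRE_IF"   # same address the thread used
    run ip link set "$GRE_IF" up
}

# 2. Reverse-path filtering would drop decapsulated packets whose source is
#    not routed back via the tunnel (effective value is max of "all" and the
#    per-interface knob, so both are cleared); forwarding lets traffic leave.
setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$GRE_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
}

# 3. Intercept port 80 arriving from the tunnel and MASQUERADE outbound
#    traffic so the return path is symmetric, as the reply recommends.
setup_nat() {
    run iptables -t nat -A PREROUTING -i "$GRE_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
}

setup_all() { setup_gre; setup_sysctl; setup_nat; }

if [ "${1:-}" = "--run" ]; then setup_all; fi
```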
