Re: [squid-users] Transparent caching proxy, ASA-Squid3

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Fri, 22 Apr 2011 16:31:55 +0300

What is your network setup?

What is the position of each device related to the other on the network?

Both of them on the same network?

Eliezer

On 22/04/2011 11:43, bmm-mailinglist wrote:

> Hi all,
>
> I am a new Squid user. I like Squid's ease of setup and use. Unfortunately, I've hit a snag.
> For the past week or so, I have been trying to get a transparent caching proxy going between our Cisco ASA 5510 firewall (with 8.3(2) software) and a fresh Squid 3 install on an Ubuntu 10.04 LTS (default squid3 package from Ubuntu repo).
>
> So far I have been unsuccessful.
> The caching proxy bit works just fine. If I manually point my browser to the Squid machine to use as a proxy, it works just as it should.
> I can't get the redirect working, though. Packets redirected by the ASA just seem to get dropped somewhere along the line.
> I have followed the directions stated in http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#WCCP_-_Web_Cache_Coordination_Protocol. This setup did not work.
> After trying anything I could think of myself (and not being an expert at this, that wasn't a whole lot), I've taken to the mailing list archives.
> There, I found this thread: http://www.squid-cache.org/mail-archive/squid-users/201103/0284.html, which is similar to my situation.
> I also followed the directions mentioned there, but unfortunately that did not solve my problem either.
>
> In any case, the situation right now is as follows:
>
> The ASA is set up for WCCP, seemingly correctly (although ASA documentation on WCCP is less than stellar).
> It has recognized the Squid cache, is receiving Squid's Here I Am packets and is returning I See Yous.
> According to the counter, it is also forwarding packets to Squid when I activate the rule.
>
> I've set a logging rule on the prerouting table in iptables. It shows packets are coming in. So far so good.
> I've also set a logging rule on the postrouting, output and forward tables, but nothing seems to be leaving the Squid machine, other than the hello packets to the ASA every 10 seconds.
> Setting log_access to either allow or deny also does not create any entries in the access.log file. It seems, therefore, that the packets never reach that stage.
>
> I'm kind of out of ideas at this point. Can someone point me in the right direction to start shooting at trouble again?
>
> Some relevant config:
>
> ASA
>
> wccp web-cache redirect-list proxy group-list wccp-acl password *****
> wccp interface inside web-cache redirect in
>
> access-list proxy extended permit tcp 10.0.0.0 255.0.0.0 any eq www inactive
> access-list wccp-acl extended permit ip host 10.1.7.5 any
>
>
> Squid:
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_access deny all
> htcp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir ufs /var/squid/cache 184320 16 256
> access_log /var/log/squid3/access.log squid
>
> wccp2_router 10.1.0.254
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0 password=squid
> wccp2_address 0.0.0.0
>
>
> iptables:
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `pre'
> REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `post'
> MASQUERADE all -- anywhere anywhere
>
>
> So again, any pointers would be most welcome. Should you need more config info, don't hesitate to ask.
> Thanks in advance.
>
> Regards,
>
> Bart
>
Received on Fri Apr 22 2011 - 13:32:07 MDT
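The troubleshooting in the thread boils down to checking that three things line up: the intercept `http_port` in squid.conf, the NAT `REDIRECT` rule in `PREROUTING`, and the WCCP forwarding method the router is using. The following Python script is an added example written for this archive page, not code from the thread or from the Squid project. It parses the squid.conf fragment and the `iptables -t nat -L` listing exactly as Bart posted them (copied inline as constructed input) and reports consistency findings. The mapping of `wccp2_forwarding_method` 1 to GRE is from Squid's documentation; the observation that GRE-forwarded traffic arrives as IP protocol 47 and must be decapsulated by a tunnel interface before a `tcp dpt:www` rule can match it is a general property of WCCP GRE forwarding, not something the posters stated.

```python
import re

# Constructed input: the squid.conf fragment and the `iptables -t nat -L` listing
# as posted in the thread, embedded so the checker runs offline.
SQUID_CONF = """\
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_port 3128 transparent
cache_dir ufs /var/squid/cache 184320 16 256
wccp2_router 10.1.0.254
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0 password=squid
wccp2_address 0.0.0.0
"""

NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `pre'
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `post'
MASQUERADE all -- anywhere anywhere
"""

# Squid's wccp2_forwarding_method values (from the Squid configuration reference).
FORWARDING = {"1": "gre", "2": "l2"}


def parse_squid_conf(text):
    """Return {directive: [argument string, ...]}, dropping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive, []).append(args.strip())
    return conf


def parse_nat_listing(text):
    """Return {chain: [{'target', 'prot', 'extra'}, ...]} from `iptables -L` output.

    Columns are: target prot opt source destination <match/target options>.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split()
        chains[current].append(
            {"target": parts[0], "prot": parts[1], "extra": " ".join(parts[5:])}
        )
    return chains


def check_intercept_setup(conf, chains):
    """Return a list of (severity, message) findings about the interception path."""
    findings = []

    # 1. Squid must listen in intercept mode; remember which port(s).
    intercept_ports = [
        p.split()[0]
        for p in conf.get("http_port", [])
        if re.search(r"\b(transparent|intercept)\b", p)
    ]
    if not intercept_ports:
        findings.append(("error", "no http_port carries the transparent/intercept flag"))

    # 2. PREROUTING must REDIRECT tcp traffic to one of those ports.
    pre = chains.get("PREROUTING", [])
    redirect_ports = []
    for rule in pre:
        if rule["target"] == "REDIRECT" and rule["prot"] == "tcp":
            m = re.search(r"redir ports (\d+)", rule["extra"])
            if m:
                redirect_ports.append(m.group(1))
    if not redirect_ports:
        findings.append(("error", "PREROUTING has no tcp REDIRECT rule"))
    elif not set(redirect_ports) & set(intercept_ports):
        findings.append(("error", "REDIRECT ports %s do not match intercept http_port %s"
                         % (redirect_ports, intercept_ports)))

    # 3. Router reachability and forwarding method.
    if "wccp2_router" not in conf:
        findings.append(("error", "wccp2_router is not set"))
    method = FORWARDING.get(conf.get("wccp2_forwarding_method", ["1"])[0], "unknown")
    if method == "gre":
        findings.append(("warning", "wccp2_forwarding_method 1 = GRE: redirected traffic "
                         "arrives as IP protocol 47 and must be decapsulated by a gre "
                         "tunnel interface before a 'tcp dpt:www' REDIRECT rule can match"))
        if any(r["target"] == "LOG" and r["prot"] == "all" for r in pre):
            findings.append(("info", "the PREROUTING LOG rule matches prot 'all', so it also "
                             "logs undecapsulated GRE packets; a hit there does not prove "
                             "that TCP/80 reached the REDIRECT rule"))
    return findings


def run_checks(squid_text=SQUID_CONF, nat_text=NAT_LISTING):
    """Parse both inputs and return the findings list."""
    return check_intercept_setup(parse_squid_conf(squid_text), parse_nat_listing(nat_text))


if __name__ == "__main__":
    for severity, message in run_checks():
        print("[%s] %s" % (severity, message))
```

Run it against your own `squid.conf` and `iptables -t nat -L` output by swapping the two constructed strings; an `error` finding means the redirect can never reach Squid, while the GRE warning tells you which interface to watch (the tunnel, not the physical NIC) when logging in `PREROUTING`.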
