[squid-users] WCCP, Cisco ASA and asymmetric path

From: Abdessamad BARAKAT <abdsamad13_at_gmail.com>
Date: Mon, 9 Jul 2012 10:52:14 +0200

Hi,

I am trying to set up squid with WCCP redirection with a Cisco ASA firewall:

- squid :

Squid Cache: Version 3.1.20

configure options: --enable-ltdl-convenience

- Cisco ASA 8.2.2

My problem is with an asymmetric path: the redirect is made by the
ASA and squid receives the SYN packet on the GRE interface but
replies (SYN,ACK) on the ethernet interface.

I saw in some posts that I need to "masquerade" the traffic to force
the return path onto the GRE. I have tried this but without effect; I
can see the rules are matched:

Chain PREROUTING (policy ACCEPT 2656 packets, 317K bytes)
 pkts bytes target     prot opt in     out     source       destination
 2802  135K REDIRECT   tcp  --  wccp0  *       0.0.0.0/0    0.0.0.0/0    tcp dpt:80 redir ports 3139

Chain POSTROUTING (policy ACCEPT 8582 packets, 562K bytes)
 pkts bytes target     prot opt in     out     source       destination
28516 1866K MASQUERADE all  --  *      *       0.0.0.0/0    0.0.0.0/0

I found this post
(http://www.mail-archive.com/squid-users@squid-cache.org/msg64899.html),
where "tom" says that with a Cisco ASA you need to have the proxy server
also on the clients' LAN... I tried this and I can see it works with
this rule, but for me it's not a usable topology.

Does anyone have an idea how to make the redirection work where the clients
and the proxy aren't on the same LAN?

Thanks for any tips.
Received on Mon Jul 09 2012 - 08:52:22 MDT
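
The symptom described in the message above (SYN arriving on the GRE interface, SYN,ACK leaving on the ethernet interface) can be confirmed from a capture taken on the squid host. The following is an added example, not part of the original post: it assumes the line layout that `tcpdump -n -i any` prints on tcpdump 4.99 and later (interface name and direction before the packet), the sample lines are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample capture; addresses are from documentation ranges.
# Assumed layout: timestamp, interface, In/Out, then the usual tcpdump line.
SAMPLE = """\
10:52:01.000100 wccp0 In  IP 192.0.2.10.51000 > 198.51.100.7.80: Flags [S], seq 1000, win 64240, length 0
10:52:01.000300 eth0  Out IP 198.51.100.7.80 > 192.0.2.10.51000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
10:52:02.000100 wccp0 In  IP 192.0.2.11.51001 > 198.51.100.7.80: Flags [S], seq 3000, win 64240, length 0
10:52:02.000300 wccp0 Out IP 198.51.100.7.80 > 192.0.2.11.51001: Flags [S.], seq 4000, ack 3001, win 65160, length 0
"""

LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): Flags \[(?P<flags>[^\]]+)\]"
)

def find_asymmetric_handshakes(capture):
    """Return (client, server, syn_iface, synack_iface) for every handshake
    whose SYN,ACK left on a different interface than the SYN arrived on."""
    syn_in = {}      # (client ip.port, server ip.port) -> interface of the SYN
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 TCP line in the assumed layout
        iface, direction, flags = m["iface"], m["dir"], m["flags"]
        if flags == "S" and direction == "In":
            syn_in[(m["src"], m["dst"])] = iface
        elif flags == "S." and direction == "Out":
            # The reply carries the reversed address pair of the SYN.
            key = (m["dst"], m["src"])
            in_iface = syn_in.pop(key, None)
            if in_iface is not None and in_iface != iface:
                findings.append((key[0], key[1], in_iface, iface))
    return findings

if __name__ == "__main__":
    for client, server, syn_if, ack_if in find_asymmetric_handshakes(SAMPLE):
        print(f"{client} -> {server}: SYN in on {syn_if}, SYN,ACK out on {ack_if}")
```
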
