Re: [squid-users] WCCP, Cisco ASA and asymmetric path

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 09 Jul 2012 23:37:46 +1200

On 9/07/2012 8:52 p.m., Abdessamad BARAKAT wrote:
> Hi,
>
>
> I try to setup squid on wccp redirection with a Cisco ASA firewall:
>
> - squid :
>
> Squid Cache: Version 3.1.20
>
> configure options: --enable-ltdl-convenience
>
> - Cisco ASA 8.2.2
>
>
> My problem is with an asymmetric path: the redirect was made by the
> ASA and the squid receives the SYN packet on the GRE interface but
> replies (SYN,ACK) on the ethernet interface.

Why is that a problem? The packets are going back to the router, which
should be sending them to the clients regardless of the source.

>
>
> So I see on some posts that I need to "masquerade" the traffic to force
> the return path onto the GRE. I have tried this but without effect; I
> can see the rules are matched:

Only if you are NATing them to use a different source address. It does
not determine the machine outerface.

> Chain PREROUTING (policy ACCEPT 2656 packets, 317K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2802  135K REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3139
>
> Chain POSTROUTING (policy ACCEPT 8582 packets, 562K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 28516 1866K MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0

Makes all packets from the proxy appear to have come from the WAN IP on
that interface.

>
>
> I found this post
> (http://www.mail-archive.com/squid-users@squid-cache.org/msg64899.html),
> where "tom" says that with a Cisco ASA you need to have the proxy server
> also on the clients' LAN... I tried this and I can see it works with
> this rule, but for me it's not a usable topology.

It is not required. Just an easier way to plug the network together.

>
>
> Anyone have an idea for making the redirection work where the clients
> and the proxy aren't on the same LAN?

All you have to do is make sure the router handling the packets back
*to* the clients knows where to send them. Check that your router rules
accept packets in through the eth* where Squid is plugged which are
destined to the clients OR to the Internet; Squid will send both back to
the router.

(I can't help you on the particulars sorry).

Amos
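As an added illustration (not from the thread or from Squid itself), a small parser for `iptables -t nat -L -v -n` style listings that flags the catch-all POSTROUTING MASQUERADE rule Amos describes, the one that rewrites the source of every packet the proxy emits regardless of out-interface. The input is a constructed sample mirroring the two rules quoted above, not a capture from a live box.

```python
# Constructed sample in the shape of `iptables -t nat -L -v -n` output,
# reproducing the two rules quoted in the thread (not a live capture).
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 2656 packets, 317K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2802  135K REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3139

Chain POSTROUTING (policy ACCEPT 8582 packets, 562K bytes)
 pkts bytes target     prot opt in     out     source               destination
28516 1866K MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_nat_table(text):
    """Parse a verbose nat-table listing into rule dicts.

    Each rule carries its chain, target, protocol, in/out interface,
    source, destination and any trailing match text (e.g. 'tcp dpt:80').
    """
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        # At most 10 fields: the 9 fixed columns plus the free-form remainder.
        fields = line.split(None, 9)
        if len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        _pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        extra = fields[9] if len(fields) > 9 else ""
        rules.append({"chain": chain, "target": target, "prot": prot,
                      "in": iface_in, "out": iface_out, "src": src,
                      "dst": dst, "extra": extra})
    return rules


def catch_all_masquerade(rules):
    """Return POSTROUTING MASQUERADE rules with no out-interface and no
    source restriction.  Such a rule rewrites the source of everything the
    proxy sends, including the SYN/ACKs headed back toward the router, and
    does nothing to steer them onto the GRE interface."""
    return [r for r in rules
            if r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"
            and r["out"] == "*" and r["src"] == "0.0.0.0/0"]


if __name__ == "__main__":
    for r in catch_all_masquerade(parse_nat_table(SAMPLE_NAT_TABLE)):
        print("catch-all MASQUERADE in", r["chain"], "- source rewrite on every out-interface")
```

Scoping the rule with `-o <wan-interface>` (or a source range) stops it from touching proxy-originated replies; the return path itself is a routing question, as Amos says, not a NAT one.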
Received on Mon Jul 09 2012 - 11:37:54 MDT
