Re: [squid-users] WCCP, Cisco ASA and assymetric path

From: Abdessamad BARAKAT <abdsamad13_at_gmail.com>
Date: Mon, 9 Jul 2012 14:44:41 +0200

In fact, on the wiki
(http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2),
there is this:

Very important passage from the Cisco-Manual
 "The only topology that the security appliance supports is when
client and cache engine are behind the same interface of the security
appliance and the cache engine can directly communicate with the
client without going through the security appliance."

And I can see the reply was dropped by the ASA because I think when
the ASA makes the WCCP redirect, it doesn't record a new connection, so
when it sees the reply from the proxy to the client, the SYN was
dropped:

Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY LAN>

So does anyone know a workaround for this issue, to have the client and
the proxy not behind the same interface of the ASA firewall?

Thanks a lot

2012/7/9 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 9/07/2012 8:52 p.m., Abdessamad BARAKAT wrote:
>>
>> Hi,
>>
>>
>> I try to setup squid on wccp redirection with a Cisco ASA firewall:
>>
>> - squid :
>>
>> Squid Cache: Version 3.1.20
>>
>> configure options: --enable-ltdl-convenience
>>
>> - Cisco ASA 8.2.2
>>
>>
>> My problem is with an asymmetric path: the redirect is made by the
>> ASA and Squid receives the SYN packet on the GRE interface but
>> replies (SYN,ACK) on the Ethernet interface.
>
>
> Why is that a problem? The packets are going back to the router, which
> should be sending them to the clients regardless of the source.
>
>
>>
>>
>> So I saw in some posts that I need to "masquerade" the traffic to force
>> the return path onto the GRE. I have tried this but without effect; I
>> can see the rules are matched:
>
>
> Only if you are NATing them to use a different source address. It does not
> determine the machine outerface.
>
>
>> Chain PREROUTING (policy ACCEPT 2656 packets, 317K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  2802  135K REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3139
>>
>> Chain POSTROUTING (policy ACCEPT 8582 packets, 562K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 28516 1866K MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> Makes all packets from the proxy appear to have come from the WAN IP on that
> interface.
>
>
>>
>>
>> I found this post
>> (http://www.mail-archive.com/squid-users@squid-cache.org/msg64899.html),
>> where "tom" says that with a Cisco ASA you need to have the proxy server
>> also on the clients' LAN... I tried this and I can see it works with
>> this rule, but for me it's not a usable topology.
>
>
> It is not required. Just an easier way to plug the network together.
>
>
>>
>>
>> Does anyone have an idea for making the redirection work where the clients
>> and the proxy aren't on the same LAN?
>
>
> All you have to do is make sure the router handling the packets back *to*
> the clients knows where to send them. Check your router rules are accepting
> packets in through the eth* where Squid is plugged which are destined to the
> clients OR to the Internet, Squid will send both back to the router.
>
> (I can't help you on the particulars sorry).
>
> Amos
Received on Mon Jul 09 2012 - 12:44:48 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 10 2012 - 12:00:02 MDT
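The symptom in this thread is visible in the ASA syslog: a server's SYN ACK toward the proxy is denied with "no connection" because the firewall never saw the matching SYN (it left by another path). The following is an added example, not code from the thread or from the Squid project, that parses such %ASA-6-106015 lines and flags the orphaned SYN ACK replies for redirected service ports, so an operator can confirm that drops are caused by the asymmetric WCCP return path rather than by an ACL. It assumes the documented 106015 layout ("from IP/port to IP/port flags ... on interface name") and uses constructed sample log lines with documentation addresses; the interface name proxy_lan and the IPs are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the %ASA-6-106015 message
# quoted in the thread. Addresses, ports and the interface name are made up
# for illustration and are not taken from the original post.
SAMPLE_LOG = """\
Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.168.36.20/40512 flags SYN ACK on interface proxy_lan
Jul 9 14:11:27 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 192.168.36.20/40513 flags SYN ACK on interface proxy_lan
Jul 9 14:11:28 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/22 to 192.168.36.20/51000 flags RST on interface proxy_lan
Jul 9 14:11:29 192.168.35.250 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.0.0.5/40000 (10.0.0.5/40000)
Jul 9 14:11:30 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.11/80 to 192.168.36.20/40514 flags SYN ACK on interface proxy_lan
"""

# Matches only the "Deny TCP (no connection)" message (id 106015); other
# ASA message ids are ignored by the parser.
LOG_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return a dict describing a 106015 event, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = ev["flags"].split()
    return ev


def is_orphan_reply(ev, redirected_ports=(80,)):
    """True when the denied packet is a SYN ACK coming back from a port that
    WCCP redirects (port 80 in the thread): the server answered a SYN the ASA
    never tracked, which is the asymmetric-path failure described above."""
    return ev["flags"] == ["SYN", "ACK"] and ev["sport"] in redirected_ports


def find_asymmetric_drops(log_text, redirected_ports=(80,)):
    """Scan syslog text; return the matching events and a count of drops
    per (proxy address, ASA interface) so the affected leg is obvious."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_106015(line)
        if ev and is_orphan_reply(ev, redirected_ports):
            hits.append(ev)
    per_proxy = Counter((ev["dst"], ev["iface"]) for ev in hits)
    return hits, per_proxy


if __name__ == "__main__":
    hits, per_proxy = find_asymmetric_drops(SAMPLE_LOG)
    for (proxy, iface), n in per_proxy.items():
        print(f"{n} orphaned SYN ACK replies to {proxy} dropped on interface {iface}")
    for ev in hits:
        print(f"  {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}")
```

Run against the constructed sample, the script reports two dropped replies to the proxy on proxy_lan and ignores the RST and the unrelated 302013 line; passing redirected_ports=(80, 443) also picks up the HTTPS reply. A steady stream of such events on the proxy's interface, with no corresponding 302013 "Built connection" entries, is the signature of the topology restriction quoted from the Cisco manual above.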