Content Engine 510A Spoofing Through PIX - NOT WORKING!

dhunter-69
Level 1

Hello all, I have a question regarding Content Engine spoofing addresses through a PIX. I hope someone can help me with...

We have a large network constructed in a star topology. The core router at the center of the star has egress to the Internet via a PIX 525 (core router is on Inside of PIX).

We have a peppering of content engines both connected to our core router and at some remote sites to cache web sites offering educational curriculum we've purchased access to.

The egress interface from the core has "ip wccp web-cache redirect out" AND "ip wccp redirect exclude in". Interfaces connected to remote sites with their own content engines have "ip wccp redirect exclude in" so the core content engine ignores them.

At our remote site we have a similar setup, but we need to do spoofing so we can track user traffic and bandwidth based on IP. So, we've tried the ip spoofing instructions for hosts and content engine on different subnets.

Our remote site config is...

int fa1/0 (LAN Interface)
  ip wccp 95 redirect out

int fa1/15 (CE 510A Interface)
  ip wccp redirect exclude in

int s0/0 (WAN Interface)
  ip wccp web-cache redirect out

The content engine is configured with both service 95 and the line to hash the ip address and source port. (All from the "ACNS 5.3-For Locally Managed Deployments.pdf")

Traffic flows from the remote site to the core router and to the attached LAN there, where we have internal web servers, with no problems. Traffic also flows to the Packetshaper immediately before the PIX - no problem. However, when going to the Internet, it may take as long as 5 minutes or more to load a web page. I can see the PIX is receiving the spoofed IP and even building a NAT translation for it to go to the Internet using a public IP. But traffic just stalls.... (We DID remove the Packetshaper, same results...)

So, since I have intra-net access with no problem and my traffic seems to get mired in the PIX, is there something I need to configure on the PIX to allow spoofed IPs on the Inside interface to egress to the Internet on the Outside interface?

Core Router 7206VXR:

Version 12.1(14)E6, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Remote Router 2650:

Version 12.4(1), RELEASE SOFTWARE (fc3)

PIX 525:

Cisco PIX Firewall Version 6.3(1)

Content Engine 510A:

Application and Content Networking System Software Release 5.3.1 (build b5 Mar 17 2005)

Thanks!

David B. Hunter

South Bend Community School Corporation

Networking Specialist

1 Reply

dhunter-69
Level 1

SOLVED --

The mistake was my own...in writing this post and re-testing, I realized I had made a foolish mistake. I applied an access-list (which I forgot to include) to the "ip wccp web-cache redirect-list bypass_content_engine" in the global config of the router.

When I installed service 95 for spoofing, I automatically added the same access list to it as well.

This was not a good thing since the access list denied packets with a destination of our internal IP addresses from going through the content engine. This worked fine on the way *out* of the router. But as the now-spoofed packets returned, their destination was an inside IP address and they were pretty much discarded. Foolish Mistake!

Removing the ACL from the "ip wccp 95" statement in the global config fixed the issue and I am spoofing fine.

Sorry to waste time...

David Hunter
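The mistake and the fix described in the reply, shown side by side as an added IOS configuration illustration (this is not the poster's actual configuration). The ACL name bypass_content_engine and the service-group numbers come from the thread; the internal prefix 10.0.0.0/8 is an assumed placeholder standing in for the poster's inside addresses.

```ios
! Added illustration, not the original poster's configuration.
! Assumed placeholder: 10.0.0.0/8 represents the internal address space.
!
! A packet that matches a "deny" entry in a WCCP redirect-list is not
! sent to the content engine; it is forwarded normally by the router.
ip access-list extended bypass_content_engine
 remark intranet destinations: never redirect to the content engine
 deny   ip any 10.0.0.0 0.255.255.255
 remark everything else is eligible for redirection
 permit ip any any
!
! BEFORE (the mistake): the same redirect-list on both service groups.
! Service 95 is applied "redirect out" on the LAN interface, so it sees
! the RETURN traffic, whose destination is the spoofed inside client.
! That traffic matches the deny entry, bypasses the content engine, and
! is never un-spoofed.
ip wccp web-cache redirect-list bypass_content_engine
ip wccp 95 redirect-list bypass_content_engine
!
! AFTER (the fix): no redirect-list on the spoofing service group, so
! returning packets destined to the inside client still reach the
! content engine.
ip wccp web-cache redirect-list bypass_content_engine
ip wccp 95
```

The direction matters: the web-cache service on the WAN interface sees outbound requests (internal source, external destination), where a deny on internal destinations is harmless, while service 95 on the LAN interface sees the reverse flow, where the same deny removes exactly the packets the content engine must see.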
