03-21-2014 06:34 PM - edited 03-11-2019 08:59 PM
Hello all... hoping somebody can help me here. Having a bear of a time getting WCCP redirection working for HTTP clients using Squid on CentOS as a proxy and an ASA as my firewall device. I've followed 10 or so articles to no avail. This one here seems concise enough and I followed it verbatim, except for the iptables -t nat -A POSTROUTING -j MASQUERADE line at the end... did not see that anywhere else and read it can cause issues with firewalls.
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2#Cisco_ASA
I have connectivity throughout the network. Squid is working and works fine if I point my browsers to it, clients can get out... But just can't get the transparent redirect\intercept to work with WCCP.
I've attached a screenshot of a Wireshark capture at the eth0 of the Squid box. When requesting a website from a Windows client (novell.com for example) I get a TCP packet from the ASA to the proxy as it should, with the WCCP\GRE packet with the web request inside. After that it's a TCP out-of-order packet followed by a slew of TCP retransmits from the requesting client to the web site – with every other packet having the WCCP\GRE header.
I could certainly post my pertinent configs but I think they are solid as per the above article and all else I've researched.
Here's the basic topology:
ASA- inside- (also my WCCP ID)- 192.168.10.5
Squid proxy (3128)- 192.168.1.19 w a gre interface (wccp0) redirecting to port 3129
Windows client- 192.168.1.2
Cisco Adaptive Security Appliance Software Version 8.4(2)
Squid V 3.4
CentOS 6.5
Any help is appreciated- would love to get this to work ! Dennis
03-27-2014 09:15 AM
Did some more captures...found that my redirects were not getting decapsulated on the squid box. It was my iptables line in CentOS
Needed to use the DNAT directive as such...NOT the Redirect, as you may see in other posts.
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.19:3129
Blogged my set up too...for those interested:
http://techjuice.blogspot.com/2014/03/cisco-asa-with-wccp-redirect-to-squid.html
Dennis
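The fix in the reply above, as an added check that is not part of the original posts: a shell function that reads `iptables-save -t nat` text and reports whether the port-80 rule on the WCCP GRE interface uses DNAT to the Squid intercept address from the thread (192.168.1.19:3129) or REDIRECT. The function name `audit_wccp_rules` and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `iptables-save -t nat` text for
# the WCCP interception rule. Usage: audit_wccp_rules IFACE PROXY_IP PORT < rules
# REDIRECT rewrites the destination to the primary address of the incoming
# interface; DNAT names the Squid address explicitly, as the reply does.
audit_wccp_rules() {
    awk -v iface="$1" -v want="$2:$3" '
        $1 == "-A" && $2 == "PREROUTING" {
            in_if = ""; target = ""; dest = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            # Only the HTTP rule on the GRE interface matters here.
            if (in_if != iface || dport != "80") next
            seen = 1
            if (target == "DNAT" && dest == want) {
                print "OK: DNAT to " dest
            } else if (target == "REDIRECT") {
                print "FAIL: REDIRECT on " iface ", expected DNAT to " want
                bad = 1
            } else {
                print "FAIL: " target " " dest ", expected DNAT to " want
                bad = 1
            }
        }
        END {
            if (!seen) { print "FAIL: no port-80 rule on " iface; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample rule sets in iptables-save format.
RULES_REDIRECT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT'
RULES_DNAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.19:3129
COMMIT'

printf '%s\n' "$RULES_REDIRECT" | audit_wccp_rules wccp0 192.168.1.19 3129 || true
printf '%s\n' "$RULES_DNAT" | audit_wccp_rules wccp0 192.168.1.19 3129
```

On a live box, feed it real rules with `iptables-save -t nat | audit_wccp_rules wccp0 192.168.1.19 3129`; the exit status is non-zero when the rule is missing or is not the expected DNAT.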