11-19-2008 08:26 AM - edited 03-11-2019 07:15 AM
Hi, I'm trying to get WCCP working between ASA and SQUID.
Everything seems to be done correctly in both the ASA and SQUID configs, but my clients are not able to get HTTP internet access through ASA-WCCP-SQUID. Instead of browsing the internet, my clients are getting an ICMP port unreachable message from SQUID.
Please let me know if you find something unusual or if you would like to share some useful information about it.
The following lines are my configs and show command output:
WCCP ASA CONFIG
!
wccp web-cache redirect-list proxy-traffic group-list proxy-servers
wccp interface inside web-cache redirect in
!
access-list proxy-traffic extended permit tcp object-group proxy-users any object-group proxy-services
!
access-list proxy-servers extended permit ip host 172.30.0.10 any
!
object-group network proxy-users
network-object host 172.30.0.110
network-object host 172.30.0.180
!
object-group service proxy-services tcp
port-object eq www
!
WCCP SHOW COMMANDS
fwsnseba# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.1.1.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 14335
Redirect access-list: proxy-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 87
Group access-list: proxy-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
fwsnseba# sh wccp interfaces detail
WCCP interface configuration details:
GigabitEthernet0/1
Output services: 0
Input services: 1
Static: Web-cache
Dynamic: None
Mcast services: 0
Exclude In: FALSE
fwsnseba# sh wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID: 172.30.0.10
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 14335
Connect Time: 01:43:41
fwsnseba#
WCCP ACLs MATCH
fwsnseba# sh access-list proxy-traffic
access-list proxy-traffic; 2 elements
access-list proxy-traffic line 1 extended permit tcp object-group proxy-users any object-group proxy-services 0xd2d97eca
access-list proxy-traffic line 1 extended permit tcp host 172.30.0.110 any eq www (hitcnt=4020) 0x8bbf4c3b
access-list proxy-traffic line 1 extended permit tcp host 172.30.0.180 any eq www (hitcnt=9889) 0xa0dab691
!
fwsnseba# sh access-list proxy-servers
access-list proxy-servers; 1 elements
access-list proxy-servers line 1 extended permit ip host 172.30.0.10 any (hitcnt=20277) 0x0289453e
fwsnseba#
ASA IP ADDRESSING
fwsnseba# sh ip address
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 200.1.1.1 255.255.255.248 CONFIG
GigabitEthernet0/1 inside 172.30.0.120 255.255.255.0 CONFIG
WCCP SQUID CONFIG
[root@srv-squidwccp ~]# grep ^wccp /etc/squid/squid.conf
wccp2_router 172.30.0.120
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
[root@srv-squidwccp ~]# grep ^http_port /etc/squid/squid.conf
http_port 172.30.0.10:3128 transparent
http_port 172.30.0.10:80 transparent
CentOS5 Kernel 2.6.18-92.1.17.el5
The IPTables is turned off.
11-26-2008 07:22 AM
Web filtering would block traffic between the firewall and the Squid. Perhaps it is not; perhaps it is blocking the traffic from the Squid to the client, which is actually port 80.
11-27-2008 06:34 AM
Thanks for your help, but I don't understand your comment. Could you please explain it in another way? Thanks once again.