06-21-2011 08:24 AM - edited 03-11-2019 01:48 PM
Hello.
I have been reading and googling for a couple of days, and yet I have not gotten this configuration to work:
Squid 3.1
Cisco ASA 5540 8.2(3)
Squid Conf:
http_port 8080 transparent
wccp2_router {internal-ASA-IP}
wccp2_service standard 0 password=123
Squid Server:
iptunnel add gre1 mode gre remote {external-ASA-IP} local {Squid-IP} dev eth0
ifconfig gre1 127.0.0.2 up
iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 8080
echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
ASA Conf:
access-list wccp extended deny tcp host {Squid-IP} any eq www inactive
access-list wccp extended permit tcp host {my-machine-for-testing-purpose} any eq www
access-list wccp-server extended permit ip host {Squid-IP} any
wccp web-cache redirect-list wccp group-list wccp-server password *****
wccp interface INTERNAL web-cache redirect in
Squid and ASA are in the same segment.
Any ideas? Suggestions?
Rom
06-21-2011 11:10 AM
Hi Rom,
Here's what I have configured on Ubuntu which is up and running. Do you see a cache engine come up in the "show wccp" output on the ASA?
Squid Server
modprobe ip_gre
iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 192.168.1.5 netmask 255.255.255.0 up
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE
Squid conf
acl bad url_regex "/etc/squid/squid-block-acl.conf"
acl bad_url dstdomain "/etc/squid/squid-block-acl.conf"
http_port 3128 transparent
Squid-block-acl.conf
yahoo.com
06-21-2011 11:51 AM
Thanks Phillip! But it didn't work :-(...
Ubuntu? I am using Fedora 14... Should I try it?
This is the "sh wccp":
Global WCCP information:
Router information:
Router Identifier: {ext-ASA-IP}
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 2463
Redirect access-list: wccp
Total Connections Denied Redirect: 79
Total Packets Unassigned: 1095
Group access-list: wccp-server
Total Messages Denied to Group: 16
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Question:
In your reply, you pasted:
iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 192.168.1.5 netmask 255.255.255.0 up
If I use it as is, for some reason I lose the network connection. That's a problem...
I tried, as suggested by another colleague, changing it to:
iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 127.0.0.2 netmask 255.255.255.0 up
Another thing is that I get the following syslog message in the ASA:
3 Jun 21 2011 14:47:23 313001 {SQUID-IP} Denied ICMP type=3, code=3 from {SQUID-IP} on interface INTERNAL
4 Jun 21 2011 14:47:23 313005 No matching connection for ICMP error message: icmp src INTERNAL:{SQUID-IP} dst identity:{ext-ASA-IP} (type 3, code 3) on INTERNAL interface. Original IP payload: protocol 47 src {ext-ASA-IP} dst {SQUID-IP}.
I get this message when I test the browser hitting a website....
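Added here as a troubleshooting helper, not code from the thread: it parses the kind of "sh wccp" counters and ASA 313005 messages quoted above and reports where in the WCCP path things stop. The addresses are constructed placeholders, and the GRE interpretation rests on Linux ip_gre answering a GRE packet that matches no configured tunnel with ICMP type 3, code 3 (port unreachable).

```python
import re

# Constructed samples modelled on the "sh wccp" output and the two ASA syslog
# lines quoted in the thread; the addresses are documentation placeholders.
SHOW_WCCP = """\
Router Identifier: 198.51.100.1
Number of Cache Engines: 1
Total Packets Redirected: 2463
"""
ASA_LOG = """\
3 Jun 21 2011 14:47:23 313001 192.0.2.5 Denied ICMP type=3, code=3 from 192.0.2.5 on interface INTERNAL
4 Jun 21 2011 14:47:23 313005 No matching connection for ICMP error message: icmp src INTERNAL:192.0.2.5 dst identity:198.51.100.1 (type 3, code 3) on INTERNAL interface. Original IP payload: protocol 47 src 198.51.100.1 dst 192.0.2.5.
"""

IP = r"\d+(?:\.\d+){3}"
ICMP_ERR = re.compile(  # ASA message 313005: an ICMP error carrying the original packet's header
    rf"313005 .*?icmp src \w+:(?P<icmp_src>{IP}) .*?\(type (?P<type>\d+), code (?P<code>\d+)\)"
    rf".*?Original IP payload: protocol (?P<proto>\d+) src (?P<gre_src>{IP}) dst (?P<gre_dst>{IP})"
)

def parse_show_wccp(text):
    """'Name: value' lines of 'show wccp' as a dict (headings without a value are skipped)."""
    counters = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if value.strip():
            counters[name.strip()] = value.strip()
    return counters

def gre_rejections(log_text):
    """(cache_host, gre_sender) for every ICMP port-unreachable (type 3, code 3) a host sent
    back in answer to a GRE packet (protocol 47): the host has no tunnel matching that packet."""
    found = []
    for m in ICMP_ERR.finditer(log_text):
        if (m["type"], m["code"], m["proto"]) == ("3", "3", "47") and m["icmp_src"] == m["gre_dst"]:
            found.append((m["icmp_src"], m["gre_src"]))
    return found

def diagnose(wccp_text, log_text):
    """Ordered findings, most fundamental problem first."""
    c = parse_show_wccp(wccp_text)
    if c.get("Number of Cache Engines", "0") == "0":
        return ["no cache engine registered: check wccp2_router, the password and the group-list ACL"]
    if int(c.get("Total Packets Redirected", "0")) == 0:
        return ["cache registered but nothing redirected: check the redirect-list ACL and 'wccp interface ... redirect in'"]
    findings = []
    for host, sender in gre_rejections(log_text):
        findings.append(f"{host} rejects GRE from {sender} (ICMP 3/3): no tunnel on it matches remote {sender} "
                        f"(Router Identifier {c.get('Router Identifier')}) and local {host}; check ip_gre and the tunnel endpoints")
    return findings or ["redirection works and no GRE rejections seen: look at the iptables REDIRECT rule and Squid itself"]
```

Run it against the real "sh wccp" output and a copy of the ASA log with `diagnose(open('wccp.txt').read(), open('asa.log').read())`.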