11-06-2018 04:59 AM - edited 02-21-2020 08:26 AM
I am configuring transparent Squid proxy redirection with a Cisco ASA via WCCP. Squid is already configured with authorization through Active Directory (Kerberos and LDAP groups) and works if the client registers the proxy settings. The OS used is CentOS 7, installed on a virtual machine. The IP address of the physical interface of the proxy server is 172.31.0.200/24. The IP address of the ASA internal interface is 172.31.0.4/24:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:af:43:91 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.200/24 brd 172.31.4.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaf:4391/64 scope link
       valid_lft forever preferred_lft forever
Configured tunneling in CentOS 7:
modprobe ip_gre
ip tunnel add wccp0 mode gre remote 172.31.0.4 local 172.31.0.200 dev ens32
ip link set wccp0 up
Then I created the /etc/sysconfig/network-scripts/ifcfg-wccp0 file. I do not understand how to describe it, since in the case of a tunnel to the ASA the outer and inner addresses of the tunnel are the same:
ONBOOT=YES
DEVICE=wccp0
IPADDR=172.31.0.200
MY_INNER_IPADDR=172.31.0.200
MY_OUTER_IPADDR=172.31.0.200
PEER_INNER_IPADDR=172.31.0.4
PEER_OUTER_IPADDR=172.31.0.4
Squid settings:
http_port 172.31.0.200:3128
http_port 172.31.0.200:3127 intercept
wccp2_router 172.31.0.4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
ASA settings. 172.31.10.129 is the address of the test machine I am currently checking from.
object network SQUID
 host 172.31.0.200
 description Squid server for WCCP
access-list WCCP-TRAFFIC extended permit ip host 172.31.10.129 any4
access-list WCCP-SERVER extended permit ip object SQUID any4
wccp web-cache redirect-list WCCP-TRAFFIC group-list WCCP-SERVER password cisco
wccp interface inside web-cache redirect in
But it is not working. If anyone has faced this, please help. Thanks in advance.
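The Linux side of the procedure described in the post above, collected into one script, as an added example that is not the poster's configuration or anything from Cisco or Squid. It reuses the addresses, interface name and intercept port from the post (172.31.0.200, 172.31.0.4, ens32, 3127). Two things in it are not on the page and are my additions: the rp_filter sysctls, because the strict reverse-path filter that CentOS 7 enables by default drops packets arriving on wccp0 with client source addresses, and the iptables REDIRECT in the nat PREROUTING chain, because decapsulated packets are still addressed to the origin web server on port 80 and something has to hand them to Squid's intercept port. The function names and the DRY_RUN convention are mine.

```shell
#!/bin/sh
# Added example: bring up the Squid host's side of a WCCPv2 GRE redirect on
# CentOS 7. Not the original poster's script. Run as root to apply, or with
# DRY_RUN=1 to print the commands that would run. Usage:
#   sudo sh wccp-setup.sh apply
#   DRY_RUN=1 sh wccp-setup.sh apply
set -eu

# Values from the thread; override via environment if yours differ.
SQUID_IP="${SQUID_IP:-172.31.0.200}"     # proxy's physical address (tunnel local end)
ASA_IP="${ASA_IP:-172.31.0.4}"           # ASA inside interface (tunnel remote end)
PHYS_IF="${PHYS_IF:-ens32}"              # interface carrying the GRE packets
TUN_IF="${TUN_IF:-wccp0}"                # GRE tunnel device name
INTERCEPT_PORT="${INTERCEPT_PORT:-3127}" # Squid "http_port ... intercept" port

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. GRE tunnel that terminates the ASA's redirect. The ASA encapsulates
#    client packets towards SQUID_IP, so both ends are the physical
#    addresses and the tunnel device itself needs no address.
wccp_tunnel() {
    run modprobe ip_gre
    run ip tunnel add "$TUN_IF" mode gre remote "$ASA_IP" local "$SQUID_IP" dev "$PHYS_IF"
    run ip link set "$TUN_IF" up
}

# 2. Kernel prerequisites. ip_forward must be on. rp_filter must be off on
#    the tunnel (and globally, since "all" overrides per-interface values):
#    redirected packets carry arbitrary client source addresses that the
#    kernel would otherwise reject as spoofed before Squid sees them.
#    Run after wccp_tunnel so the per-interface key exists.
wccp_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.default.rp_filter=0
    run sysctl -w "net.ipv4.conf.${TUN_IF}.rp_filter=0"
}

# 3. Deliver decapsulated port-80 traffic to Squid's intercept port. Only
#    packets entering via the tunnel are redirected, so the regular
#    explicit-proxy port 3128 and local traffic are untouched.
wccp_redirect() {
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

wccp_setup() {
    wccp_tunnel
    wccp_sysctl
    wccp_redirect
}

# Apply only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    apply) wccp_setup ;;
esac
```

Without the nat rule the host either forwards or drops the decapsulated packets and the intercept port never sees a connection, so an iptables service that is stopped removes the very rule this setup depends on; if the host firewall must stay minimal, keep at least this one rule and permit TCP 3127 only from packets arriving on wccp0.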
11-06-2018 07:01 AM
Follow the document below:
Have you enabled ip_forward (set it to 1)?
http://parvinderbhasin.blogspot.com/2009/06/squid-wccp-and-cisco-asa-setup.html
11-07-2018 04:36 AM
Yes, I have. And iptables is shut down.
11-08-2018 06:34 AM - edited 11-08-2018 06:34 AM
On ASA:
asa-5550-edge# sh wccp
Global WCCP information:
Router information:
Router Identifier: XXX.XXX.XXX.XXX
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 1183
Redirect access-list: WCCP-TRAFFIC
Total Connections Denied Redirect: 0
Total Packets Unassigned: 14
Group access-list: WCCP-SERVER
Total Messages Denied to Group: 84
Total Authentication failures: 172
Total Bypassed Packets Received: 0
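The "show wccp" output posted above carries the counters a practitioner reads first when a cache never appears. As an added example, not part of the thread, here is a small checker that pulls those counters out of saved "show wccp" output and names what each nonzero one means in WCCPv2 terms: "Number of Cache Engines" is how many caches have completed registration, "Total Authentication failures" counts HERE_I_AM messages whose MD5 password did not match the service group's password, and "Total Messages Denied to Group" counts messages from a cache address the group-list ACL does not permit. The sample embedded in the script is the output from the post (with the router identifier masked as it is there); the function names are mine.

```shell
#!/bin/sh
# Added example: read saved `show wccp` output from an ASA and flag the
# counters that explain a cache engine that has not registered. Not from
# the original thread. Usage:
#   sh wccp-check.sh show-wccp.txt   # check a saved capture
#   sh wccp-check.sh demo            # run against the sample from the post
set -eu

# Print the integer following "<label>:" in file $2; 0 if the label is absent.
wccp_counter() {
    v=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | head -n 1)
    printf '%s\n' "${v:-0}"
}

# One finding per line. Returns 0 only when a cache engine is registered and
# the ASA is rejecting nothing; otherwise 1.
wccp_diagnose() {
    f="$1"
    status=0
    engines=$(wccp_counter "Number of Cache Engines" "$f")
    auth=$(wccp_counter "Total Authentication failures" "$f")
    group=$(wccp_counter "Total Messages Denied to Group" "$f")
    unassigned=$(wccp_counter "Total Packets Unassigned" "$f")

    if [ "$engines" -eq 0 ]; then
        echo "NO_CACHE: no cache engine is registered, so nothing is being redirected to Squid"
        status=1
    fi
    if [ "$auth" -gt 0 ]; then
        # HERE_I_AM messages arrived but failed the MD5 password check:
        # compare 'wccp ... password' on the ASA with 'password=' in wccp2_service.
        echo "AUTH_FAIL: $auth messages failed WCCP password authentication"
        status=1
    fi
    if [ "$group" -gt 0 ]; then
        # Messages came from a source the group-list ACL does not permit:
        # check which address Squid actually sources its WCCP packets from.
        echo "GROUP_DENIED: $group messages rejected by the group-list ACL"
        status=1
    fi
    if [ "$unassigned" -gt 0 ]; then
        echo "UNASSIGNED: $unassigned redirect-list matches had no cache to go to"
    fi
    return "$status"
}

# The `show wccp` output from the post, written to a temp file; prints its path.
wccp_sample_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Global WCCP information:
 Router information:
  Router Identifier:          XXX.XXX.XXX.XXX
  Protocol Version:           2.0
 Service Identifier: web-cache
  Number of Cache Engines:    0
  Number of routers:          0
  Total Packets Redirected:   1183
  Redirect access-list:       WCCP-TRAFFIC
  Total Connections Denied Redirect: 0
  Total Packets Unassigned:   14
  Group access-list:          WCCP-SERVER
  Total Messages Denied to Group: 84
  Total Authentication failures: 172
  Total Bypassed Packets Received: 0
EOF
    printf '%s\n' "$f"
}

case "${1:-}" in
    "")   ;;                                    # sourced or run without arguments: define functions only
    demo) wccp_diagnose "$(wccp_sample_file)" ;;
    *)    wccp_diagnose "$1" ;;
esac
```

On the posted output the checker reports all three failure lines, which is the expected picture when the service-group password or the group-list does not line up between the two ends; "show wccp web-cache detail" on the ASA and a packet capture of UDP 2048 on the Squid host's physical interface show which side is sending what.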
03-17-2020 11:40 AM
Did you figure out how to get this to work? We are looking to do the same. Thanks.
03-18-2020 07:45 AM
Hi,
Once you've done your configuration on both SQUID and ASA, go on the ASA and post the output of: "show wccp" and "show wccp x detail", also post your ASA and SQUID relevant config.
Regards,
Cristian Matei.