cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4710
Views
0
Helpful
5
Replies

How to configure Cisco ASA and Squid with WCCP2 ?

gadzhikuliev
Level 1
Level 1

Configure a transparent proxy Squid redirection with a Cisco ASA via WCCP. Squid is already configured with authorization through Active Directory (Kerberos and LDAP groups), works if the client to register proxy settings. The OS used is CentOS 7, installed on the virtual machine. The IP address of the physical interface of the proxy server is 172.31.0.200 / 24. The IP adress of the ASA internal interface is 172.31.0.4 / 24

 

: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:af:43:91 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.200/24 brd 172.31.4.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaf:4391/64 scope link
       valid_lft forever preferred_lft forever

Configured tunneling in CentOS 7:

modprobe ip_gre
ip tunnel add wccp0 mode gre remote 172.31.0.4 local 172.31.0.200 dev ens32
ip link set wccp0 up

Then I created /etc/sysconfig/network-scripts/ifcfg-wccp0 file. I do not understand how to describe it when in the case of a tunnel on the ASA the external and internal address of the tunnel is the same:

ONBOOT=YES
DEVICE=wccp0
IPADDR=172.31.0.200
MY_INNER_IPADDR=172.31.0.200
MY_OUTER_IPADDR=172.31.0.200
PEER_INNER_IPADDR=172.31.0.4
PEER_OUTER_IPADDR=172.31.0.4

Squid settings:

http_port 172.31.0.200:3128
http_port 172.31.0.200:3127 intercept

wccp2_router 172.31.0.4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco

ASA settings. 172.31.10.129 - the address of the test machine, while on it check.

object network SQUID
   host 172.31.0.200
   description Squid server for WCCP

access-list WCCP-TRAFFIC extended permit ip host 172.31.10.129 any4
access-list WCCP-SERVER extended permit ip object SQUID any4 

wccp web-cache redirect-list WCCP-TRAFFIC group-list WCCP-SERVER password cisco
wccp interface inside web-cache redirect in

But it is not working. If who faced, please help. Thanks in advance.

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

Follow below document :

 

have you enabled ip_forwarding to 1 ?

 

http://parvinderbhasin.blogspot.com/2009/06/squid-wccp-and-cisco-asa-setup.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, I have. And iptables is shutdown.

On ASA:

asa-5550-edge# sh wccp

Global WCCP information:
Router information:
Router Identifier: XXX.XXX.XXX.XXX
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 1183
Redirect access-list: WCCP-TRAFFIC
Total Connections Denied Redirect: 0
Total Packets Unassigned: 14
Group access-list: WCCP-SERVER
Total Messages Denied to Group: 84
Total Authentication failures: 172
Total Bypassed Packets Received: 0

Did you figure out how to get this to work? We are looking to do the same. Thanks.

Hi,

 

   Once you've done your configuration on both SQUID and ASA, go on the ASA and post the output of: "show wccp" and "show wccp x detail", also post your ASA and SQUID relevant config.


Regards,

Cristian Matei.

Review Cisco Networking for a $25 gift card