WCCP with https redirection on ASA

mrbzumrbzu (Level 1)

Hi All,

I have tried WCCP HTTP redirection on the firewall with a squid server and it runs OK. Then I tried WCCP HTTPS redirection on the firewall, and it's not working: the request goes straight through the firewall. Does WCCP support HTTPS redirection, or does it only work for HTTP? Your answer will be appreciated.

Regards

25 Replies

aresiusxp (Level 1)

Were you able to make it work? Maybe you can help me.

https://supportforums.cisco.com/message/3074818#3074818

I'm sorry, I don't have an answer to your question.

Panos Kampanakis (Cisco Employee)

It should work with https also.

Make sure your wccp service is configured for both port 80 and 443, or else the ASA will not redirect https.

The ASA will talk to the engine and agree on the ports supported on the service and then redirect.

I hope it helps.

PK

Hi PK,

Thanks for the reply. Do I have to use the dynamic service numbers? Dynamic service numbers are from 0-254, so 443 isn't in the range.

I have created an access list for redirecting HTTPS traffic and applied it to web-cache, but it didn't work and the firewall passes this traffic to the internet. Please help me to understand the service numbers and how to implement them. I would be very grateful.

Patricio,

PK is right; routing on your squid box will solve the problem. Add the router (firewall outside interface) pointing to the firewall inside interface IP.

Regards

Hi PK,

I have found that service group 70 is for HTTPS, so I have configured it accordingly, but it's not working and I'm not seeing any hits either:


Global WCCP information:
    Router information:
        Router Identifier:                   193.193.1.130
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            531
        Redirect access-list:                WCCP-http
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 5
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-ftp
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-https
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Hi,

After making a few changes on squid for WCCP, the ASA is now redirecting that traffic to squid, but squid is giving the error message "unsupported type". I will do some more investigation on this. Does anybody know what specific changes are required on squid to make this work? Squid is running in transparent mode.

regards

Hi ,

Does anybody know whether WCCP works with squid for HTTPS traffic? I am finding it difficult to get them working together and have failed to get a working setup. Neither have I found anything on the internet about this....

Regards

Greetings,

According to the main squid page, HTTPS is supported: "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more."

http://www.squid-cache.org/

There are a lot of good configuration examples on this site as well, but their ASA config example is not ideal.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

The config example on the page linked above uses a redirect-list ACL with the www port defined. This is incorrect, because the ASA decides what services are sent to the web-cache server based on what is negotiated for that service with the server. This means two things:
1) You should define your redirect-list ACL with all IP traffic and let the negotiation with the squid WCCP server decide which ports are redirected.
2) You need a separate redirect service number for each service type: http, https, ftp, etc.

Corrected config:

! Hosts to be redirected; exempt the squid server itself so its own upstream
! fetches are not redirected back to it ($SQUID-IP and WORKSTATIONS are
! placeholders for the squid address and the client subnet)
access-list wccp_redirect extended deny ip host $SQUID-IP any
access-list wccp_redirect extended permit ip WORKSTATIONS 255.255.255.0 any

! Default (well-known) service for http traffic
wccp web-cache redirect-list wccp_redirect password foo

! Additional dynamic service for https traffic; 70 must match the service
! number the squid server advertises
wccp 70 redirect-list wccp_redirect password foo

! Apply both services to the inside interface
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

I hope this helps.

Thanks,

Brendan
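
PK's and Brendan's point is the same: the ASA only redirects the ports that the cache engine announces when it joins a service group, so a redirect-list ACL cannot by itself send port 443 to squid. Service 70 has to exist on both sides with the same password, and squid has to announce ports=443 for it. The script below is an added example, not from this thread: it parses both sides and reports the mismatches that keep a group from forming, plus the ports that will actually be redirected. The ASA lines are Brendan's corrected config; the squid lines are a constructed squid.conf fragment in the documented wccp2_* syntax, with 10.0.0.x addresses as placeholders (wccp2_router must be the ASA interface IP in a real deployment). SQUID_CONFIG_BROKEN is constructed to reproduce the failure mode in the thread, where squid only joins the standard web-cache group.

```python
import re

# Constructed sample inputs (not captured from a live device). The ASA lines are
# Brendan's corrected config; the squid lines are a hypothetical squid.conf
# fragment in the form squid's wccp2_* directives take. Addresses are placeholders.
ASA_CONFIG = """\
access-list wccp_redirect extended permit ip 10.0.0.0 255.255.255.0 any
wccp web-cache redirect-list wccp_redirect password foo
wccp 70 redirect-list wccp_redirect password foo
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
"""

SQUID_CONFIG_OK = """\
http_port 10.0.0.2:3129 intercept
wccp2_router 10.0.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=foo
wccp2_service dynamic 70 password=foo
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
"""

# The failure mode from the thread: squid only joins the standard web-cache
# group, so the ASA has no engine to send service 70 (port 443) traffic to.
SQUID_CONFIG_BROKEN = """\
http_port 10.0.0.2:3129 intercept
wccp2_router 10.0.0.1
wccp2_service standard 0 password=foo
"""

WEB_CACHE = "0"  # the well-known "web-cache" service is WCCP service id 0 (TCP/80)


def parse_asa_wccp(text):
    """ASA side: service id -> password and the interfaces it is applied to."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^wccp\s+(web-cache|\d+)\b(.*)$", line)
        if m:
            sid = WEB_CACHE if m.group(1) == "web-cache" else m.group(1)
            pw = re.search(r"\bpassword\s+(\S+)", m.group(2))
            svc = services.setdefault(sid, {"password": None, "interfaces": set()})
            svc["password"] = pw.group(1) if pw else None
            continue
        m = re.match(r"^wccp\s+interface\s+(\S+)\s+(web-cache|\d+)\s+redirect\s+in", line)
        if m:
            sid = WEB_CACHE if m.group(2) == "web-cache" else m.group(2)
            svc = services.setdefault(sid, {"password": None, "interfaces": set()})
            svc["interfaces"].add(m.group(1))
    return services


def parse_squid_wccp(text):
    """Squid side: service id -> kind, password, and the ports it announces."""
    def blank():
        return {"kind": None, "password": None, "ports": None}
    services = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^wccp2_service\s+(standard|dynamic)\s+(\d+)(.*)$", line)
        if m:
            svc = services.setdefault(m.group(2), blank())
            svc["kind"] = m.group(1)
            pw = re.search(r"password=(\S+)", m.group(3))
            svc["password"] = pw.group(1) if pw else None
            if m.group(1) == "standard" and m.group(2) == WEB_CACHE:
                svc["ports"] = [80]  # well-known service: the port is implicit
            continue
        m = re.match(r"^wccp2_service_info\s+(\d+)(.*)$", line)
        if m:
            svc = services.setdefault(m.group(1), blank())
            ports = re.search(r"ports=([\d,]+)", m.group(2))
            svc["ports"] = [int(p) for p in ports.group(1).split(",")] if ports else []
    return services


def check_wccp(asa, squid):
    """Mismatches that stop a service group from forming or from carrying traffic."""
    problems = []
    for sid, a in sorted(asa.items()):
        s = squid.get(sid)
        if s is None or s["kind"] is None:
            problems.append(f"service {sid}: configured on the ASA but not advertised by squid (add wccp2_service)")
            continue
        if a["password"] != s["password"]:
            problems.append(f"service {sid}: password differs between ASA and squid")
        if not a["interfaces"]:
            problems.append(f"service {sid}: no 'wccp interface ... redirect in' on the ASA")
        if s["kind"] == "dynamic" and not s["ports"]:
            problems.append(f"service {sid}: dynamic service without wccp2_service_info ports, so nothing is redirected")
    for sid in sorted(squid):
        if sid not in asa:
            problems.append(f"service {sid}: advertised by squid but not configured on the ASA")
    return problems


def redirected_ports(asa, squid):
    """Destination ports the ASA will actually redirect: only services both sides agree on."""
    ports = set()
    for sid, a in asa.items():
        s = squid.get(sid)
        if s and s["kind"] and a["password"] == s["password"] and a["interfaces"] and s["ports"]:
            ports.update(s["ports"])
    return sorted(ports)


if __name__ == "__main__":
    asa = parse_asa_wccp(ASA_CONFIG)
    for name, cfg in (("ok", SQUID_CONFIG_OK), ("broken", SQUID_CONFIG_BROKEN)):
        squid = parse_squid_wccp(cfg)
        print(name, "redirected ports:", redirected_ports(asa, squid))
        for p in check_wccp(asa, squid):
            print("   ", p)
```

Against SQUID_CONFIG_BROKEN the checker reports only service 70 and the redirected port set shrinks to [80], which is exactly the "show wccp" picture earlier in the thread (web-cache with one engine, service 70 with none); the access list never enters into it.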

Would this work for VPN users terminating on the ASA, either as clients or LAN-to-LAN tunnels? It appears it wouldn't, since the VPN users would not be on the same interface as the squid box.

I have a PIX 515.

I did exactly what you have written, but HTTPS traffic is still going directly through the PIX to the internet without the proxy.

With HTTP traffic all is OK; I see it on my squid proxy.

If I set the proxy for HTTPS in Internet Explorer manually, HTTPS goes through squid.

Is the PIX able to route HTTPS/FTP via WCCP?

Thank you!

What version is the PIX running?

HTTPS should work as long as the squid service supports https.

PK

Oops, sorry for the incomplete information about the PIX.

PIX 515E with PIX OS 8.04

With HTTP there is no problem! Everything goes through the GRE tunnel to the squid proxy.

But HTTPS or FTP (for example) go DIRECTLY through the PIX without any proxy, and when I look at tcpdump there is no activity at all on the squid server when I go to https sites.

=(

I ran into the same issue, i.e. the ASA did not redirect 443 traffic.

What did you do on the squid in order to tell the ASA that 443 is working??

Same problem for me

WCCP + squid redirect http is OK

WCCP + squid redirect https is NOT OK

Hello

With this, HTTP AND HTTPS are redirected to squid:

http_port 192.168.255.253:3129 intercept
wccp2_router 192.168.255.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=XXXXX
wccp2_service dynamic 70 password=XXXXX
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

But I get an SSL error ....

I don't see a "CONNECT" request in the squid log.

If I set https_proxy to squid on my client, it's OK, but not in WCCP/redirect mode.

I have Squid on Debian 6.
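
The last post is the expected outcome of pointing WCCP-redirected port 443 at an `http_port ... intercept` listener. A client that has not been told about a proxy never sends CONNECT; it opens TCP/443 and immediately sends a TLS ClientHello, which an HTTP intercept port cannot parse, hence the SSL error and the absence of CONNECT in the log (CONNECT only appears when the client is explicitly configured with https_proxy, which is why that case works). Serving that flow needs squid's `https_port` with `ssl-bump`, i.e. TLS interception with a CA the clients trust, which is a different deployment and trust decision from caching port 80. The script below is an added example, not code from the thread or from squid: it classifies the first bytes of an intercepted connection as an HTTP request or a TLS ClientHello and extracts the SNI from the latter, the only plaintext a transparent proxy can act on without bumping. The HTTP request and the ClientHello are constructed in the script (hypothetical host names, zeroed random, one cipher suite).

```python
import struct

# Constructed sample of what an intercepted port-80 flow starts with: a plain
# HTTP request line (no proxy configured on the client, so no CONNECT).
HTTP_SAMPLE = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello carrying a server_name (SNI) extension.
    This is what an intercepted port-443 flow starts with; values are made up."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                               # client_version, random (zeroed)
            + b"\x00"                                             # session_id: empty
            + b"\x00\x02\x13\x01"                                 # one cipher suite
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)                  # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def classify_intercepted_stream(data):
    """'http' for an HTTP request line, 'tls' for a TLS handshake record, else 'unknown'."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def tls_sni(data):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                                 # skip version and random
        pos += 1 + hello[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + hello[pos]                                        # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # end of extensions
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            lp = 2                                                   # skip ServerNameList length
            while lp + 3 <= len(edata):
                ntype = edata[lp]
                nlen = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
                if ntype == 0:
                    return edata[lp + 3:lp + 3 + nlen].decode("ascii", "replace")
                lp += 3 + nlen
    except (IndexError, struct.error):
        return None                                                  # truncated or malformed hello
    return None


if __name__ == "__main__":
    for label, sample in (("port 80", HTTP_SAMPLE), ("port 443", build_client_hello("www.example.com"))):
        kind = classify_intercepted_stream(sample)
        print(f"{label}: {kind}, SNI={tls_sni(sample)!r}")
```

Run on a pcap of the squid host's GRE tunnel the same two checks tell you whether the redirected 443 packets are arriving at all (the thread's first problem, with no engine registered for service 70) or arriving and being handed to a listener that expects HTTP (the second problem, the SSL error).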
