WCCP on different subnet with two firewalls

mrbzumrbzu · ‎02-05-2010

Hi,

I have two independent firewalls ASA5510 in the network connected together with LAN and have independent WAN links.

ASA-2 has content filtering solution and Squid server is in the subet connected to both firewall but gateway to ASA-2.

ASA-1 has the clients into the separate VLAN that needs to be proxied. So i would like that ASA-1 proxied/hhtp redirect to the squid server and then squid server went out to internet through ASA-1 using content filtering. Is it possible? i have seen that WCCP requirement is that proxy and client on same subnet.

Any help in this matter will be highly appriciated.

Regards

mrbzumrbzu · ‎02-16-2010

Is the WCCP works on different firewall interfaces/subnets where squid only resides in one subnet.

My WCCP configuration works when client and squid is on same vlan. if they are on different i got the following message on firewall.

Feb 14 12:46:16 10.16.7.1 Feb 15 2010 12:46:16 Firewall-10: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside-2:64.4.20.169/80 dst inside-squid:10.16.8.65/4158 denied due to NAT reverse path failure

Is there any way we could use WCCP on different subnets on firewall?

Is there any other solution exist to proxy the internet traffic to squid server on different subnets?

your help will be much appriciated.

Regards

Panos Kampanakis · ‎02-16-2010

The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.

So you can have squid to go through the ASA to pull pages fine, but your users to be redirected to squid need to be behind the same interface on the ASA as the squid and be able to communicate with it.

I hope it helps.

PK