
Forward from ASA5505 to Squid

derivo001
Level 1

Hi folks.

For the last few weeks I've been searching for a way to forward external requests (HTTP/HTTPS, mostly to log on to the available web servers) from the ASA5505 appliance to the Squid proxy.

The LAN gateway is an L3 switch.
The Squid is on a different VLAN and is virtual.
I already set up Squid to act as a reverse proxy, so I can use a unique public IP address with multiple vhosts.

How can I configure the ASA to forward these external requests to the Squid? Do I need to use WCCP?

I appreciate the efforts.

Thanks in advance.

4 Replies

Richard Burts
Hall of Fame

It sounds like WCCP would be what you need to forward the traffic. But my memory is that WCCP on ASA requires that the proxy server be accessed by the same interface as the user traffic and it does not sound like that is the case in what you describe.

HTH

Rick


I think that the route-map function on the ASA can help me solve this issue.

While reading some articles, I found the route-map approach, which consists of creating an access list denying everything other than an HTTP request. An example is attached.

And then just point a next-hop address to redirect to Squid.

I really expect that it can work for me.

What do you think?

Thanks in advance.

WCCP was developed for communication between the Cisco and a caching server. It provides forwarding traffic from Cisco to the caching server and also provides a mechanism through which the caching server can send traffic back to the Cisco. The PBR solution might take care of the first part where Cisco sends to the server but would not provide the second part where the server returns traffic to the Cisco. I do not have enough experience with Squid to know whether return traffic is a factor or not. So your PBR might work fine or it might not.

HTH

Rick


Hi Richard.

The requirement is to redirect the external requests (users over the web; ingress interface is fa0/0) to my internal web servers (which are located on fa0/1), and the proxy server is on the same interface as the web servers. I did the Squid configuration as a reverse proxy because we want to use a unique public IP address, and the proxy will match the different sub-domains set up as virtual hosts on the web servers.

It is quite hard to do this configuration because this kind of information is widely scattered over the web regarding WCCP, Squid, reverse, PBR and so on. I will try the route-map configuration today and I will let you know about the results. I'm not sure if even my Squid reverse configuration is right, but I will test it.

To make WCCP a reality, do I need to put the proxy server outside of the LAN? How will the requests reach the web servers in this scenario?

EDIT: I found a solution to this scenario. I'm using Nginx as a reverse proxy and it works very well.

On the ASA I did a NAT to the Nginx proxy, the ACL only accepts requests on ports 80 and 443, and boom! With a few lines the first web server became reachable over the internet.

This case can be closed.

Thanks.
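
The NAT-plus-ACL setup described in the last post could look like the following on the ASA. This is an added example, not configuration posted in the thread: it assumes ASA software 8.3 or later (object NAT syntax), and the interface names, addresses and object/ACL names are all constructed placeholders.

```cisco
! Added example. Assumed values throughout (none come from the thread):
!   outside / inside    nameif labels of the two ASA interfaces
!   10.10.20.10         Nginx reverse proxy (constructed address)
!   10.10.10.1          L3 switch that routes to the proxy VLAN (constructed)
!
! Reach the proxy VLAN through the L3 switch.
! Only needed when that VLAN is not directly connected to the ASA.
route inside 10.10.20.0 255.255.255.0 10.10.10.1
!
! Static PAT: publish only TCP 80 and 443 of the proxy on the outside
! interface address. Object NAT takes one nat statement per object,
! so each port gets its own object.
object network NGINX-HTTP
 host 10.10.20.10
 nat (inside,outside) static interface service tcp www www
object network NGINX-HTTPS
 host 10.10.20.10
 nat (inside,outside) static interface service tcp https https
!
! From 8.3 on, interface ACLs match the real (untranslated) address.
! Everything that is not HTTP/HTTPS to the proxy is dropped and logged.
access-list OUTSIDE-IN extended permit tcp any host 10.10.20.10 eq www
access-list OUTSIDE-IN extended permit tcp any host 10.10.20.10 eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

To check the path before exposing the service, `packet-tracer input outside tcp 198.51.100.7 1025 <outside-interface-ip> 80` (source address constructed) shows which NAT rule and ACL entry a simulated packet hits. Static PAT on port 443 of the interface address conflicts with ASDM or WebVPN if either is enabled on the outside interface on that port.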