01-23-2018 09:41 AM - edited 03-05-2019 09:48 AM
Hi,
I've been having major issues getting WCCP and the Zone Based Firewall working together on an ISR4331. To rule out the Zone Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!
Clients are on 10.10.0.0/16, the Sophos web appliance is on 192.168.100.254 and the Internet connection is currently behind a NATing device, as I'm reluctant to connect the router to the Internet without it being able to defend itself, although ultimately it will have a direct Internet connection.
I had this setup running on a Cisco 2821 (out of the scrap pile, no firewall though) as a proof of concept but using L2 WCCP as that's all that would work with the 2821. Everything worked fine (and still does when I plug the POC router back in)! With the ISR4331 I can't even get L2 WCCP working but I understand that I really need it to be GRE in order to play nicely with the ZBFW (and I really want the ZBFW to keep the router protected). The Sophos appliance can be configured for either L2 or GRE but not both.
Here are the relevant parts of the config from the ISR4331:
```
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
ip dhcp excluded-address 10.10.0.1 10.10.0.255
!
ip dhcp pool Guests
 network 10.10.0.0 255.255.0.0
 dns-server 8.8.8.8 8.8.4.4
 domain-name xxx-guest.local
 default-router 10.10.0.1
 lease 0 4
!
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
ip wccp 70 password 7 xxxxxxxxxxxxxxxxxx
!
license boot suite FoundationSuiteK9
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description Internet
 ip address 192.168.1.251 255.255.255.0
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Guests
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description DMZ
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip wccp redirect exclude in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.30.101.101 255.255.254.0
 negotiation auto
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 remark Addresses to NAT
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
```
When the Sophos appliance is configured with L2 WCCP, I see:
```
#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service    Clients  Routers  Assign  Redirect  Bypass
-------    -------  -------  ------  --------  ------
Default routing table (Router Id: 192.168.1.251):
web-cache        1        1  MASK    L2        L2
70               1        1  MASK    L2        L2

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        4
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
```
And with GRE WCCP:
```
#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service    Clients  Routers  Assign  Redirect  Bypass
-------    -------  -------  ------  --------  ------
Default routing table (Router Id: 192.168.1.251):
web-cache        1        1  HASH    GRE       GRE
70               1        1  HASH    GRE       GRE

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        64
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1

#sh ip int brief
Interface              IP-Address       OK? Method Status   Protocol
GigabitEthernet0/0/0   192.168.1.251    YES manual up       up
GigabitEthernet0/0/1   10.10.0.1        YES NVRAM  up       up
GigabitEthernet0/0/2   192.168.100.1    YES NVRAM  up       up
GigabitEthernet0       172.30.101.101   YES NVRAM  up       up
Tunnel0                192.168.100.1    YES unset  up       up
Tunnel1                192.168.100.1    YES manual up       up
```
Because web-cache is "Closed" I can't get to HTTP sites (which is how it should be if the Sophos appliance is not available). I can however ping sites over the Internet, so I know that the routing is set up correctly, and if I remove the WCCP redirects on Gi0/0/1 then my access starts working.
Does anyone have any ideas? Many, many thanks in advance,
Neil.
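As an added example (not part of Neil's post and not a Cisco tool), a small Python check that parses the `show ip wccp web-cache` counters quoted above and flags the pattern shown in the post: one registered client, no authentication failures, zero redirected packets, and a non-zero closed-mode drop count. The sample text is a constructed excerpt of that output; the findings it returns are the counter interpretations a practitioner would check first.

```python
import re

# Constructed excerpt of the "show ip wccp web-cache" output from the post,
# trimmed to the counters this check reads.
SAMPLE = """Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
        Service mode:                        Closed
        Total Packets Dropped Closed:        64
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Total Authentication failures:       0
"""


def parse_wccp_service(text):
    """Turn 'Label: value' lines into a dict; purely numeric values become ints."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        info[key] = int(val) if val.isdigit() else val
    return info


def diagnose(info):
    """Return a list of findings derived from the counters (empty list = nothing odd)."""
    findings = []
    clients = info.get("Number of Service Group Clients", 0)
    if clients == 0:
        findings.append("no cache engine has joined the service group")
    if info.get("Total Authentication failures", 0) > 0:
        findings.append("authentication failures: check the WCCP service password on both sides")
    if info.get("Total Packets Unassigned", 0) > 0:
        findings.append("unassigned packets: the cache has not completed bucket/mask assignment")
    redirected = info.get("Total Packets Redirected", 0)
    dropped = info.get("Total Packets Dropped Closed", 0)
    if clients > 0 and redirected == 0 and dropped > 0:
        findings.append("closed-mode drops with zero redirects while a client is registered: "
                        "the redirect path to the cache is not forwarding traffic")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_wccp_service(SAMPLE)):
        print("-", finding)
```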
02-08-2018 08:51 AM
Hi Georg,
Many thanks for the reply. I'm trying to get WCCP GRE to work with the ZBF as I'd read that L2 wouldn't work (unfortunately we had to use L2 for our proof of concept as all I had available was a 2821 that doesn't support GRE). The 2921 definitely supports GRE (this is the output from the 2921):
```
#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service    Clients  Routers  Assign  Redirect  Bypass
-------    -------  -------  ------  --------  ------
Default routing table (Router Id: nnn.nnn.nnn.nnn):
web-cache        1        1  HASH    GRE       GRE
70               1        1  HASH    GRE       GRE
```
The configuration is as above and I can't spot anything that I've missed!
Regards,
Neil.