02-09-2010 07:53 AM - edited 03-04-2019 07:27 AM
The configuration is on an ASA 5520 device.
WCCP is not working, as I can see from the show commands. The router ID is -not yet determined-. Why is that? Any help will be appreciated.
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: WCCP-Redirect
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: WCCP-Group
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
wccp interface Inside web-cache redirect in
wccp web-cache redirect-list WCCP-Redirect group-list WCCP-Group
access-list WCCP-Redirect extended permit tcp host 10.1.1.1 any eq www
access-list WCCP-Group extended permit ip host 10.1.1.4 any
10.1.1.1 (Client Machine)
10.1.1.4 (Squid Server)
Both are in same VLAN
02-09-2010 09:46 AM
Hello Mrbzu,
Be aware that OSI Layer 2 redirection is not supported by the ASA:
>> The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
See
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094763
>> because the security appliance takes care of redirecting requests to cache engines. When the security appliance knows when a packet needs redirection, it skips TCP state tracking, TCP sequence number randomization, and NAT on these traffic flows.
Probably the cache should be on another interface to be able to use GRE encapsulation.
Hope to help
Giuseppe
02-25-2010 01:59 PM
Hi!
The Cisco ASA config is correct.
Add this to your squid.conf:
http_port 3128 transparent
wccp2_router 10.1.1.254
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
(where 10.1.1.254 is the ASA IP Address for inside)
And run this in your bash:
ifconfig gre0 inet 127.0.0.2 netmask 255.255.255.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -F -t nat
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.4:3128
...and tell me the results :-)
Regards
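An added example, not part of any post in this thread: a POSIX shell check that a squid.conf respects the constraint quoted above (the ASA supports only GRE, so the WCCPv2 forwarding and return methods must be GRE and wccp2_router must be the ASA inside address), plus a reader for the cache engine count in saved `show wccp` output. The function names and the sample file are assumptions made for illustration; accepting the `gre` keyword and the `intercept` flag covers later Squid releases and goes beyond the values shown in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). The sample input below is constructed.

# Print one finding per line for Squid WCCPv2 settings the ASA cannot work with;
# print "OK" when none are found. $1 = squid.conf path, $2 = ASA inside IP.
audit_squid_wccp() {
    awk -v asa="$2" '
        function is_gre(v) { return v == "" || v == "1" || v == "gre" }  # unset: Squid default is GRE
        /^[ \t]*#/ || NF == 0 { next }                                   # skip comments and blank lines
        $1 == "wccp2_router"            { seen_router = 1; if ($2 == asa) hit = 1 }
        $1 == "wccp2_forwarding_method" { fwd = $2 }
        $1 == "wccp2_return_method"     { ret = $2 }
        $1 == "http_port" { for (i = 3; i <= NF; i++) if ($i == "transparent" || $i == "intercept") icpt = 1 }
        END {
            if (!seen_router) { print "wccp2_router is not set"; bad = 1 }
            else if (!hit)    { print "wccp2_router does not point at " asa; bad = 1 }
            if (!is_gre(fwd)) { print "wccp2_forwarding_method " fwd " is not GRE"; bad = 1 }
            if (!is_gre(ret)) { print "wccp2_return_method " ret " is not GRE"; bad = 1 }
            if (!icpt)        { print "no intercepting http_port"; bad = 1 }
            if (!bad) print "OK"
        }' "$1"
}

# Print the "Number of Cache Engines" value from saved `show wccp` output ($1),
# or -1 if the line is absent. 0 means no cache has registered with the ASA.
wccp_cache_engines() {
    awk -F': *' '/Number of Cache Engines/ { print $2 + 0; found = 1 } END { if (!found) print "-1" }' "$1"
}

# Constructed sample: the squid.conf lines from the reply, but with L2 forwarding.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
http_port 3128 transparent
wccp2_router 10.1.1.254
wccp2_forwarding_method 2
wccp2_return_method 1
EOF
audit_squid_wccp "$sample_conf" 10.1.1.254
rm -f "$sample_conf"
```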