12-30-2010 02:18 PM - edited 03-06-2019 02:46 PM
I need to set up a transparent proxy server on a relatively small network and I’m thinking WCCP and Squid would be a good fit. The network has a PIX firewall with three interfaces: the first interface connects to the internet router (not Cisco kit), the second interface connects to the internal network and the third interface connects to the DMZ, which will contain the Squid proxy server.
Typically where is WCCP implemented in a network to intercept the traffic and re-direct to the proxy server? Ideally should the WCCP interception be performed on the PIX or on the internet router which is outside the network? I could replace the internet router with Cisco kit if this would be the best place to intercept the traffic. Unfortunately there are no Catalyst 4500 or 6500 switches on the network.
Are there any limitations on running WCCP on a PIX?
Also, are there any best practices for implementing WCCP for a transparent proxy?
01-01-2011 04:22 AM
Based on the topology provided, the PIX would be the only device where you could implement WCCP; however, the PIX only supports WCCP when the traffic that needs to be transparently redirected is behind the same interface as the proxy server. Therefore, you can't place your Squid proxy in the DMZ.
Typically, if you have an internal router, you would implement WCCP on that internal router, as a router has a more flexible WCCP feature set. Definitely do not implement WCCP on your internet router, as that would already be outside your internal network.
Here is the configuration guide on WCCP on the PIX firewall for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
Hope that helps.
01-02-2011 07:53 PM
I second that. Create a security segment between the PIX firewall and the core device, maybe a /29 if it makes sense, and make Squid part of this segment.
Set up WCCP to "redirect in" on the inside-facing interface for "webcache" port 80. Web traffic will be redirected to Squid. Make sure the Squid IP is allowed for ACL/NATting on the PIX, as its IP will be used for all port 80 traffic.
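The configuration the two replies above describe, written out as an added example (this is not config posted by anyone in the thread; addresses, ACL and service-group names and the password are assumptions): a /29 between the PIX inside interface (10.0.0.1) and the core (10.0.0.2), Squid at 10.0.0.3 on that same segment, and clients in 10.1.0.0/16 behind the core. It uses the PIX/ASA 7.2+ WCCP syntax, since earlier PIX 6.x software has no WCCP at all, and only "redirect in" is supported on the firewall, so the proxy and the clients must both sit behind the inside interface. The group-list and password are the part a security engineer would insist on: without them, any host on the inside segment can register itself as a cache engine and receive every port-80 session.

```text
! --- PIX/ASA side ---
!
! Only the Squid host may register as a WCCP cache engine. Without this list
! any machine on the inside segment could join the service group and have all
! redirected port-80 traffic delivered to it.
access-list wccp-engines extended permit ip host 10.0.0.3 any
!
! What gets redirected. Squid's own outbound fetches are excluded first so its
! requests to the Internet are not looped back into the proxy; then client HTTP.
access-list wccp-redirect extended deny   ip  host 10.0.0.3 any
access-list wccp-redirect extended permit tcp 10.1.0.0 255.255.0.0 any eq www
!
! Standard service group 0 ("web-cache" = TCP/80). The password must match the
! one configured in squid.conf below.
wccp web-cache redirect-list wccp-redirect group-list wccp-engines password S3cretWccp
!
! The PIX/ASA can only redirect ingress traffic: "redirect in" on the interface
! that both the clients and the Squid box are behind.
wccp interface inside web-cache redirect in
!
! Checks after Squid is started: the engine should show as usable and the
! packet-redirected counter should climb when a client browses.
!   show wccp
!   show wccp web-cache detail

# --- Squid side (squid.conf, Squid 3.1 or later assumed) ---
# Accept intercepted (non-proxy-aware) connections.
http_port 3128 intercept
# Register with the PIX inside interface as the WCCP "router".
wccp2_router 10.0.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=S3cretWccp
```

On a Linux Squid host the GRE-encapsulated packets from the PIX arrive on a GRE tunnel interface whose remote end is 10.0.0.1, and a local iptables REDIRECT rule on that interface has to steer TCP/80 to port 3128; those two host-level steps are assumed here and vary by distribution. Remember the second reply's point that the PIX's outside ACL and NAT must permit 10.0.0.3, because after interception every client HTTP request leaves the network with Squid's source address.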