Not to revive a dead post from six years ago but this is the top result when searching for ASA, WCCP and multiple interfaces. So here's how to configure WCCP on multiple interfaces using ASA 9.6(1), Squid 3.5.19, and RHEL 6 with everything persisting after reboot. You only need one GRE tunnel between Squid and the ASA, however the Squid box needs to have a NIC on each VLAN as others have indicated.

One key note - the ASA uses its highest IP for the router ID and that cannot be changed. To prevent potential issues and confusion I created a dummy wccp interface but in most cases you can probably just use the default highest.

Network Info
ASA inside: 192.168.1.1
ASA dmz: 192.168.2.1
ASA wccp: 192.168.99.1 ("dummy" iface... not really used)
Squid inside: 192.168.1.2
Squid dmz: 192.168.2.2

ASA Config
access-list wccp-servers extended permit ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.2.2 any
access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended deny ip any any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in
wccp interface dmz web-cache redirect in

wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
iptables /etc/sysconfig/iptables on RHEL based systems
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
COMMIT
RHEL WCCP/GRE tunnel config /etc/sysconfig/network-scripts/ifcfg-wccp0 (again - RHEL based systems)
DEVICE="wccp0"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="GRE"
LOCAL_DEVICE="bond0"
PEER_OUTER_IPADDR="192.168.99.1"
PEER_INNER_IPADDR="192.168.99.1"
MY_OUTER_IPADDR="192.168.1.2"
MY_INNER_IPADDR="192.168.1.2"
USERCTL="no"
IPV6INIT="no"
IPV6_AUTOCONF="no"

Kernel params /etc/sysctl.conf (RHEL!!!)
net.ipv4.ip_forward = 1
net.ipv4.conf.bond0.rp_filter = 0
net.ipv4.conf.bond1.rp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
Reboot for kernel changes to take effect (this can also be done via the /proc filesystem and no reboot, if necessary).
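The two "deny ... host 192.168.1.2 / 192.168.2.2" lines at the top of the wccp-traffic ACL are what stop the ASA from redirecting Squid's own outbound HTTP back into Squid (a redirect loop). The following is an added example, not part of the post above: a small simulator of how the ASA walks a redirect-list (first match wins, only permit entries redirect) that checks whether each cache's own traffic would be caught. The ACL text is a constructed copy of the post's lines and the probe destination 203.0.113.10 is an arbitrary documentation address.

```python
"""Simulate ASA WCCP redirect-list evaluation: first matching entry wins,
and only a 'permit' match causes redirection to the cache (added example)."""
import ipaddress

# Constructed copy of the post's wccp-traffic ACL; entry order matters.
WCCP_TRAFFIC_ACL = """
access-list wccp-traffic extended deny ip host 192.168.1.2 any
access-list wccp-traffic extended deny ip host 192.168.2.2 any
access-list wccp-traffic extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list wccp-traffic extended deny ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port_or_None)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[3], t[4]          # after 'access-list NAME extended'
        src, rest = _parse_addr(t[5:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = 80 if rest[1] == "www" else int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries

def redirected(acl, src_ip, dst_ip, proto, dport):
    """True if the ASA would redirect this flow to the WCCP cache."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in acl:
        if p != "ip" and p != proto:        # 'ip' entries match any protocol
            continue
        if s in src and d in dst and (port is None or port == dport):
            return action == "permit"
    return False                            # implicit deny: no redirect

def cache_loop_risk(acl, cache_ips, probe_dst="203.0.113.10"):
    """Return cache IPs whose own outbound HTTP would be redirected back to a
    cache, i.e. the ACL lacks the exclusion entry the post places first."""
    return [ip for ip in cache_ips if redirected(acl, ip, probe_dst, "tcp", 80)]
```

Running cache_loop_risk on the ACL with its first two deny entries removed lists both Squid addresses, which is the loop the post's ordering avoids.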
I attempted to order a 5506W-X from CDW and they informed me that the product has been discontinued. A few other sources online seem to corroborate that, however I cannot find any "official" word from Cisco that the product has been discontinued.
Does anybody have any additional information on this? The 5506 was rather new, why would they discontinue it so soon? And is there a successor planned?
I have working configs for both a Cisco IPSec remote access VPN + L2TP-IPSec remote access VPN, however I can only get one to work at a time (depending on whatever dynamic map has a lower sequence number defined in my crypto map). I get Phase 2 errors either way (when Cisco IPSec works L2TP clients fail w/ Phase 2 errors and vice versa). Is there a way to accommodate both remote access VPN types at the same time?

ASA Version 9.2(1)

crypto ipsec ikev1 transform-set home esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map home_dyn_map 10 set ikev1 transform-set home
crypto dynamic-map home_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map home_dyn_map 10 set reverse-route
crypto dynamic-map home-l2tp_dyn_map 10 set ikev1 transform-set home-l2tp
crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
crypto map home_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
group-policy home internal
group-policy home attributes
 dns-server value 192.168.10.2
 vpn-tunnel-protocol ikev1
group-policy home-l2tp internal
group-policy home-l2tp attributes
 dns-server value 192.168.10.2
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group home type remote-access
tunnel-group home general-attributes
 address-pool vpnpool
 default-group-policy home
tunnel-group home ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group home-l2tp type remote-access
tunnel-group home-l2tp general-attributes
 address-pool vpnpool
 default-group-policy home-l2tp
tunnel-group home-l2tp ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group home-l2tp ppp-attributes
 authentication ms-chap-v2

Currently the Cisco IPSec VPN is working but if I lower the sequence number and change:
crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
to
crypto map home_map 5 ipsec-isakmp dynamic home-l2tp_dyn_map
the L2TP VPN will work instead (then Cisco IPSec clients will fail w/ Phase 2 errors). Any advice on how to accommodate both remote access VPN types at the same time?
I'm now fairly confident I know why this is happening: EMBLEM format. I cannot for the life of me find the command to disable this. I've even gone as far as configuring the HTTP server and checking for an option there. Nothing. From online documentation I've found, apparently there is an "Event Notifications Setup" page where I can supposedly configure this (see http://www.cisco.com/en/US/docs/wireless/access_point/350/configuration/guide/ap350axc.html ). The http interface on my AP does have a page to configure the Event Log, however nothing regarding Emblem format and it's not titled "Event Notification Setup". So the question now is: Anybody know how to disable EMBLEM syslog format on an 1130AP?
I can't figure out how to disable the syslog counter on my 1131AG WAP. See the below example log, the counter (number 3614) is right next to the hostname and increments with every syslog message:

Oct 25 07:31:10 airhead 3614: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 7c61.93a4.8332 Associated KEY_MGMT[WPAv2 PSK]

I've tried both of the following commands, neither one removes the counter:
no service sequence-numbers
no logging count

Version Info:
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JDA, RELEASE SOFTWARE (fc1)
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)

Does anybody have any ideas how to get rid of the syslog counter?
Hello, I'm trying to get a remote access VPN working using an ASA and Cisco VPN client with no split tunneling. The VPN works kinda, I can access devices on the inside when I connect, but I cannot access the Internet. I don't see any errors in the ASA logfile except these:

Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

There's only one public IP address which is DHCP assigned to the outside interface. The inside network is 192.168.1.0/24 which is PAT'ed to the outside interface and the VPN network is 192.168.47.X. I think my problem is that the .47 net is not being NAT'ed to the outside properly and I'm not sure how to set it up exactly. I can't fathom how this is supposed to work since the VPN net technically originates from the outside already. Here's all the relevant config:

access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
static (inside,outside) tcp interface https someids https netmask 255.255.255.255

I can post more of the config if needed.

Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' yields these:

Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:220.127.116.11/53

So how do I properly NAT VPN traffic so it can reach the Internet?