Re: [squid-users] Squid and WCCP (ASA)
On Tue, Nov 13, 2007, Jason Gauthier wrote:

> All,
>
> I asked some generic questions earlier in the week and got some great documentation. This has led me to a working WCCP/Squid implementation. I thank you.

Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki?

> However, I still have problems.
>
> Firstly, please understand that I am using WCCP on a Cisco ASA. (Firewall, not the same IOS as a router).
>
> I have multiple interfaces on this ASA that I want to make work. (4, to be exact). I've set squid to register with WCCP on the inside interface. Once I redirect traffic from the inside, it works. I have a wireless interface, where my guests go. This interface also works when I add it.
>
> I have two other interfaces. One for my VPN users, and the other for authenticated wireless users. NEITHER of these interfaces work, and I cannot figure out why.
>
> Cisco has claimed that:
>
> As the previous engineer quoted from the ASA config guide: WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.
>
> They are using this as an excuse to tell me that what I want to do is not possible. However, I've explained that I am doing exactly this with two interfaces right now. I haven't heard back from them quite yet. I also think they are using the words in this text to their advantage.

Hm, security levels perhaps? What are the security levels for each of your interfaces?

It -is- a closed source firewall, they can claim whatever they want. No one's sued Cisco over lack of functionality/features that I know about and won.. :)

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
RE: [squid-users] Squid and WCCP (ASA)
>> I asked some generic questions earlier in the week and got some great documentation. This has led me to a working WCCP/Squid implementation. I thank you.
>
> Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki?

Adrian, I was able to pull off the working config from the wiki :) Job well done!

> Hm, security levels perhaps? What are the security levels for each of your interfaces?
>
> It -is- a closed source firewall, they can claim whatever they want. No one's sued Cisco over lack of functionality/features that I know about and won.. :)

Turns out I can do this. But I have to choose between authenticated proxy and transparent. I want both. So I am moving to test WCCP off the ASA and onto the core router.

Thanks everyone!
Re: [squid-users] Squid and WCCP (ASA)
On Wed, Nov 14, 2007, Jason Gauthier wrote:

>> Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki?
>
> Adrian, I was able to pull off the working config from the wiki :) Job well done!

Cool!

> Turns out I can do this. But I have to choose between authenticated proxy and transparent. I want both. So I am moving to test WCCP off the ASA and onto the core router.

You won't be able to get both of them, sorry!

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Re: [squid-users] Squid and WCCP (ASA)
On Tue, 2007-11-13 at 09:34 -0500, Jason Gauthier wrote:

> I have multiple interfaces on this ASA that I want to make work. (4, to be exact). I've set squid to register with WCCP on the inside interface. Once I redirect traffic from the inside, it works. I have a wireless interface, where my guests go. This interface also works when I add it.
>
> I have two other interfaces. One for my VPN users, and the other for authenticated wireless users. NEITHER of these interfaces work, and I cannot figure out why.
>
> Cisco has claimed that:

I would guess that either firewalling or routing messes things up. Have you verified with tcpdump how far things get? I.e. do you see the SYN packets from those networks or is it completely silent?

Please remember that routing when using WCCP is a bit special. The cache engine will respond with the originally contacted ip:port to the client source ip:port, and this might easily get trapped in firewall or nat rules when running WCCP on a firewall.

> As the previous engineer quoted from the ASA config guide: WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.

So I would say you are already bending the limits of what this device is supposed to support.

Regards
Henrik
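
The tcpdump check suggested in the message above, as an added example that is not part of the original thread: it reads `tcpdump -nn` text captured on the cache box and reports, per client network, whether SYNs arrive at all and whether the cache's reply (sent with the origin server's ip:port as source) ever gets a completing ACK. The network names, addresses and capture lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed networks and capture (not from the thread): text output of
# `tcpdump -nn 'tcp port 80'` taken on the cache box.
NETWORKS = {"inside": "10.1.0.0/24", "vpn": "10.3.0.0/24", "authwifi": "10.4.0.0/24"}
SAMPLE = """\
10:00:01.000 IP 10.1.0.20.51000 > 203.0.113.10.80: Flags [S], seq 100, length 0
10:00:01.001 IP 203.0.113.10.80 > 10.1.0.20.51000: Flags [S.], seq 900, ack 101, length 0
10:00:01.002 IP 10.1.0.20.51000 > 203.0.113.10.80: Flags [.], ack 901, length 0
10:00:03.000 IP 10.3.0.7.52000 > 203.0.113.10.80: Flags [S], seq 300, length 0
10:00:03.001 IP 203.0.113.10.80 > 10.3.0.7.52000: Flags [S.], seq 700, ack 301, length 0
10:00:06.000 IP 10.3.0.7.52000 > 203.0.113.10.80: Flags [S], seq 300, length 0
"""
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]\n]+)\]")

def diagnose(capture, networks):
    """Per client network, report how far the TCP handshake gets at the cache."""
    nets = {n: ipaddress.ip_network(c) for n, c in networks.items()}

    def owner(ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in nets.items() if addr in net), None)

    flows = defaultdict(set)  # (network, client, cport, server, sport) -> steps seen
    for src, sp, dst, dp, flags in PKT.findall(capture):
        if flags == "S" and owner(src):            # redirected client SYN arrived
            flows[(owner(src), src, sp, dst, dp)].add("syn")
        elif flags == "S." and owner(dst):         # cache answered as the origin
            flows[(owner(dst), dst, dp, src, sp)].add("synack")
        elif flags in (".", "P.") and owner(src):  # client completed the handshake
            key = (owner(src), src, sp, dst, dp)
            if "synack" in flows.get(key, ()):
                flows[key].add("ack")

    result = {}
    for name in nets:
        steps = set().union(*[s for k, s in flows.items() if k[0] == name])
        if "syn" not in steps:
            result[name] = "silent"      # no SYN from this network reaches the cache
        elif "synack" not in steps:
            result[name] = "no-answer"   # SYN arrives but the cache does not intercept it
        elif "ack" not in steps:
            result[name] = "reply-lost"  # reply never acknowledged: check firewall/NAT return path
        else:
            result[name] = "ok"
    return result
```
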
Re: [squid-users] Squid and WCCP (ASA)
> All,
>
> Has anyone been successful in using squid (2.6) to connect and utilize WCCPv2 on a Cisco ASA?
>
> I have configured it, but I'm not getting web traffic. I'm confused mostly on all the conflicting commands for WCCP that I find on the web for squid. If someone could at least point me in a definitive document on that, it would help a lot.

The Authoritative documentation is:
http://www.squid-cache.org/Versions/v2/2.6/cfgman/

with some examples:
http://wiki.squid-cache.org/FrontPage?action=fullsearchcontext=180value=wccptitlesearch=Titles

Amos