Cisco ASA 5540, Squid 3.1 and WCCP2....It works?

rom
Level 1

Hello.

I have spent a couple of days reading and googling, and I still have not got this configuration to work:

Squid 3.1

Cisco ASA 5540 8.2(3)

Squid conf:

# intercept port that the iptables REDIRECT below points at
http_port 8080 transparent
# the ASA interface Squid talks WCCP to (HERE_I_AM / I_SEE_YOU on UDP 2048)
wccp2_router {internal-ASA-IP}
# service 0 = web-cache; must match the password on the ASA
wccp2_service standard 0 password=123

Squid server:

# GRE tunnel to receive the redirected traffic the ASA encapsulates
iptunnel add gre1 mode gre remote {external-ASA-IP} local {Squid-IP} dev eth0
ifconfig gre1 127.0.0.2 up
# hand decapsulated port-80 traffic to Squid's intercept port
iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 8080
# reverse-path filtering would drop packets arriving via the tunnel
echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter

ASA conf:

access-list wccp extended deny tcp host {Squid-IP} any eq www inactive
access-list wccp extended permit tcp host {my-machine-for-testing-purpose} any eq www
access-list wccp-server extended permit ip host {Squid-IP} any
wccp web-cache redirect-list wccp group-list wccp-server password *****
wccp interface INTERNAL web-cache redirect in

Squid and ASA are in the same segment.

Any ideas or suggestions?

Rom

2 Replies

Phillip Strelau
Cisco Employee

Hi Rom,

Here's what I have configured on Ubuntu, which is up and running. Do you see a cache engine come up in the "show wccp" output on the ASA?

Squid server

# load the GRE driver and create the tunnel towards the ASA
modprobe ip_gre
iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 192.168.1.5 netmask 255.255.255.0 up

# disable reverse-path filtering so tunnelled packets are not dropped, and allow forwarding
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 >/proc/sys/net/ipv4/ip_forward

# decapsulated port-80 traffic goes to Squid's intercept port
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE

Squid conf

acl bad url_regex "/etc/squid/squid-block-acl.conf"
acl bad_url dstdomain "/etc/squid/squid-block-acl.conf"
http_port 3128 transparent

Squid-block-acl.conf

yahoo.com

rom
Level 1

Thanks Phillip! But it didn't work :-(

Ubuntu? I am using Fedora 14. Should I try it?

This is the "sh wccp" output:

Global WCCP information:
    Router information:
        Router Identifier:                   {ext-ASA-IP}
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            2463
        Redirect access-list:                wccp
        Total Connections Denied Redirect:   79
        Total Packets Unassigned:            1095
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      16
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Question:

In your reply, you pasted:

iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 192.168.1.5 netmask 255.255.255.0 up

If I use it as is, for some reason I lose network connectivity. That's a problem.

On a colleague's suggestion I tried changing it to:

iptunnel add wccp0 mode gre remote 192.168.1.1 local 192.168.1.5 dev eth0
ifconfig wccp0 127.0.0.2 netmask 255.255.255.0 up

Another thing is that I get the following syslog messages on the ASA:

3  Jun 21 2011  14:47:23  313001  {SQUID-IP}  Denied ICMP type=3, code=3 from {SQUID-IP} on interface INTERNAL
4  Jun 21 2011  14:47:23  313005  No matching connection for ICMP error message: icmp src INTERNAL:{SQUID-IP} dst identity:{ext-ASA-IP} (type 3, code 3) on INTERNAL interface. Original IP payload: protocol 47 src {ext-ASA-IP} dst {SQUID-IP}.

I get these messages when I test by hitting a website from the browser.
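A triage helper for the two posts above, as an added example that is not part of the thread and not Squid or Cisco code: it parses the ASA's "show wccp" output and the 313001/313005 syslog lines quoted in the follow-up and turns them into the checks a practitioner would otherwise do by eye. The addresses (203.0.113.1 for the ASA's Router Identifier, 192.168.1.5 for Squid) are placeholders I chose, and both sample inputs are constructed to mirror the thread's output. Two things it encodes that the thread shows but does not spell out: the ASA encapsulates redirected traffic with its Router Identifier as the GRE source (the 313005 message lists that same address as "protocol 47 src"), so on the Squid host the tunnel's remote must be that address while wccp2_router stays the interface Squid sits on; and an ICMP port unreachable sent back in answer to a GRE packet is what the Linux ip_gre receiver emits when the outer src/dst match no configured tunnel and the fallback gre0 device is not up, so that finding points at the tunnel definition rather than at iptables or squid.conf.

```python
"""Triage for ASA-to-Squid WCCPv2 GRE redirection (added example, not thread code)."""
import re

# Constructed sample modelled on the "show wccp" output in the thread; IPs are placeholders.
SAMPLE_SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   203.0.113.1
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            2463
        Redirect access-list:                wccp
        Total Connections Denied Redirect:   79
        Total Packets Unassigned:            1095
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      16
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

# Constructed ASA syslog lines in the shape of the 313001/313005 messages quoted above.
SAMPLE_SYSLOG = [
    "3 Jun 21 2011 14:47:23 313001 192.168.1.5 Denied ICMP type=3, code=3 "
    "from 192.168.1.5 on interface INTERNAL",
    "4 Jun 21 2011 14:47:23 313005 No matching connection for ICMP error message: "
    "icmp src INTERNAL:192.168.1.5 dst identity:203.0.113.1 (type 3, code 3) on INTERNAL "
    "interface.  Original IP payload: protocol 47 src 203.0.113.1 dst 192.168.1.5.",
]

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):\s+(?P<val>\S.*?)\s*$")
_ICMP_ERR = re.compile(
    r"313005.*?icmp src [^:\s]+:(?P<src>" + IP + r") dst [^:\s]+:(?P<dst>" + IP + r") "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\).*?"
    r"Original IP payload: protocol (?P<proto>\d+) src (?P<osrc>" + IP + r") dst (?P<odst>" + IP + r")"
)


def parse_show_wccp(text):
    """Return {field: value} from 'show wccp'; numeric counters become ints."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            val = m.group("val")
            fields[m.group("key").strip()] = int(val) if val.isdigit() else val
    return fields


def gre_icmp_errors(lines):
    """ASA 313005 messages whose embedded original packet was GRE (IP protocol 47)."""
    hits = []
    for line in lines:
        m = _ICMP_ERR.search(line)
        if m and m.group("proto") == "47":
            hits.append({k: m.group(k) for k in ("src", "dst", "type", "code", "osrc", "odst")})
    return hits


def expected_tunnel(show_text, squid_ip):
    """GRE endpoints the Squid host must configure: the ASA uses its Router Identifier
    as the outer source of the GRE packets, so that is the tunnel's remote; the Squid
    address the ASA sends to is the tunnel's local."""
    return {"remote": parse_show_wccp(show_text)["Router Identifier"], "local": squid_ip}


def triage(show_text, syslog_lines):
    """Ordered findings, each 'CODE: explanation'; an empty list means nothing obvious."""
    w = parse_show_wccp(show_text)
    findings = []
    if w.get("Number of Cache Engines", 0) == 0:
        findings.append("NO_CACHE_ENGINE: Squid never registered; wccp2_router must be the ASA "
                        "interface Squid sits on, and password and group-list must match")
    if w.get("Total Authentication failures", 0):
        findings.append("AUTH_FAIL: the WCCP password on Squid and on the ASA differ")
    if w.get("Total Messages Denied to Group", 0):
        findings.append(f"GROUP_DENIED: {w['Total Messages Denied to Group']} WCCP messages "
                        "dropped by the group-list; it must permit the Squid source IP")
    if w.get("Total Connections Denied Redirect", 0):
        findings.append(f"REDIRECT_DENIED: {w['Total Connections Denied Redirect']} connections "
                        "excluded by the redirect-list; confirm the test client is permitted")
    for e in gre_icmp_errors(syslog_lines):
        if (e["type"], e["code"]) == ("3", "3"):
            findings.append(
                f"GRE_UNREACHABLE: {e['src']} answered GRE from {e['osrc']} with ICMP port "
                "unreachable, which Linux ip_gre sends when no tunnel matches the outer packet "
                f"(and gre0 is down); 'ip tunnel show' should list remote {e['osrc']} "
                f"local {e['odst']} and the interface must be up")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SHOW_WCCP, SAMPLE_SYSLOG):
        print(finding)
    print(expected_tunnel(SAMPLE_SHOW_WCCP, "192.168.1.5"))
```

Run it against a pasted "show wccp" and the relevant syslog lines; the counters are cumulative, so clear them or diff two samples taken before and after a test request to see which ones actually move for that request.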
