I have problems getting Transparent Proxy to work and would be glad if
you can look through this.
I have a Cisco router with WCCP enabled and the squid server compiled
from source tarball runs on Fedora Core 4. My understanding is that it
is not necessary to patch the kernel as ip_gre is already enabled.
Proxying works when browser configuration is done; however, transparent
proxying does not work.
The message from the squid box (192.168.1.23) is
IP 192.168.1.18 > 192.168.1.23: gre-proto-0x883e
IP 192.168.1.23 > 192.168.1.18: icmp host 192.168.1.23 unreachable - admin prohibited
while the router (192.168.1.18) gives the same message via
debug ip wccp packet
and
debug ip icmp
/
*Mar 1 01:12:09.775: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 00000113
*Mar 1 01:12:09.775: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 00000114
*Mar 1 01:12:10.071: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
*Mar 1 01:12:12.991: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
*Mar 1 01:12:19.003: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
*Mar 1 01:12:20.235: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 00000114
*Mar 1 01:12:20.235: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 00000115
*Mar 1 01:12:30.519: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 00000115
*Mar 1 01:12:30.519: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 00000116
*Mar 1 01:12:31.395: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
/
The router recognizes the squid box as confirmed from the message below.
/
Router#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.1.18
Protocol Version: 1.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 166
Redirect access-list: 150
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
/
The ip tunnel has been set as shown.
My router config is below.
/
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3745-IS-M), Version 12.2(13)T10,
RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Wed 26-Nov-03 02:37 by nmasa
Image text-base: 0x60008940, data-base: 0x61994000
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
Router uptime is 1 hour, 7 minutes
System returned to ROM by power-on
System image file is "flash:c3745-is-mz.122-13.T10.bin"
cisco 3745 (R7000) processor (revision 2.0) with 196608K/11264K bytes of memory.
Processor board ID JMX0802L3EA
R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
MICA-6DM Firmware: CP ver 2730 - 5/23/2001, SP ver 2730 - 5/23/2001.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
30 terminal line(s)
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of non-volatile configuration memory.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x101
/
Below is the router configuration file.
/
Router#sh conf
Using 1285 out of 155640 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$.nU6$zrTYq3u9FqrEs1z3VR6yO/
enable password 1234
!
ip subnet-zero
ip wccp version 1
ip wccp web-cache redirect-list 150
!
!
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.18 255.255.255.0
no ip unreachables
ip nat inside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 64.110.65.17 255.255.255.128
no ip unreachables
ip wccp web-cache redirect out
ip nat outside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
router rip
network 64.0.0.0
!
ip nat pool ovrld 64.110.65.18 64.110.65.18 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip http server
!
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp 192.168.1.0 0.0.0.255 any
access-list 150 deny tcp any any
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line 33 62
flush-at-activation
line aux 0
line vty 0 4
password 12345
login
!
end
/
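Because the squid host itself is answering the router's GRE packets with "admin prohibited", a host firewall rule on the squid box is the first thing to check before looking at the router. The following diagnostic is an added example, not code from the original post, from Squid or from Cisco; it assumes the host has iptables-save output available and works on a constructed Fedora-style ruleset.

```shell
# Added diagnostic (not from the original post): decide what a Linux iptables ruleset
# does with the router's GRE (IP protocol 47) packets. "-j REJECT --reject-with
# icmp-host-prohibited" emits the "host unreachable - admin prohibited" ICMP seen above.

# Constructed sample in iptables-save format, shaped like the Fedora Core default.
RULES_BLOCKING='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same ruleset with GRE from the router (192.168.1.18 in the post) accepted first.
RULES_FIXED='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.18 -p 47 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

gre_verdict() {
  # $1: iptables-save text. Prints ACCEPT, REJECT, DROP or POLICY:<INPUT policy>.
  # Simplified matcher: follows jumps from INPUT in file order, ignores -i/-s/-d and
  # negations, and treats the router's first GRE packet as conntrack state NEW.
  printf '%s\n' "$1" | awk '
    BEGIN { active["INPUT"] = 1; verdict = "POLICY:ACCEPT" }
    /^:INPUT / { verdict = "POLICY:" $2 }
    /^-A / {
      if (!($2 in active)) next
      target = ""; proto = ""; states = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--state") states = $(i + 1)
      }
      if (proto != "" && proto != "47" && proto != "gre") next  # rule is not for GRE
      if (states != "" && states !~ /NEW/) next                 # needs an existing flow
      if (target ~ /^(ACCEPT|REJECT|DROP)$/) { verdict = target; exit }
      if (target != "") active[target] = 1                      # jump into a user chain
    }
    END { print verdict }'
}

echo "blocking: $(gre_verdict "$RULES_BLOCKING")  fixed: $(gre_verdict "$RULES_FIXED")"
```

On the real box, feed it the live ruleset with `gre_verdict "$(iptables-save)"`; a REJECT verdict means the ICMP in the tcpdump trace is generated locally and the GRE accept rule must come before the catch-all.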