
Re: Transparent WCCP/GRE HTTPS issue

On Sat, Dec 08, 2007, Jason Gauthier wrote:

> Help me understand the logic (I know you don't have a set up like this
> in practice)
> 
> I create a GRE tunnel from Linux->ASA.
> I then use iptables to grab everything that hits that GRE tunnel to send
> it to the squid proxy.
> 
> iptables -t nat -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.79.2:3129
> 
> If I have multiple instances of squid, should I have one GRE tunnel per
> instance?  Otherwise, it will not matter how many instances I have..
> they will all be picked up by the one GRE tunnel.

The trouble is that the traffic from the proxy to the ASA will be
returning not via GRE, but via direct next-hop (ie, just normal IP
over ethernet.) This is fine normally but the PIX/ASA is "special".

I'm -guessing- that the root problem is that:

Same interface:

* client -> proxy goes via WCCPv2 and GRE;
* proxy -> client if they're on the same subnet goes straight back to the
  client and not via the ASA itself;

Different interface:

* client -> proxy goes via WCCPv2 and GRE;
* proxy -> client needs to go via the ASA, but with a spoofed source address
  (ie, the "pretend" internet http server address), and the ASA is unhappy
  with this.

I can't be sure without owning a PIX/ASA.



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
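The two cases Adrian sketches above come down to one asymmetry: the client->proxy leg is forced through the GRE tunnel by the ASA, while the proxy->client leg is chosen by the proxy's ordinary routing table, carrying the origin server's address as source after conntrack reverses the DNAT. The following is an added, constructed model of that decision (not code from the thread or from Squid). The proxy address and port 3129 come from the DNAT rule quoted above; the ASA inside address, the origin server address, the routing table and the ASA-side anti-spoofing check are all assumptions made for illustration, not facts from the thread.

```python
"""Model of the asymmetric WCCP/GRE path discussed in the thread.

Added, constructed example; not code from the thread or from Squid.
Forward traffic (client -> origin) is redirected by the ASA over GRE and
DNATed to Squid on the proxy box.  The reply from Squid leaves by the
proxy's ordinary routing table, with the origin server's address as
source, so where it goes depends only on the client's address.
"""
import ipaddress

PROXY_IP   = "192.168.79.2"     # Squid host, as in the DNAT rule in the thread
ASA_INSIDE = "192.168.79.1"     # assumed ASA inside address (default gateway)
ORIGIN_IP  = "203.0.113.10"     # assumed "pretend" internet web server

# Assumed proxy routing table: connected LAN plus default via the ASA.
# Longest prefix wins, as in the kernel FIB.  The GRE interface "wccp"
# has no route of its own; packets only ever *arrive* through it.
ROUTES = [
    (ipaddress.ip_network("192.168.79.0/24"), "eth0", None),
    (ipaddress.ip_network("0.0.0.0/0"),       "eth0", ASA_INSIDE),
]

# Networks the ASA expects as sources on its inside interface (assumed;
# used only by the hypothetical anti-spoofing check below).
ASA_INSIDE_NETS = [ipaddress.ip_network("192.168.79.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (device, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def forward_path(client_ip):
    """client -> proxy: the ASA intercepts port 80 and wraps it in GRE, so
    the packet arrives on 'wccp' and is DNATed to Squid no matter where
    the client sits."""
    return {"ingress": "wccp", "src": client_ip, "dst": PROXY_IP, "dport": 3129}


def return_path(client_ip):
    """proxy -> client: the reply carries the origin server's address as
    source (conntrack reverses the DNAT) and is routed like any packet."""
    dev, gw = route_lookup(client_ip)
    return {"egress": dev, "next_hop": gw, "src": ORIGIN_IP, "dst": client_ip,
            "via_asa": gw == ASA_INSIDE}


def asa_accepts_on_inside(pkt):
    """Hypothetical anti-spoofing rule (assumption, not from the thread):
    a packet entering the ASA's inside interface must carry a source
    address from an inside network."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in n for n in ASA_INSIDE_NETS)


def trace(client_ip):
    """Return (forward, reply, verdict) for one client address."""
    fwd = forward_path(client_ip)
    ret = return_path(client_ip)
    if not ret["via_asa"]:
        verdict = "direct to client, ASA never sees it"
    elif asa_accepts_on_inside(ret):
        verdict = "accepted by ASA"
    else:
        verdict = "dropped by ASA anti-spoofing check (assumed)"
    return fwd, ret, verdict


if __name__ == "__main__":
    for client in ("192.168.79.50", "10.1.2.3"):
        fwd, ret, verdict = trace(client)
        print(f"client {client}: in via {fwd['ingress']}, out via "
              f"{ret['egress']} next hop {ret['next_hop']}, "
              f"src {ret['src']} -> {verdict}")
```

Running it traces a same-subnet client (reply goes straight out eth0 to the client, the ASA never sees it) and a client behind another ASA interface (reply goes to the ASA as default gateway with an outside address as source). The model makes the point that the route lookup ignores the source address, so nothing on the Linux side steers the spoofed reply back into the tunnel; whether the ASA then drops it is the part Adrian says he cannot confirm without the hardware, and the check here is only a stand-in for that guess.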
