Re: wccp transparent proxy; returned spoofed packets are dropped!

Tony Dodd wrote:
> Adrian Chadd wrote:
>> Didn't someone point out a few weeks ago that Cisco only support wccp
>> redirection on
>> the same interface as clients?
>>
>> the ASA is probably (quite rightly, its a firewall!) dropping the
>> packets coming in
>> from the DMZ as they're spoofed from another interface it knows about.
>>
>> You may be short of luck; you may have to put the proxy on INSIDE. See
>> if that works.
>> I'd offer better advice but I don't have an ASA to actually do testing
>> on..
> 
> Actually, it depends on the firewall configuration mode... if it's in
> transparent mode, you're s.o.l, as the max number of interfaces == 3
> (including the management interface).  If it's in routed mode, you stand
> a better chance, and can enable communication between the interfaces.
> The logging buffer will reveal all though.
> 
> 

Well it's in routed mode; I have 4 interfaces, but I left one out of the original post for clarity.

The logged event is "Deny TCP (No Connection) from spoofed-ip/80 to client-ip/2241 flags SYN ACK"

My problem now is that my Cisco-fu is weak, and the ASDM GUI offers no option to permit spoofed ACK packets; at least, I couldn't find one.

I posted the same question to a Cisco 'self-study' group but the responses were not helpful.

I think I'll have to put the Squid on the inside interface instead of the DMZ, which is a shame.  If anyone does know how to persuade the Cisco gear to allow the spoofed packets back through I'd be grateful; "allow ip any any" doesn't work.  I will push Google a bit harder before I give up though.



-- 
Daniel Rose
National Library of Australia
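The deny message Daniel quotes is the one signal a troubleshooter has when WCCP redirection and a stateful firewall disagree about which interface the proxy's spoofed reply should enter on. The following is an added example, not code from the thread, Squid or Cisco: it parses log lines in the shape quoted above and separates SYN ACK denies with no tracked connection (a handshake reply the firewall never saw a matching SYN leave for on that path, which is the symptom described in this thread) from other no-connection denies. The regex assumes the message shape on the page, plus an optional trailing "on interface NAME" that ASA message 106015 normally appends; the sample log lines and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Message shape quoted in the thread. The trailing "on interface X" is optional
# because the real %ASA-6-106015 text appends it while the post omitted it
# (assumption made for this example).
DENY_RE = re.compile(
    r"Deny TCP \(No Connection\) from (?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst>\S+?)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)"
    r"(?: on interface (?P<iface>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class NoConnDeny:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]
    iface: Optional[str]  # None when the logged text lacks the interface suffix

    @property
    def is_handshake_reply(self) -> bool:
        """True for a bare SYN ACK the firewall has no connection entry for.

        A server-side SYN ACK with no state means the firewall never tracked a
        matching SYN towards that source on this path. With a WCCP cache that
        spoofs the origin server from a different interface (the DMZ in the
        thread) every redirected flow produces one of these.
        """
        return {"SYN", "ACK"} <= self.flags and not (self.flags - {"SYN", "ACK"})


def parse_deny(line: str) -> Optional[NoConnDeny]:
    """Parse one ASA-style no-connection deny; return None for anything else."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return NoConnDeny(
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        flags=frozenset(m["flags"].upper().split()),
        iface=m["iface"],
    )


def triage(lines: List[str]) -> Dict[str, object]:
    """Bucket log lines: handshake replies with no connection, other denies, unparsed."""
    result: Dict[str, object] = {
        "handshake_reply_no_conn": [],
        "other_no_conn": [],
        "unparsed": 0,
    }
    for line in lines:
        deny = parse_deny(line)
        if deny is None:
            result["unparsed"] += 1  # type: ignore[operator]
        elif deny.is_handshake_reply:
            result["handshake_reply_no_conn"].append(deny)  # type: ignore[attr-defined]
        else:
            result["other_no_conn"].append(deny)  # type: ignore[attr-defined]
    return result


# Constructed sample log. The first line mirrors the message quoted in the
# thread; the others use documentation address ranges and are made up.
SAMPLE_LOG = [
    "Deny TCP (No Connection) from 198.51.100.20/80 to 192.0.2.10/2241 flags SYN ACK",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.21/80 "
    "to 192.0.2.10/2242 flags SYN ACK on interface dmz",
    "%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 "
    "to 192.0.2.11/50012 flags FIN ACK on interface outside",
    "Built outbound TCP connection for outside:203.0.113.5/443 (constructed noise line)",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for d in summary["handshake_reply_no_conn"]:  # type: ignore[union-attr]
        where = f" on {d.iface}" if d.iface else ""
        print(f"SYN ACK with no connection: {d.src}:{d.sport} -> {d.dst}:{d.dport}{where}"
              " (check which interface the request left versus where the reply entered)")
    print(f"other no-connection denies: {len(summary['other_no_conn'])},"  # type: ignore[arg-type]
          f" unparsed: {summary['unparsed']}")
```

A run of SYN ACK denies whose source port is the proxied service port (80 here) and whose logged interface is the one the cache sits on, rather than the interface the clients' requests were routed out of, is the pattern to look for before changing any rules; the message says "no connection" because no access list permits a reply the firewall has no state for, which is why "allow ip any any" has no effect.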
