Tony Dodd wrote:
> Adrian Chadd wrote:
>> Didn't someone point out a few weeks ago that Cisco only supports wccp
>> redirection on the same interface as clients?
>>
>> The ASA is probably (quite rightly, it's a firewall!) dropping the
>> packets coming in from the DMZ as they're spoofed from another
>> interface it knows about.
>>
>> You may be short of luck; you may have to put the proxy on INSIDE. See
>> if that works. I'd offer better advice but I don't have an ASA to
>> actually do testing on..
>
> Actually, it depends on the firewall configuration mode... if it's in
> transparent mode, you're s.o.l, as the max number of interfaces == 3
> (including the management interface). If it's in routed mode, you stand
> a better chance, and can enable communication between the interfaces.
> The logging buffer will reveal all though.
>

Well, it's in routed mode; I have 4 interfaces, but I left one out of the original post for clarity.

The logged event is "Deny TCP (No Connection) from spoofed-ip/80 to client-ip/2241 flags SYN ACK".

My problem now is that my cisco-fu is weak, and the ASDM GUI offers no option to permit spoofed ACK packets; at least, I couldn't find one. I posted the same question to a Cisco 'self-study' group but the responses were not helpful.

I think I'll have to put the squid on the inside interface instead of the DMZ, which is a shame. If anyone does know how to persuade the Cisco gear to allow the spoofed packets back through I'd be grateful; "allow ip any any" doesn't work. I will push google a bit harder before I give up though.

--
Daniel Rose
National Library of Australia
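Reading the firewall log the way Tony suggests ("the logging buffer will reveal all"): an added Python example, not from the thread, that parses deny messages of the shape Daniel quotes and counts the stateless SYN/ACK replies per spoofed source and interface, which is the fingerprint of WCCP redirection answering from a different interface than the one the client's SYN left on. The optional `%ASA-6-106015:` prefix, the `on interface <name>` suffix and the sample log lines are assumptions constructed here.

```python
import re
from collections import Counter

# Matches the message Daniel quotes. The syslog-ID prefix and the
# "on interface" suffix are assumed optional extras, not from the post.
DENY_RE = re.compile(
    r"(?:%ASA-\d-106015:\s*)?Deny TCP \([Nn]o [Cc]onnection\) from "
    r"(?P<src>[\w.:-]+)/(?P<sport>\d+) to (?P<dst>[\w.:-]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)(?: on interface (?P<iface>\S+))?\s*$"
)

# Constructed sample log: three SYN/ACKs from a web server's address arriving
# on the DMZ with no connection state, plus an unrelated ACK-only deny.
SAMPLE_LOG = """\
Deny TCP (No Connection) from 203.0.113.10/80 to 192.0.2.25/2241 flags SYN ACK on interface dmz
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.25/2242 flags SYN ACK on interface dmz
Deny TCP (No Connection) from 203.0.113.10/443 to 192.0.2.26/3301 flags SYN ACK on interface dmz
Deny TCP (No Connection) from 192.0.2.40/51000 to 203.0.113.7/25 flags ACK on interface inside
not a deny line at all
"""


def parse_deny(line):
    """Return a dict for a 'Deny TCP (No Connection)' line, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = set(ev["flags"].split())
    return ev


def is_orphan_reply(ev):
    # A SYN/ACK is only ever a server's answer to a client SYN. If the ASA has
    # no connection entry for it, it never saw that SYN go out on this path:
    # the reply is coming back through a different interface than the request
    # left on, which is what a proxy on the DMZ spoofing the origin IP produces.
    return {"SYN", "ACK"} <= ev["flags"] and "RST" not in ev["flags"]


def summarize(log_text):
    """Count orphan SYN/ACK denies per (spoofed source IP, ingress interface)."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev and is_orphan_reply(ev):
            hits[(ev["src"], ev["iface"])] += 1
    return hits
```

A single source address repeatedly denied with SYN ACK on one interface, as in the sample, is the pattern to look for before changing any rules; an "allow ip any any" ACL cannot fix it because the drop is a state-table miss, not an ACL decision.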