You can probably try to disable the unicast RPF feature on the ASA. I know how it works on routers, but it's probably pretty similar on the ASA series (I also do not have one for testing... I wish I could), although that's not the best method because it will fully disable uRPF verification.

To disable uRPF you need to:

* have ip cef available:

    ASA(conf)# ip cef

* disable uRPF on the desired interface:

    ASA(conf)# no ip verify unicast reverse-path

For enhanced security you should allow only the "needed" spoofed packets to flow through it... to do it properly, just set up an ACL allowing them and add it to the command:

    ASA(conf)# ip verify unicast reverse-path ACL

I also don't really know if it's going to solve your problem because I missed your initial post and couldn't find it on the list anymore... You can also gather more information about RPF at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm#wp1003369

Tell me how that worked out for you.

Best regards,
Bruno Benchimol

-----Original Message-----
From: Daniel Rose [mailto:drose@xxxxxxxxxx]
Sent: Sunday, 23 December 2007 18:42
To: Tony Dodd
Cc: Adrian Chadd; squid-users@xxxxxxxxxxxxxxx
Subject: Re: wccp transparent proxy; returned spoofed packets are dropped!

Tony Dodd wrote:
> Adrian Chadd wrote:
>> Didn't someone point out a few weeks ago that Cisco only support wccp
>> redirection on the same interface as clients?
>>
>> the ASA is probably (quite rightly, it's a firewall!) dropping the
>> packets coming in from the DMZ as they're spoofed from another interface
>> it knows about.
>>
>> You may be short of luck; you may have to put the proxy on INSIDE. See
>> if that works.
>> I'd offer better advice but I don't have an ASA to actually do testing
>> on..
>
> Actually, it depends on the firewall configuration mode... if it's in
> transparent mode, you're s.o.l, as the max number of interfaces == 3
> (including the management interface). If it's in routed mode, you stand
> a better chance, and can enable communication between the interfaces.
> The logging buffer will reveal all though.
>

Well it's in routed mode; I have 4 interfaces, but I left one out of the
original post for clarity.

The logged event is "Deny TCP (No Connection) from spoofed-ip/80 to
client-ip/2241 flags SYN ACK"

My problem now is that my cisco-fu is weak, and the ASDM GUI offers no
option to permit spoofed ack packets; at least, I couldn't find one. I
posted the same question to a cisco 'self-study' group but the responses
were not helpful.

I think I'll have to put the squid on the inside interface instead of the
DMZ, which is a shame.

If anyone does know how to persuade the cisco gear to allow the spoofed
packets back through I'd be grateful; "allow ip any any" doesn't work.

I will push google a bit harder before I give up though.

--
Daniel Rose
National Library of Australia
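Bruno's ACL-scoped variant, written out as an added example in Cisco IOS syntax (it is not from the thread, and Bruno notes he has no ASA to test on). Assumed and constructed values: GigabitEthernet0/1 is the DMZ interface where Squid sits, 10.0.0.0/24 is the inside client network, and ACL number 150 is a placeholder.

```cisco
! Added example, not from the thread. IOS: strict uRPF with an exemption ACL.
! Assumed/constructed values: GigabitEthernet0/1 = DMZ holding Squid,
! 10.0.0.0/24 = inside clients, ACL 150 = placeholder number.
ip cef
!
! When a packet fails the reverse-path check, IOS evaluates it against the
! ACL named on the interface: permitted packets are forwarded, denied ones
! are dropped. Permit only what WCCP return traffic looks like here: a reply
! sourced from an origin web server port (80) towards an inside client.
access-list 150 remark uRPF exemption for Squid/WCCP return traffic on the DMZ
access-list 150 permit tcp any eq www 10.0.0.0 0.0.0.255
access-list 150 deny ip any any log
!
interface GigabitEthernet0/1
 description DMZ (Squid, WCCP return path)
 ip verify unicast reverse-path 150
!
! Verification from enable mode: confirm the check and ACL are applied to the
! interface, then watch the RPF drop counter to see whether the spoofed
! replies are hitting the exemption or are still being dropped.
! show ip interface GigabitEthernet0/1 | include verify
! show ip traffic | include RPF
```

Note that the event Daniel quotes, "Deny TCP (No Connection)", is the ASA's stateful-inspection drop for a SYN/ACK with no matching connection entry, whereas a reverse-path failure is logged separately as a "reverse path check" denial, so a uRPF exemption alone does not address the logged drop.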