I have this setup working differently but did you get HTTPS working?
Just wondering. Try going to an https site.
Let me know your findings.
-Parvinder Bhasin
On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote:
Daniel, Akos wrote:
Hi,
ASA does not support any IPoverIP such as GRE. Which SW version do you
have on the ASA? Could you send me the link where it is written to
create a tunnel between the ASA and the Squid?
What is your ASA config?
"sh run interface"
"sh run wccp" or "sh run | grep wccp"
Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
Regards,
Akos
Hi,
the WCCP standard requires GRE. Also, you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
After some testing I found some log entries on the ASA saying that it
cannot find any NAT entries for the answer packets. So I created a
nat-exempt rule for this. This stops the messages, but it doesn't work.
But now I've found the solution, after some researching on the web, in
this article:
http://www.breezy.ca/?q=node/316
Especially interesting was this:
"For Squid to work with WCCP2 and the Cisco firewall, the Squid
server must be on a common subnet with the web client since the
proxied web client-server sessions cannot traverse the ASA. This is
curious and not particularly well documented anywhere. This is also
different than the Cisco IOS routers (which also support WCCP2)
where the caching server can be on a different subnet. One reason
this is true is that the ASA only supports proxying for packets that
arrive in (ie: inbound) on an interface."
Now I've created an internal interface for the server for
communicating with the clients and the firewall. It's not the
optimal solution, but it works now. Perhaps it is interesting for
someone else.
Regards,
Tom