On Mon, 14 Mar 2011 20:25:24 +0800, mrito@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> hi List,
> I'm trying to set up a Cisco ASA 5510 & squid 3.0 WCCP and already followed some sources on the website procedures but client browsing still does not work. I can ping the public DNS of the website we're trying to access via client PC but the problem is they cannot connect when using the browser.
ICMP protocol used by ping is not sent over the tunnel hops. So ping is meaningless when WCCP and similar diversions are involved.
> We've created a GRE tunnel on the Squid box (running Linux):
> # iptunnel add gre2 mode gre remote 172.16.9.11 local 172.16.9.14 dev eth0
> # ifconfig gre2 127.0.0.2 up
> (where 172.16.9.11 is the internal interface of our ASA and 172.16.9.14 is the IP of our squid proxy server)
So far so good (assuming the ASA likes those IPs too).
> Then we've set up iptables to redirect port 80 to our proxy on port 8080:
> # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
You need a back-path NAT to make it symmetric. The easy way is
MASQUERADE in the POSTROUTING chain.
Maybe rp_filter and forwarding as well.
http://wiki.squid-cache.org/Features/Wccp2#Squid_box_OS_configuration
> Our Squid 2.7.STABLE3 config file contains:
> http_port 172.16.9.14:8080 transparent
> wccp2_router 172.16.9.11
> We can tell that WCCP connects because in the ASA we have:
> ALTVPN# sh wccp
> Global WCCP information:
> Router information:
> Router Identifier: 172.16.18.1
Here we are: the primary router identifier. By mutual agreement of the WCCP protocol, just to confuse, this indicates the likely ID value for wccp2_router.
Try:
wccp2_router 172.16.18.1
> Protocol Version: 2.0
> Service Identifier: web-cache
> Number of Cache Engines: 0
When Squid starts it sends a HERE_I_AM packet to the $wccp2_router. That packet seems not to be getting through OR not being accepted by the ASA.
Try the above alternative IP. If that fails it may be worth trying every other IP the router has.
> Number of routers: 0
> Total Packets Redirected: 5595
> Redirect access-list: -none-
> Total Connections Denied Redirect: 0
> Total Packets Unassigned: 41
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> Total Bypassed Packets Received: 0
> However, clients are getting timeouts when trying to browse the internet.
> In the ASA logs, I'm seeing:
> Denied ICMP type=3, code=3 from PROXY on interface inside
> No matching connection for ICMP error message: icmp src inside:PROXY dst identity: (type 3, code 3) on inside interface.
Interesting. I was of the understanding that WCCP is supposed to
fail-open so clients have something equivalent to always-up service.
> Please see also below running config we have on our Cisco ASA 5510 Router:
> dns-guard
> !
> interface Ethernet0/0
> nameif internet
> security-level 0
> ip address 122.3.237.69 255.255.255.240
> ospf cost 10
> !
> interface Ethernet0/1
> nameif LAN
> security-level 100
> ip address 172.16.9.11 255.255.255.0
> ospf cost 10
> !
> interface Ethernet0/2
> nameif DMZ
> security-level 50
> ip address 172.16.10.10 255.255.255.0
> ospf cost 10
> !
> interface Ethernet0/3
> description Connection to Proxy Server
> nameif LAN-TEST
> security-level 0
> ip address 172.16.18.1 255.255.255.0
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> no ip address
> ospf cost 10
> management-only
> ALTVPN# sh route
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> * - candidate default, U - per-user static route, o - ODR
> P - periodic downloaded static route
> Gateway of last resort is 122.3.237.65 to network 0.0.0.0
> C 172.16.9.0 255.255.255.0 is directly connected, LAN
> C 122.3.237.64 255.255.255.240 is directly connected, internet
> S* 0.0.0.0 0.0.0.0 [1/0] via 122.3.237.65, internet
> <snip>
Amos
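The Linux-side pieces discussed in the thread (GRE tunnel, rp_filter, forwarding, the REDIRECT rule and the back-path MASQUERADE), collected into one reviewable script. This is an added example, not code from the thread, from Amos or from the Squid project; the addresses, device name and port are the thread's values used as placeholder defaults and are assumptions to be overridden per site. One deliberate difference from the iptables rule posted above: the REDIRECT here matches on the GRE device rather than eth0, because the packet the ASA sends arrives on eth0 as GRE (IP protocol 47) and is only seen as tcp/80 after decapsulation, when the kernel re-injects it with the tunnel device as its input interface.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): the Linux-side
# configuration of a Squid box receiving WCCPv2 redirects over GRE.
# The defaults below are the thread's placeholder values (assumptions);
# override them via the environment for a real deployment.
ASA_IP="${ASA_IP:-172.16.9.11}"        # ASA inside address, GRE remote end
SQUID_IP="${SQUID_IP:-172.16.9.14}"    # Squid box address on the LAN, GRE local end
LAN_IF="${LAN_IF:-eth0}"               # interface the GRE packets arrive on
GRE_DEV="${GRE_DEV:-gre2}"             # tunnel device name
GRE_ADDR="${GRE_ADDR:-127.0.0.2}"      # any address; the device only needs to be up
SQUID_PORT="${SQUID_PORT:-8080}"       # the 'transparent' http_port in squid.conf

# Print the commands one per line so they can be reviewed before being run.
wccp_gre_cmds() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $GRE_DEV mode gre remote $ASA_IP local $SQUID_IP dev $LAN_IF
ip addr add $GRE_ADDR/32 dev $GRE_DEV
ip link set $GRE_DEV up
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$GRE_DEV.rp_filter=0
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $GRE_DEV -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
EOF
}
# Notes on the choices above:
# - rp_filter: the decapsulated packets carry client source addresses whose
#   return route is $LAN_IF, not $GRE_DEV, so strict reverse-path filtering
#   on the tunnel device drops them. The kernel applies the larger of the
#   'all' and per-device values, so 'all' must be 0 for the per-device 0 to
#   take effect; other interfaces keep their own per-device setting.
# - REDIRECT on $GRE_DEV: a rule on $LAN_IF only ever sees GRE (protocol 47)
#   packets there and never matches tcp/80.
# - FORWARD DROP: intercepted flows are delivered locally by REDIRECT, so
#   nothing needs forwarding; with ip_forward=1 and no policy the proxy host
#   would otherwise route between any networks it can reach.
# - MASQUERADE on $LAN_IF is the back-path NAT recommended in the thread; the
#   nat table only acts on the first packet of a connection, so it affects
#   new connections leaving via $LAN_IF, not the replies to intercepted flows.

# Apply the commands in order, stopping at the first failure so a half-built
# configuration is obvious rather than silently incomplete.
wccp_gre_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "wccp_gre_apply: must run as root" >&2; return 1; }
    wccp_gre_cmds | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        # 'exit' here ends only the loop's subshell; the pipeline then fails.
        eval "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
    done
}

# Usage: 'sh wccp-gre.sh' prints the commands; 'sh wccp-gre.sh apply' runs them.
case "${1:-show}" in
    apply) wccp_gre_apply ;;
    *) wccp_gre_cmds ;;
esac
```

Run it without arguments first and compare the output against what is already on the box (`ip tunnel show`, `iptables -t nat -S`, `sysctl net.ipv4.conf`), then run it as root with `apply`. The 'transparent' http_port must be on the same port the REDIRECT targets, and WCCP itself (UDP 2048, the HERE_I_AM / I_SEE_YOU exchange) is configured in squid.conf with wccp2_router, not here.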