
Re: Transparent caching proxy, ASA-Squid3


 



What is your network setup?

What is the position of each device related to the other on the network?

Both of them on the same network?


Eliezer




On 22/04/2011 11:43, bmm-mailinglist wrote:

Hi all,

I am a new Squid user. I like Squid's ease of setup and use. Unfortunately, I've hit a snag.
For the past week or so, I have been trying to get a transparent caching proxy going between our Cisco ASA 5510 firewall (with 8.3(2) software) and a fresh Squid 3 install on an Ubuntu 10.04 LTS (default squid3 package from Ubuntu repo).

So far I have been unsuccessful.
The caching proxy bit works just fine. If I manually point my browser to the Squid machine to use as a proxy, it works just as it should.
I can't get the redirect working, though. Packets redirected by the ASA just seem to get dropped somewhere along the line.
I have followed the directions stated in http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#WCCP_-_Web_Cache_Coordination_Protocol. This setup did not work.
After trying anything I could think of myself (and not being an expert at this, that wasn't a whole lot), I've taken to the mailing list archives.
There, I found this thread: http://www.squid-cache.org/mail-archive/squid-users/201103/0284.html, which is similar to my situation.
I also followed the directions mentioned there, but unfortunately that did not solve my problem either.

In any case, the situation right now is as follows:

The ASA is set up for WCCP, seemingly correctly (although ASA documentation on WCCP is less than stellar).
It has recognized the Squid cache, is receiving Squid's Here I Am packets and is returning I See Yous.
According to the counter, it is also forwarding packets to Squid when I activate the rule.

I've set a logging rule on the prerouting table in iptables. It shows packets are coming in. So far so good.
I've also set a logging rule on the postrouting, output and forward tables, but nothing seems to be leaving the Squid machine, other than the hello packets to the ASA every 10 seconds.
Setting log_access to either allow or deny also does not create any entries in the access.log file. It seems, therefore, that the packets never reach that stage.

I'm kind of out of ideas at this point. Can someone point me in the right direction to start shooting at trouble again?

Some relevant config:

ASA

wccp web-cache redirect-list proxy group-list wccp-acl password *****
wccp interface inside web-cache redirect in

access-list proxy extended permit tcp 10.0.0.0 255.0.0.0 any eq www inactive
access-list wccp-acl extended permit ip host 10.1.7.5 any


Squid:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/squid/cache 184320 16 256
access_log /var/log/squid3/access.log squid

wccp2_router 10.1.0.254
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0 password=squid
wccp2_address 0.0.0.0


iptables:

Chain PREROUTING (policy ACCEPT)
target         prot  opt  source               destination
LOG            all     --    anywhere             anywhere            LOG level warning prefix `pre'
REDIRECT  tcp    --    anywhere             anywhere            tcp dpt:www redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target                     prot  opt   source               destination
LOG                        all     --     anywhere             anywhere            LOG level warning prefix `post'
MASQUERADE      all     --     anywhere             anywhere


So again, any pointers would be most welcome. Should you need more config info, don't hesitate to ask.
Thanks in advance.

Regards,

Bart



