On 22/05/11 09:57, Tux Mason wrote:
Hello,
Am having trouble getting WCCP2 to work with a Cisco 1800 series router.
The problem I have noticed is traffic sent to the squid box with a
private IP. The output of netstat:
netstat -ntlpua
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 SQUID_PUBLIC_IP:3128    0.0.0.0:*               LISTEN      17232/(squid)
tcp        0      0 SQUID_PUBLIC_IP:3128    10.10.10.2:59504        SYN_RECV    -
tcp        0      0 SQUID_PUBLIC_IP:3128    10.10.10.2:59505        SYN_RECV    -
tcp        0      0 SQUID_PUBLIC_IP:3128    10.10.10.2:51024        SYN_RECV    -
udp        0      0 SQUID_PUBLIC_IP:2048    ROUTER_PUBLIC_IP:2048   ESTABLISHED 17232/(squid)
Below are my configurations
Router:
!
ip wccp web-cache redirect-list 120 group-list 2
!
interface FastEthernet0/0
description LAN Gateway
ip address 10.10.10.1 255.255.255.0
ip wccp web-cache redirect in
...
!
interface FastEthernet0/1
description Internet Uplink
ip address <ROUTER_PUBLIC_IP>
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit <SQUID_PUBLIC_IP>
access-list 120 deny ip host <SQUID_PUBLIC_IP> any
access-list 120 permit tcp 10.10.10.0 0.0.0.255 any eq www
access-list 120 deny ip any any
!
Squid Box:
----------------------------- /etc/squid/squid.conf --------
http_port 41.221.49.249:3128 intercept
wccp2_router <ROUTER_PUBLIC_IP>
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp_version 2
...
----------------------------End squid.conf ------------------
---------------------------Network settings ----------------
# create the GRE tunnel first; the mtu can only be set once wccp0 exists
/sbin/ip tunnel add wccp0 mode gre remote <ROUTER_IP_PUBLIC_IP> local <SQUID_PUBLIC_IP> dev eth0
# 1500 minus the 24 bytes of outer IP + GRE header
/sbin/ip link set wccp0 mtu 1476
/sbin/ip addr add <SQUID_PUBLIC_IP> dev wccp0
/sbin/ip link set wccp0 up
/sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0
----------------------------End network -----------------------------
How can I get the router to send traffic using the public IP instead
of the private IP?
Looks to be perfectly working.
You seem to mistake how WCCP works. It is a tunnel, where the HTTP
packets entering the Cisco router get sent *unchanged* to the Squid box
for handling. Exactly as if you had plugged the Squid box in as a second
router or bridge between the Cisco and clients.
Don't worry about it. The global connections will go back to the
Cisco with the Squid box IP and then go through whatever border NAT you
have in place. The private client IP will never touch the global
Internet directly.
As it stands you can track the internal LAN PC behaviour directly from
the Squid logs without having to record and lookup NAT conversions after
the fact.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
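To make the tunnel behaviour Amos describes concrete, here is an added example that is not part of the thread: it builds a constructed WCCPv2 GRE-encapsulated TCP SYN (service id 0, matching `wccp2_service standard 0`) and decodes it the way the Squid box's kernel would, showing that the inner packet still carries the client's private source address, which is exactly why netstat lists 10.10.10.2. The destination address 203.0.113.10 and the redirect-header field layout are assumptions.

```python
import ipaddress
import struct

GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP redirection


def build_wccp_gre_packet(client_ip, client_port, dst_ip, dst_port, service_id=0):
    """Constructed sample of what the router sends to Squid over GRE (not a real capture)."""
    # inner TCP SYN: 20-byte IPv4 header + 20-byte TCP header, checksums left at zero
    tcp = struct.pack("!HHIIBBHHH", client_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(client_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    # plain GRE header (no checksum/key/sequence) followed by the 4-byte WCCP
    # redirect header: flags (T/A bits), service id, alt bucket, primary bucket
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_WCCP)
    wccp = struct.pack("!BBBB", 0x00, service_id, 0, 0)
    return gre + wccp + ip + tcp


def decode_wccp_gre(payload):
    """Strip GRE + WCCP redirect header and return the inner 5-tuple, untouched by the router."""
    flags, proto = struct.unpack_from("!HH", payload, 0)
    if proto != GRE_PROTO_WCCP:
        raise ValueError(f"not a WCCP GRE payload: proto 0x{proto:04x}")
    if flags & 0xF000:  # C/R/K/S bits would add optional GRE fields; not handled here
        raise ValueError("GRE optional fields not supported")
    service_id = payload[5]
    inner = payload[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", inner, ihl)
    return {
        "service_id": service_id,
        "proto": inner[9],
        "src": str(ipaddress.ip_address(inner[12:16])),
        "sport": sport,
        "dst": str(ipaddress.ip_address(inner[16:20])),
        "dport": dport,
    }


if __name__ == "__main__":
    pkt = build_wccp_gre_packet("10.10.10.2", 59504, "203.0.113.10", 80)
    print(decode_wccp_gre(pkt))  # src is the private LAN client, as in the netstat output
```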