Re: How to set the IP of the real originator in HTTP requests (instead of Squid's IP)?

On Tue, 29 Nov 2011 17:35:20 +0100, Leonardo wrote:
> Dear all,
>
> We have a Cisco ASA firewall between our internal network and the
> Internet.  Our Squid transparent proxy (v3.1.7) is just behind the
> firewall.
>
> Our problem concerns IP address translation from private to public.
> Specifically, we would like that clients go out on the Web with a
> public IP address which depends on the subnet the client is in.
> However, we can't differentiate the addresses as the Cisco ASA sees
> only the IP private address of the Squid as originator of all HTTP
> requests.

That would be because it is the originator of those TCP connections.

> I haven't set the directive forwarded_for in my Squid config, which
> should mean that, by default, the real originator is passed in an
> X-Forwarded-For header.
>
> I'd like to know if there is something else that can be done on the
> Squid side, or if now I need to work solely on the config of the Cisco
> ASA (as I believe).

What you are asking about is TPROXY, which makes Squid appear to be the client, complicating your ASA configuration as it attempts to figure out which traffic goes to Squid and which directly to the clients.


There are several alternative approaches you will want to consider which avoid the complexity and troubles TPROXY IP spoofing adds to the network.


First among these is tcp_outgoing_address, to perform the outgoing address selection in Squid based on a src ACL for each subnet. You can emit from Squid either the public IP for that client subnet (so the ASA does not have to change anything), or an IP reserved for Squid within each subnet and leave the ASA config as-is.

Secondly, you can use tcp_outgoing_tos on the same ACL criteria as above, with a TOS value per subnet for the ASA to perform routing and NAT decisions on. This does mean some changes to the ASA to work with the TOS.

Amos
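A worked squid.conf fragment for the two alternatives Amos describes, added here as an illustration and not taken from the original thread or from the Squid project. The subnets (10.1.0.0/16, 10.2.0.0/16), the public addresses (203.0.113.10 and 203.0.113.20) and the TOS values are assumed placeholders; the directives acl, tcp_outgoing_address and tcp_outgoing_tos are Squid's own.

```conf
# Added example, not from the original thread. Addresses, subnets and
# TOS values below are assumed placeholders; replace with your own.

# Interception port as in a Squid 3.1 transparent setup (assumed; the
# original post does not show the http_port line). With interception the
# src ACLs below still see the real client address, not the firewall's.
http_port 3128 intercept

# One src ACL per internal subnet (assumed ranges).
acl net_a src 10.1.0.0/16
acl net_b src 10.2.0.0/16

# Alternative 1: choose the outgoing source address per subnet.
# Squid binds the upstream TCP connection to this address, so each one
# must already be configured on the Squid host (or an error is logged
# and the connection fails). The first fully matching line wins, so
# keep the most specific subnets first.
# If these are the public addresses for each subnet, the ASA only has to
# route them without translation; if they are private per-subnet
# addresses reserved for Squid, the existing ASA NAT rules apply.
tcp_outgoing_address 203.0.113.10 net_a
tcp_outgoing_address 203.0.113.20 net_b

# Alternative 2: mark the outgoing packets with a TOS value per subnet
# (assumed values) and let the ASA decide routing and NAT from the TOS
# byte. Use this instead of, not in addition to, Alternative 1 unless
# you need both the source address and the mark.
#tcp_outgoing_tos 0x10 net_a
#tcp_outgoing_tos 0x20 net_b
```

Check the result with `squid -k parse` before reloading, then confirm on the Squid host (for example with `ss -tnp` or `netstat -tnp`) that upstream connections from a client in 10.1.0.0/16 are sourced from 203.0.113.10. If they still come from Squid's primary address, the address is either not assigned to a local interface or the ACL did not match, which with interception usually means the client's real address is not what the src ACL expects.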

