
Re: WCCP, Cisco ASA and asymmetric path

On 9/07/2012 8:52 p.m., Abdessamad BARAKAT wrote:
> Hi,
>
> I am trying to set up Squid with WCCP redirection from a Cisco ASA firewall:
>
> - squid :
>
> Squid Cache: Version 3.1.20
>
> configure options:   --enable-ltdl-convenience
>
> - Cisco ASA 8.2.2
>
> My problem is with an asymmetric path: the redirect was made by the
> ASA and Squid receives the SYN packet on the GRE interface but
> replies (SYN,ACK) on the ethernet interface.

Why is that a problem? The packets are going back to the router, which should be sending them to the clients regardless of the source.



> So I saw in some posts that I need to "masquerade" the traffic to force
> the return path onto the GRE. I have tried this but without effect; I
> can see the rules are matched:

Only if you are NATing them to use a different source address. It does not determine the machine's outgoing interface.

> Chain PREROUTING (policy ACCEPT 2656 packets, 317K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2802  135K REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0      tcp dpt:80 redir ports 3139
>
> Chain POSTROUTING (policy ACCEPT 8582 packets, 562K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 28516 1866K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Makes all packets from the proxy appear to have come from the WAN IP on that interface.



> I found this post
> (http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg64899.html),
> where "tom" says that with a Cisco ASA you need to have the proxy server
> also on the clients' LAN... I tried this and I can see it works with
> this rule, but for me it's not a usable topology.

It is not required. Just an easier way to plug the network together.



> Does anyone have an idea for making the redirection work where the clients
> and the proxy aren't on the same LAN?

All you have to do is make sure the router handling the packets back *to* the clients knows where to send them. Check that your router rules are accepting packets in through the eth* where Squid is plugged which are destined to the clients OR to the Internet; Squid will send both back to the router.

(I can't help you on the particulars sorry).

Amos
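The following script is an added example and is not code from this thread, from Amos or from the Squid project. It writes out, as a checklist, the Linux-side configuration a Squid box needs to receive WCCPv2 GRE redirects and intercept port 80: the GRE tunnel, the reverse-path-filter relaxation that the asymmetric GRE-in/Ethernet-out path in the thread requires, the single REDIRECT rule on the tunnel interface, and two checks (the route the kernel will actually use towards a client, and the REDIRECT counters). It deliberately adds no MASQUERADE rule, since that only rewrites the source address and does not choose the outgoing interface. All addresses and the interface name eth0 are constructed placeholders; wccp0 and port 3139 are the values from the thread's own rules. Nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: emits (or, with
# APPLY=1, runs) the Linux-side WCCPv2/GRE interception setup for Squid.
set -eu

ROUTER_IP="${ROUTER_IP:-192.0.2.1}"   # constructed: the ASA address that sends the GRE redirects
SQUID_IP="${SQUID_IP:-192.0.2.10}"    # constructed: the proxy's address on its Ethernet side
ETH_DEV="${ETH_DEV:-eth0}"            # assumed name of the proxy's Ethernet interface
GRE_DEV="${GRE_DEV:-wccp0}"           # tunnel interface name used in the thread
SQUID_PORT="${SQUID_PORT:-3139}"      # intercept port used in the thread's REDIRECT rule

# 1. GRE tunnel: the router encapsulates redirected client SYNs into GRE addressed
#    to the proxy; binding the tunnel to the proxy's own address lets the kernel
#    decapsulate them onto $GRE_DEV.
tunnel_cmds() {
    printf '%s\n' \
      "ip tunnel add $GRE_DEV mode gre remote $ROUTER_IP local $SQUID_IP dev $ETH_DEV" \
      "ip addr add $SQUID_IP/32 dev $GRE_DEV" \
      "ip link set $GRE_DEV up"
}

# 2. Reverse-path filtering: the SYN arrives on the GRE interface, but the route
#    back to the client points out the Ethernet interface (the asymmetry in the
#    thread). Strict rp_filter would silently drop the SYN, so turn it off on the
#    tunnel and use loose mode globally (the kernel applies the larger of the
#    'all' and per-interface values).
sysctl_cmds() {
    printf '%s\n' \
      "sysctl -w net.ipv4.conf.$GRE_DEV.rp_filter=0" \
      "sysctl -w net.ipv4.conf.all.rp_filter=2"
}

# 3. NAT: one REDIRECT on the tunnel interface hands port-80 flows to Squid.
#    No MASQUERADE is added: it only rewrites the source address and does not
#    decide which interface the SYN/ACK leaves on; the routing table does.
nat_cmds() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $GRE_DEV -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}

# 4. Checks: which interface the kernel will use to reach a given client (this,
#    not NAT, is the return path), and whether the REDIRECT counters move, which
#    is what "the rule is matched" means.
check_cmds() {
    client="$1"
    printf '%s\n' \
      "ip route get $client" \
      "iptables -t nat -L PREROUTING -v -n | grep -w REDIRECT"
}

# Print each command, or run it when APPLY=1 (requires root and iproute2/iptables).
apply_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then
        while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd"
        done
    else
        cat
    fi
}

all_cmds() {
    tunnel_cmds
    sysctl_cmds
    nat_cmds
    check_cmds "${CLIENT_IP:-192.0.2.50}"   # constructed: a client address to test routing towards
}

all_cmds | apply_or_print
```

Run it once without APPLY to review the commands, then with the real router, proxy and client addresses in the environment. If `ip route get <client>` names the Ethernet interface rather than wccp0, that is the expected shape of the path Amos describes: the reply leaves via Ethernet and the router on that segment must be willing to forward it to the client.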

