I switched from WCCP to policy based routing, and networks directly connected to the Cisco router started working perfectly. I did run into a small problem with clients in subnets that were not directly connected to the router, but I was able to find a satisfactory solution for that as well, while I search for a more permanent one. Honestly, I had no idea where to even begin when it came to addressing this problem, or what to search for online, and now everything works great. Thank you for the helpful advice, Amos.

Tal

On Sun, Jul 15, 2012 at 7:59 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 16.07.2012 12:50, Jack Black wrote:
>>
>> Hi.
>>
>> I am a network technician, working for a small company that is based
>> in the middle of nowhere in a camp up North, and we provide internet
>> to nearly 1000 clients. The managers of the camp have asked us to
>> implement a system where users will be directed to a page that has
>> some important, camp related information (safety policies, upcoming
>> events, fire warnings, etc.). Using squid and the ext_session_acl
>> helper, along with our Cisco router's WCCP, and some very helpful
>> advice from Amos, I have created such a system, and have been testing
>> it for the past few hours. While the test has been fairly short so
>> far, and has not been under full load (at peak times), it seems to be
>> working perfectly. The only thing stopping it from working at full
>> capacity now is the fact that our network is divided into multiple
>> subnets, and according to some forum posts I have read, the squid
>> proxy server and the clients have to be on the same subnet when using
>> WCCP and a GRE tunnel. I have tried to use ACLs on the Cisco router to
>> direct clients from other subnets to the squid proxy, but as the posts
>> suggested, those clients fail to connect.
>>
>> An image depicting the setup can be found here:
>>
>> http://dxgameunit.webs.com/subnet%20problem.png
>>
>> Does anyone know if it is even theoretically possible to have the
>> squid proxy and the clients in different subnets in this case? What
>> would that require? Is that something that needs to be addressed
>> through squid, the cisco router, or the iptables rules on the squid
>> proxy's OS?
>>
>> Tal
>
>
> The issue, as you noted in an earlier email, is not Squid, nor anything on its
> machine. The ASA, and in particular the use of WCCP and GRE it provides, is
> directly causing it.
>
> To resolve your problems you are therefore required to drop WCCP and GRE,
> moving instead to true policy routing to pass packets to the Squid machine.
>
> The routing topology in the ASA needs to move packets like so:
>   if arriving from the client interface -> gateway via Squid
>   if arriving from the Internet interface -> gateway via Squid
>   else -> gateway per the packet destination IP.
>
> Amos
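Added example, not part of the thread and not Amos's or Tal's configuration: a Cisco IOS policy-based-routing fragment that implements the "client traffic -> next hop via Squid, everything else -> normal routing" rule Amos describes. All interface names, addresses and subnets below are hypothetical placeholders. Two points a practitioner wants here: the Squid host's own address is excluded from the match so its upstream fetches are not policy-routed back to itself (an instant loop), and the policy is applied on every interface where client traffic enters the router, including the link towards a downstream router, because PBR only acts on packets arriving on an interface that carries the policy. The example assumes plain interception (Squid connects upstream from its own address), so replies come back to Squid through the ordinary routing table; if Squid spoofs client addresses (TPROXY-style), the reverse policy on the Internet interface that Amos mentions is needed as well.

```cisco
! Hypothetical addressing (assumed for this example, not from the thread):
!   Gi0/0  192.0.2.1/24   Internet-facing uplink
!   Gi0/1  10.10.0.1/24   directly connected client LAN (Squid lives here)
!   Gi0/2  10.0.0.1/30    link to a downstream router serving 10.20.0.0/16
!   10.10.0.50            Squid host
!
! Match only client web traffic. Squid's own address is denied first so its
! outbound fetches are never policy-routed back to it (that would loop).
ip access-list extended CLIENT-TO-WEB
 deny   tcp host 10.10.0.50 any
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.20.0.0 0.0.255.255 any eq 80
!
! Matched packets go to Squid; unmatched packets fall through to the
! routing table ("else -> gateway per the packet destination IP").
! "set ip next-hop" needs Squid on a segment directly connected to this router.
route-map TO-SQUID permit 10
 match ip address CLIENT-TO-WEB
 set ip next-hop 10.10.0.50
!
! Apply on every ingress interface that carries client traffic, not just the
! directly connected LAN: packets from 10.20.0.0/16 arrive on Gi0/2.
interface GigabitEthernet0/1
 ip policy route-map TO-SQUID
!
interface GigabitEthernet0/2
 description towards the downstream router in front of 10.20.0.0/16
 ip policy route-map TO-SQUID
```

On the Squid host the redirected packets still arrive addressed to the origin server, so Squid must listen with an intercept port (for example `http_port 3129 intercept`) and the host needs an iptables NAT rule such as `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129`; both are standard Squid interception settings, shown here as an assumption about the Linux side rather than as the poster's configuration. Before relying on the policy in production, check that a Squid outage does not black-hole the camp: IOS can verify the next hop's availability (`set ip next-hop verify-availability`, tied to a tracked object) and fall back to normal routing when Squid stops answering.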