Hi, I have two questions here. I have the topology below:

<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661995/f5vnD.jpg>

As we see in the image above, I've posted the Cisco WCCP config, and I'm assuming the config from Squid is fine.

Now assume I have client x with IP 1.2.3.4 that wants to go to the internet, and it is the only user in my topology that wants to go to the internet, so my ACLs on the router will be:

===================================
ip access-list ex xxx
permit tcp host 1.2.3.4 any eq 80
ip access-list ex yyy
permit tcp 80 any 1.2.3.4
======================================

Question #1

I'm talking about the ACL yyy. I found that if I configured the ACL yyy as:

permit ip any 1.2.3.4

it will also let WCCP work fine with the router and Squid, but here I have a question:

The 1st ACL of yyy says that only www traffic that passed through Squid will be returned back to Squid when it comes from the internet, but the 2nd ACL of yyy says that all other traffic will come back to Squid, which in my view is not fine.

I mean that with the 2nd ACL, the https, pop3, ftp, etc. >>>> will pass into Squid when traffic comes back from the internet, because it was matched by ACL yyy, which has the service 90 that is responsible for returning traffic from the internet to Squid.

So, I find that www traffic will be redirected to Squid when matched by service 80, and all other traffic of user 1.2.3.4 will pass into Squid when it returns back from the internet when matched by service 90.

My question here: I want a discussion about this point. Am I right in what I discussed above? If not, please clarify.

=================================================================

Question #2

Sometimes I want some users to enter Squid for squidguard, not for caching, and don't want them to cache any objects. So, I try to let them match the service 80, then they will be redirected to Squid and be checked by squidguard, and I configure cache_deny for them. "So they will not pull from Squid."

But I don't want them to be matched by service 90, which will pump them into Squid when they come from the internet. So, what I do is just modify the Cisco ACLs as below, and assume we are on the same example of IP 1.2.3.4:

ip access-list extended xxx
permit tcp host 1.2.3.4 any eq 80
ip access-list extended yyy
deny tcp 80 any 1.2.3.4

As we see, I denied the traffic of service 90 from being redirected from the internet into Squid, but if I do that, the client 1.2.3.4 can no longer access the internet????!!!!!!! And there is a very small access.log in Squid. "Not sure about this point on access.log, as I remember."

I don't know why, when I block client x from service 90 and allow him in service 80, it can't access the internet. Do I miss something about tproxy and WCCP at this point???

But again, if I denied him from the service 80 ACL and let him be matched by the service 90 ACL, the client can access the internet but is not redirected into Squid.

I wish for this to be clarified, and wish to know how to let users only be checked by squidguard, and not cache any object and not pull any object from Squid.

Thanks a lot.

With my best regards

-----
Mr.Ahmad
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Question-in-WCCP-with-tproxy-with-cisco-ACLS-Optimization-tp4661995.html
Sent from the Squid - Users mailing list archive at Nabble.com.
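
An added example, not part of the original post, modelling the router's WCCP redirect decision for the ACLs quoted above. It assumes Squid announces service 80 as TCP to port 80 and service 90 as TCP from port 80 (the post does not show squid.conf); the server address and the port numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

CLIENT = "1.2.3.4"        # client from the post
SERVER = "203.0.113.10"   # constructed origin server address

# Assumed service definitions announced by Squid (the post's squid.conf is not
# shown): service 80 = TCP to port 80, service 90 = TCP from port 80.
SERVICES = {
    80: lambda p: p.proto == "tcp" and p.dport == 80,
    90: lambda p: p.proto == "tcp" and p.sport == 80,
}

# Redirect-lists from the post, modelled as predicates.
xxx = lambda p: p.proto == "tcp" and p.src == CLIENT and p.dport == 80
yyy_port80 = lambda p: p.proto == "tcp" and p.sport == 80 and p.dst == CLIENT
yyy_any_ip = lambda p: p.dst == CLIENT      # "permit ip any 1.2.3.4"
yyy_deny = lambda p: False                  # "deny tcp 80 any 1.2.3.4"

def redirected(pkt, lists):
    """Service id that sends pkt to Squid, or None if the router forwards it normally."""
    for sid, acl in lists.items():
        # Both the service definition and the redirect-list must match.
        if SERVICES[sid](pkt) and acl(pkt):
            return sid
    return None

def http_fetch(lists):
    """Follow one HTTP request from CLIENT and report how it ends."""
    syn = Packet("tcp", CLIENT, 40000, SERVER, 80)
    if redirected(syn, lists) != 80:
        return "not redirected"              # request never reaches Squid
    # TPROXY: Squid connects out with the client's IP but its own source port.
    reply = Packet("tcp", SERVER, 80, CLIENT, 51000)
    if redirected(reply, lists) == 90:
        return "via squid"                   # reply returns to Squid's socket
    return "broken"                          # reply reaches the client, which has no such connection

if __name__ == "__main__":
    for name, yyy in [("port80", yyy_port80), ("any_ip", yyy_any_ip), ("deny", yyy_deny)]:
        print(name, http_fetch({80: xxx, 90: yyy}))
```

Under that assumption, `permit ip any 1.2.3.4` on service 90 still redirects only replies from port 80, while denying service 90 leaves Squid's spoofed outbound connection without its replies.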