Cisco ASA and Squid with WCCP2
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
Very important passage from the Cisco-Manual
"The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance."
Bypass the Squid box from re-capture
access-list wccp_redirect extended deny ip host $SQUID-IP any
Note: This should not be required, because the ASA builds this rule itself when the Squid box is added as a cache engine.
... while capturing the local /24 network defined by "workstations".
access-list wccp_redirect extended permit tcp workstations 255.255.255.0 any eq www
Intercept everything not prevented by the bypass list:
wccp web-cache redirect-list wccp_redirect password foo
wccp interface internal web-cache redirect in
P.S.: You should deny other forwarding with iptables.
Squid configuration for WCCP version 2
All the squid.conf options beginning with wccp2_* apply to WCCPv2 only.
$IP-OF-ROUTER is used below to represent the IP address of the router sending the WCCP traffic to Squid.
http_port 3129 transparent
wccp2_router $IP-OF-ROUTER
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0 password=foo
Squid-3.1 and later accept text names for the tunneling methods:
http_port 3129 intercept
wccp2_router $IP-OF-ROUTER
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=foo
Squid box OS configuration
modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ASA-EXT-IP local $SQUID-IP dev eth0
ifconfig wccp0 $SQUID-IP netmask 255.255.255.255 up
- disable rp_filter, or the packets will be silently discarded
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
- enable ip-forwarding and redirect packets to squid
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE