🔗 Cisco ASA and Squid with WCCP2

🔗 Very important passage from the Cisco-Manual

“The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.”

🔗 Cisco ASA

Bypass the Squid box from re-capture

 access-list wccp_redirect extended deny ip host $SQUID-IP any

Note: This shouldn’t be required, because the asa would build this rule itself, when adding the squid box.

… while capturing the local /24 network defined by “workstations”.

 access-list wccp_redirect extended permit tcp workstations 255.255.255.0 any eq www

Intercept everything not prevented by the bypass list:

 wccp web-cache redirect-list wccp_redirect password foo

 wccp interface internal web-cache redirect in

p.s.: you should deny other forwardings with iptables

🔗 Squid configuration for WCCP version 2

All the squid.conf options beginning with wccp2_* apply to WCCPv2 only

• wccp2_router
• wccp2_address
• wccp2_forwarding_method
• wccp2_return_method
• wccp2_assignment_method
• wccp2_service

🔗 Squid configuration

• $IP-OF-ROUTER is used below to represent the IP address of the router sending the WCCP traffic to Squid.

Squid-2.6 to Squid-3.0 require magic numbers…

http_port 3129 transparent
wccp2_router $IP-OF-ROUTER
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0 password=foo

• Squid-3.1 and later accept text names for the tunneling methods

  http_port 3129 intercept wccp2_router $IP-OF-ROUTER wccp2_forwarding_method gre wccp2_return_method gre wccp2_service standard 0 password=foo

🔗 Squid box OS configuration

modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ASA-EXT-IP local $SQUID-IP dev eth0

ifconfig wccp0 $SQUID-IP netmask 255.255.255.255 up

• disable rp_filter, or the packets will be silently discarded

  echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter

• enable ip-forwarding and redirect packets to squid

  echo 1 >/proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -i wccp0 -p tcp –dport 80 -j REDIRECT –to-port 3129 iptables -t nat -A POSTROUTING -j MASQUERADE

---

⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.

Categories: ConfigExample

Navigation: Site Search, Site Pages, Categories, 🔼 go up