Akos,
You are right, ASA does not support any GRE tunnels.  But from what I
have read by googling "squid asa wccp", the tunnel is GRE on the
proxy server side, whereas the ASA is WCCP.  Like I mentioned, I do
see the ASA REDIRECTING the packets.  I see the redirected packets
appearing on the proxy server, but then I don't get any response back.
I think there could be some issue with an iptables rule, maybe.
-Parvinder Bhasin
On Jun 17, 2009, at 1:38 AM, Daniel, Akos wrote:
>
> Hi,
>
> ASA does not support any IPoverIP such as GRE. Which SW version do you
> have on the ASA?
> Once I tried WCCP and collected my info here:
> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>
> Regards,
> Akos
>
> -----Original Message-----
> From: Parvinder Bhasin [mailto:parvinder.bhasin_at_gmail.com]
> Sent: Wednesday, June 17, 2009 08:06
> To: Amos Jeffries
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid - WCCP and ASA
>
> Amos,
>
>  The tunnel is actually between the ASA and the WCCP-enabled squid.  All
> the examples on the squid-cache site, as well as googling this issue, point
> to creating a tunnel like this.  Are you saying I don't need a
> tunnel???  External IP???  The squid box has an internal interface and
> is not connected to the internet directly.  The squid box itself goes
> out the ASA and fetches the pages.  Basically it's NATed.
>
> -Parvinder Bhasin
>
> On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:
>
>> On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin
>> <parvinder.bhasin_at_gmail.com> wrote:
>>> I have a setup of squid, which was compiled with the --enable-delay-pools
>>> option.  Works really well, but without WCCP.
>>> I enabled WCCP support in the squid config and also enabled WCCP
>>> support on my ASA.  Set up a GRE tunnel etc.
>>> For my testing purposes I am only having ONE client IP go through
>>> WCCP.  The problem is I am able to see that client on the GRE1
>>> interface (the requests) of the proxy server, but that client is not
>>> getting any reply back.  Do I need anything in iptables to
>>> allow etc???  Do I need to compile with some transparent support??
>>> If so, which one would I use for ASA?
>>>
>>> Any help is highly appreciated.
>>>
>>>
>>> Here is part of my config:
>>>
>>> http_port 3128 transparent
>>>
>>> wccp2_router 192.168.100.250
>>> wccp_version 4
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_service standard 0
>>>
>>> Additionally here is what I did to setup tunnel:
>>>
>>> modprobe ip_gre
>>> iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
>>> ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up
>>>
>>
>> IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for
>> traffic internal to the box.
>> If WCCP is going on a tunnel it will likely need an externally visible IP
>> for the router to send to.
>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>>> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
>>>
>>> iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> I do see the RX counter going up but not the TX on gre1:
>>>
>>> gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
>>>          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
>>>          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
>>>          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:0
>>>          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)
>>>
>>> Here is tcpdump output:
>>>
>>> [root_at_squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
>>> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>>> 14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 <mss 1460,sackOK,eol>
>>> 14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
>>> 14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113295 0,sackOK,eol>
>>> 14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113302 0,sackOK,eol>
>>> 14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113304 0,sackOK,eol>
>>> 14:13:49.820922 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113312 0,sackOK,eol>
>>> 14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113314 0,sackOK,eol>
>
Received on Wed Jun 17 2009 - 09:48:56 MDT
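
The capture quoted in the thread shows the same SYN (same client port, same sequence number) arriving several times, which is what a client that never receives a SYN-ACK looks like on the wire. The following is an added example, not part of the original thread: a Python parser for tcpdump text output in that layout which lists flows whose SYN was retransmitted and never answered. The sample lines are constructed with documentation addresses, and the names `stalled_handshakes` and `SAMPLE` are hypothetical.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line (same layout as the capture quoted in the thread):
#   HH:MM:SS.usec IP src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win ...
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flags>[A-Z.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)?"
)

def stalled_handshakes(lines):
    """Return {flow: syn_count} for flows whose SYN was retransmitted
    (same sequence number seen more than once) and never answered."""
    syns = defaultdict(int)   # (src, sport, dst, dport, seq) -> times seen
    answered = set()          # client-side flows that received a SYN-ACK
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue          # unparseable line, or neither SYN nor SYN-ACK
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["ack"]:
            # A SYN-ACK travels server -> client: record the reversed flow.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
        else:
            syns[flow + (m["seq"],)] += 1
    return {key[:4]: count for key, count in syns.items()
            if count > 1 and key[:4] not in answered}

# Constructed sample (not from the thread): port 40001 retries three times
# with no answer, 40002 retries once and is answered, 40003 sends one SYN.
SAMPLE = """\
10:00:01.000000 IP 192.0.2.20.40001 > 198.51.100.10.http: S 1000:1000(0) win 65535 <mss 1460,sackOK,eol>
10:00:02.000000 IP 192.0.2.20.40001 > 198.51.100.10.http: S 1000:1000(0) win 65535 <mss 1460,sackOK,eol>
10:00:04.000000 IP 192.0.2.20.40001 > 198.51.100.10.http: S 1000:1000(0) win 65535 <mss 1460,sackOK,eol>
10:00:05.000000 IP 192.0.2.20.40002 > 198.51.100.10.http: S 2000:2000(0) win 65535 <mss 1460,sackOK,eol>
10:00:06.000000 IP 192.0.2.20.40002 > 198.51.100.10.http: S 2000:2000(0) win 65535 <mss 1460,sackOK,eol>
10:00:06.010000 IP 198.51.100.10.http > 192.0.2.20.40002: S 9000:9000(0) ack 2001 win 5840 <mss 1460>
10:00:07.000000 IP 192.0.2.20.40003 > 198.51.100.10.http: S 3000:3000(0) win 65535 <mss 1460,sackOK,eol>
""".splitlines()

if __name__ == "__main__":
    for flow, count in stalled_handshakes(SAMPLE).items():
        print("%s.%s > %s.%s: %d unanswered SYNs" % (flow + (count,)))
```

A SYN-ACK can only clear a flow if the capture includes the interface the replies leave on; a capture of the tunnel interface alone will list every retried connection.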