On 18/05/11 01:50, bmm-mailinglist wrote:
> A little kick here if you don't mind, as there were no more replies so far.
>
> I have unfortunately not been able to get my setup to work. Any suggestions, as before, are welcome.
>
> Regards,
>
> Bart
>
>>>> "bmm-mailinglist" 26-4-2011 9:31>>>
> I'm sorry for the delay; I had a bad case of Easter holidays.
>
> The network setup is as such; the ASA is in the network management VLAN, the Squid proxy is in the server VLAN.
> The VLANs are routed on a Cisco 3750, on the ASA's inside interface.
> Is this a problem? I tried looking for information on that earlier, but could not find any.
>
> Mr. Ritter, I assume you meant to say that the ASA can only deal with switched networks in doing WCCP? That would explain why it wouldn't work.
> It would also be most inconvenient and strange for Cisco to make it that way, as the ASA is really just a router with more focus on security.
>
Cisco "switches" only do L2 switching. Cisco "routers" only do GRE
tunnel packet routing. Some of their products run the fine line between
the two states. Either way, Squid currently still needs to be configured
explicitly with one or the other to respond correctly.
This covers what we know of ASA:
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2
It seems to match your config details.
I note your iptables PREROUTING rule does not specify which NIC the
packets are to be intercepted from. That is okay, but you will need to
add a "RETURN" rule before it to exclude packets generated by Squid from
being looped back in.
This forwarding loop may be the problem. Things will not show up in
access.log for a looong time if loops are allowed to happen. Make sure
that the directive "via" is turned ON to catch them.
> In any case, thanks for the replies.
>
> Regards,
>
> Bart
>
>
>>>> Eliezer Croitoru 22-4-2011 15:31>>>
> What is your network setup?
>
> What is the position of each device related to the other on the network?
>
> both of them on the same network?
>
>
> Eliezer
>
>
>
>
> On 22/04/2011 11:43, bmm-mailinglist wrote:
>
>> Hi all,
>>
>> I am a new Squid user. I like Squid's ease of setup and use. Unfortunately, I've hit a snag.
>> For the past week or so, I have been trying to get a transparent caching proxy going between our Cisco ASA 5510 firewall (with 8.3(2) software) and a fresh Squid 3 install on an Ubuntu 10.04 LTS (default squid3 package from Ubuntu repo).
>>
>> So far I have been unsuccessful.
>> The caching proxy bit works just fine. If I manually point my browser to the Squid machine to use as a proxy, it works just as it should.
>> I can't get the redirect working, though. Packets redirected by the ASA just seem to get dropped somewhere along the line.
>> I have followed the directions stated in http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#WCCP_-_Web_Cache_Coordination_Protocol. This setup did not work.
>> After trying anything I could think of myself (and not being an expert at this, that wasn't a whole lot), I've taken to the mailing list archives.
>> There, I found this thread: http://www.squid-cache.org/mail-archive/squid-users/201103/0284.html, which is similar to my situation.
>> I also followed the directions mentioned there, but unfortunately that did not solve my problem either.
>>
>> In any case, the situation right now is as follows:
>>
>> The ASA is set up for WCCP, seemingly correctly (although ASA documentation on WCCP is less than stellar).
>> It has recognized the Squid cache, is receiving Squid's Here I Am packets and is returning I See Yous.
>> According to the counter, it is also forwarding packets to Squid when I activate the rule.
>>
>> I've set a logging rule on the prerouting table in iptables. It shows packets are coming in. So far so good.
>> I've also set a logging rule on the postrouting, output and forward tables, but nothing seems to be leaving the Squid machine, other than the hello packets to the ASA every 10 seconds.
>> Setting log_access to either allow or deny also does not create any entries in the access.log file. It seems, therefore, that the packets never reach that stage.
>>
>> I'm kind of out of ideas at this point. Can someone point me in the right direction to start shooting at trouble again?
>>
>> Some relevant config:
>>
>> ASA
>>
>> wccp web-cache redirect-list proxy group-list wccp-acl password *****
>> wccp interface inside web-cache redirect in
>>
>> access-list proxy extended permit tcp 10.0.0.0 255.0.0.0 any eq www inactive
>> access-list wccp-acl extended permit ip host 10.1.7.5 any
>>
>>
>> Squid:
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> icp_access deny all
>> htcp_access deny all
>> http_port 3128 transparent
>> hierarchy_stoplist cgi-bin ?
>> cache_dir ufs /var/squid/cache 184320 16 256
>> access_log /var/log/squid3/access.log squid
>>
>> wccp2_router 10.1.0.254
>> wccp2_forwarding_method 1
>> wccp2_return_method 1
>> wccp2_assignment_method 1
>> wccp2_service standard 0 password=squid
>> wccp2_address 0.0.0.0
>>
>>
>> iptables:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> LOG all -- anywhere anywhere LOG level warning prefix `pre'
>> REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target prot opt source destination
>> LOG all -- anywhere anywhere LOG level warning prefix `post'
>> MASQUERADE all -- anywhere anywhere
>>
>>
>> So again, any pointers would be most welcome. Should you need more config info, don't hesitate to ask.
>> Thanks in advance.
>>
>> Regards,
>>
>> Bart
>>
>
>
>
>
>
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Wed May 25 2011 - 09:14:41 MDT
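As an added illustration of the forwarding-loop point made in the reply above (this is example code written for this archive page, not Amos's script and not the squid wiki's), the following prints the GRE tunnel and nat commands for a Linux WCCPv2 intercept host with the RETURN rule placed ahead of REDIRECT, and includes a small check that can be run over an existing `iptables -t nat -S` or `iptables -L` listing to confirm the order. Everything below is an assumption or placeholder: the addresses are copied from the thread's own config (10.1.7.5 for the Squid host, 10.1.0.254 for the ASA), while `eth0` and the tunnel name `wccp0` are invented here.

```shell
#!/bin/sh
# Added example for this thread, not the project's own script.
# It prints (does not execute) the commands for a Linux WCCPv2 GRE intercept
# host, with the RETURN rule ahead of REDIRECT so that requests Squid itself
# sends out, which the ASA redirects straight back to the cache, are not
# intercepted a second time (the forwarding loop described in the reply).
# All values are assumptions/placeholders; adjust them to your own network.
SQUID_IP="${SQUID_IP:-10.1.7.5}"       # Squid host (host in the ASA's wccp-acl)
ASA_IP="${ASA_IP:-10.1.0.254}"         # wccp2_router from squid.conf
SQUID_PORT="${SQUID_PORT:-3128}"       # http_port ... transparent
LAN_IF="${LAN_IF:-eth0}"               # hypothetical NIC facing the ASA
GRE_IF="${GRE_IF:-wccp0}"              # hypothetical name for the GRE tunnel

# GRE tunnel that receives the redirected packets from the ASA
# (wccp2_forwarding_method 1 = GRE).  rp_filter is disabled on the tunnel
# because the redirected packets carry client source addresses the kernel
# would otherwise drop as arriving on the "wrong" interface.
wccp_gre_setup() {
  cat <<EOF
modprobe ip_gre
ip tunnel add ${GRE_IF} mode gre remote ${ASA_IP} local ${SQUID_IP} dev ${LAN_IF}
ip addr add ${SQUID_IP}/32 dev ${GRE_IF}
ip link set ${GRE_IF} up
sysctl -w net.ipv4.conf.${GRE_IF}.rp_filter=0
EOF
}

# nat PREROUTING rules, in the order they must be appended.  The RETURN
# rule matches traffic whose source is the Squid box itself, i.e. Squid's
# own upstream requests looped back by the ASA; everything else arriving
# over the tunnel on port 80 is redirected to the transparent http_port.
wccp_nat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -s ${SQUID_IP} -p tcp --dport 80 -j RETURN
iptables -t nat -A PREROUTING -i ${GRE_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${SQUID_PORT}
EOF
}

# Check an existing rule listing read from stdin (either "iptables -S" style
# with "-j TARGET" or "iptables -L" style with the target first on the line):
# exit 0 if a RETURN rule precedes the first REDIRECT rule, 1 otherwise.
# Usage:  iptables -t nat -S PREROUTING | check_return_before_redirect
check_return_before_redirect() {
  awk '
    /(^|-j[ \t]+)RETURN([ \t]|$)/   && !ret   { ret   = NR }
    /(^|-j[ \t]+)REDIRECT([ \t]|$)/ && !redir { redir = NR }
    END { exit !(ret && redir && ret < redir) }
  '
}
```

Run against the PREROUTING listing quoted in the original post (LOG followed directly by REDIRECT, no RETURN), the check exits non-zero, which is exactly the configuration the reply warns about; run against the output of `wccp_nat_rules` it exits zero.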
This archive was generated by hypermail 2.2.0 : Wed May 25 2011 - 12:00:03 MDT