ASA-WCCP-SQUID

rodrigo.maureira · ‎11-19-2008

Hi, I'm trying to get WCCP working between ASA and SQUID.

Everything seems to be well done, both ASA configs and SQUID configs but my clients are no able to get http internet access through ASA-WCCP-SQUID, instead of internet browsing my clients are getting an ICMP port unreachable message from SQUID.

Please let me to know if you find something unusual or if you would like to share some useful information about it.

The following lines are my configs a show commands output:

WCCP ASA CONFIG

!

wccp web-cache redirect-list proxy-traffic group-list proxy-servers

wccp interface inside web-cache redirect in

!

access-list proxy-traffic extended permit tcp object-group proxy-users any object-group proxy-services

!

access-list proxy-servers extended permit ip host 172.30.0.10 any

!

object-group network proxy-users

network-object host 172.30.0.110

network-object host 172.30.0.180

!

object-group service proxy-services tcp

port-object eq www

!

WCCP SHOW COMMANDS

fwsnseba# sh wccp

Global WCCP information:

Router information:

Router Identifier: 200.1.1.1

Protocol Version: 2.0

Service Identifier: web-cache

Number of Cache Engines: 1

Number of routers: 1

Total Packets Redirected: 14335

Redirect access-list: proxy-traffic

Total Connections Denied Redirect: 0

Total Packets Unassigned: 87

Group access-list: proxy-servers

Total Messages Denied to Group: 0

Total Authentication failures: 0

Total Bypassed Packets Received: 0

fwsnseba# sh wccp interfaces detail

WCCP interface configuration details:

GigabitEthernet0/1

Output services: 0

Input services: 1

Static: Web-cache

Dynamic: None

Mcast services: 0

Exclude In: FALSE

fwsnseba# sh wccp web-cache detail

WCCP Cache-Engine information:

Web Cache ID: 172.30.0.10

Protocol Version: 2.0

State: Usable

Initial Hash Info: 00000000000000000000000000000000

00000000000000000000000000000000

Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Hash Allotment: 256 (100.00%)

Packets Redirected: 14335

Connect Time: 01:43:41

fwsnseba#

WCCP ACLs MATCH

fwsnseba# sh access-list proxy-traffic

access-list proxy-traffic; 2 elements

access-list proxy-traffic line 1 extended permit tcp object-group proxy-users any object-group proxy-services 0xd2d97eca

access-list proxy-traffic line 1 extended permit tcp host 172.30.0.110 any eq www (hitcnt=4020) 0x8bbf4c3b

access-list proxy-traffic line 1 extended permit tcp host 172.30.0.180 any eq www (hitcnt=9889) 0xa0dab691

!

fwsnseba# sh access-list proxy-servers

access-list proxy-servers; 1 elements

access-list proxy-servers line 1 extended permit ip host 172.30.0.10 any (hitcnt=20277) 0x0289453e

fwsnseba#

ASA IP ADDRESSING

fwsnseba# sh ip address

Current IP Addresses:

Interface Name IP address Subnet mask Method

GigabitEthernet0/0 outside 200.1.1.1 255.255.255.248 CONFIG

GigabitEthernet0/1 inside 172.30.0.120 255.255.255.0 CONFIG

WCCP SQUID CONFIG

[root@srv-squidwccp ~]# grep ^wccp /etc/squid/squid.conf

wccp2_router 172.30.0.120

wccp_version 4

wccp2_forwarding_method 1

wccp2_return_method 1

wccp2_service standard 0

[root@srv-squidwccp ~]# grep ^http_port /etc/squid/squid.conf

http_port 172.30.0.10:3128 transparent

http_port 172.30.0.10:80 transparent

CentOS5 Kernel 2.6.18-92.1.17.el5

The IPTables is turned off.

drolemc · ‎11-26-2008

Web filtering would block traffic between the Firewall and the Squid, perhaps it is not, perhaps it is blocking the traffic from the Squid to the client which is actually port 80.

rodrigo.maureira · ‎11-27-2008

Thanks for your help but i don't understand your comment, please could you explain it in another way... Thanks once again.