WCCP with https redirection on ASA

Unanswered Question
May 18th, 2010

Hi All,

I have tried WCCP HTTP redirection on the firewall with a Squid server and it runs OK. Then I tried WCCP HTTPS redirection on the firewall, and it is not working; the request goes straight through the firewall. Does WCCP support HTTPS redirection, or is it only working for HTTP? Your answer will be appreciated.

Regards

pkampana Tue, 05/18/2010 - 09:50

It should work with https also.

Make sure your wccp service is configured for both port 80 and 443, or else the ASA will not redirect https.

The ASA will talk to the engine and agree on the ports supported on the service and then redirect.

I hope it helps.

PK

mrbzumrbzu Wed, 05/19/2010 - 01:07

Hi PK,

Thanks for the reply. Do I have to use the dynamic service numbers? Dynamic service numbers are from 0-254, so 443 isn't in the range.

I have created an access list for redirection of https traffic and applied it on web-cache, but it didn't work and the firewall passes this to the internet. Please help me to understand the service numbers and how to implement them. I would be very grateful.

Patricio,

PK is right, routing on your squid box will solve the problem. Add the router (firewall outside interface) pointing to the firewall inside interface IP.

Regards

mrbzumrbzu Wed, 05/19/2010 - 01:31

Hi PK,

I have found that service group 70 is for https, so I have configured it accordingly, but it's not working and I am not seeing any hits either.


Global WCCP information:
    Router information:
        Router Identifier:                   193.193.1.130
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            531
        Redirect access-list:                WCCP-http
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 5
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-ftp
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-https
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

mrbzumrbzu Wed, 05/19/2010 - 03:33

Hi,

After making a few changes on squid for WCCP, the ASA is now redirecting that traffic to squid, but squid is giving the error message "unsupported type". I will do some more investigation on this. Does anybody know what specific changes are required on squid to make this work? Squid is running in transparent mode.

regards

mrbzumrbzu Mon, 05/24/2010 - 08:43

Hi ,

Does anybody know whether WCCP works with squid for https traffic? I am finding it difficult to work with them and have failed to get a working setup. Neither have I found anything on the internet about this....

Regards

brquinn Mon, 05/24/2010 - 12:55

Greetings,

According to the main squid page, http is supported: "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and  more."

http://www.squid-cache.org/

There are a lot of good configuration examples on this site as well, but their ASA config example is not ideal.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

The config example on the page linked above uses a redirect-list ACL with the www port defined. This is incorrect because the ASA decides what services are sent to the web-cache server based on what is negotiated for that service with the server. This means two things. 1) You should define your redirect-list ACL with all IP traffic and let the negotiation with the squid wccp server. 2) You need a separate redirect service number for each service type: http, https, ftp, etc.

Corrected config:

! Configure hosts to be redirected, exempt the squid server

access-list wccp_redirect extended deny ip host $SQUID-IP any
access-list wccp_redirect extended permit ip WORKSTATIONS 255.255.255.0 any

! Define the default rule for http traffic
wccp web-cache redirect-list wccp_redirect password foo

! Additional rule for https traffic where 70 corresponds with the service # on the squid server

wccp 70 redirect-list wccp_redirect password foo

! Apply both rules to the inside interface

wccp interface inside web-cache redirect in
wccp interface inside  70 redirect in

I hope this helps.

Thanks,

Brendan

teater Fri, 06/04/2010 - 13:28

Would this work for VPN users terminating in the ASA, either as clients or LAN-LAN tunnels? It does appear it wouldn't, since the VPN users would not be on the same interface as the squid box.

contik@biker.ru Tue, 06/08/2010 - 20:50

I have a PIX 515.

I did exactly what you have written, but HTTPS traffic is still going directly through the PIX to the internet, without the proxy.

With HTTP traffic all is OK. I see it on my squid proxy.

If I set a proxy for HTTPS in Internet Explorer manually, https goes through squid.

Is the PIX able to route HTTPS/FTP via WCCP ?

Thank you!

pkampana Wed, 06/09/2010 - 05:33

What version is the PIX running?

HTTP should work as long as the squid service supports https.

PK

contik@biker.ru Wed, 06/09/2010 - 06:18

Oops, sorry for the incomplete information about the PIX.

PIX515E with OS PIX 8.04

With HTTP there is no problem! Everything goes through the GRE tunnel to the SQUID proxy.

But HTTPS or FTP (for example) go DIRECTLY through the PIX, without any proxy, and when I look at tcpdump there is no activity on the squid server when I go to https sites.

=(

mbilgrav Wed, 11/02/2011 - 12:39

I ran into the same issue, i.e. the ASA did not redirect 443 traffic.

What did you do on the squid in order to tell the ASA that 443 is working??

priceminister_e... Fri, 06/29/2012 - 09:34

Hello

With this, http AND https are redirected to squid:

http_port 192.168.255.253:3129 intercept

wccp2_router 192.168.255.254

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=XXXXX

wccp2_service dynamic 70 password=XXXXX

wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

But I get an SSL error ....

I don't see a "CONNECT" request in the squid log.

If I set https_proxy to squid on my client, it's OK, but not in WCCP/redirect mode

I have Squid for Debian 6

pkampana Fri, 06/04/2010 - 14:49

You are right, it will not work, for the reason that you mentioned.

PK

teater Sat, 06/05/2010 - 11:13

I will be looking into using the VPN Tunnel Default Gateway feature as discussed here: https://cisco-support.hosted.jivesoftware.com/thread/2011160

I should be able to set an internal layer 3 switch as the Tunnel Default Gateway and have all VPN traffic go inside, then be routed back out and subjected to the web filter (either inline or WCCP). I'll post my result in a few weeks.

pkampana Wed, 06/09/2010 - 06:32

It should work fine.

Make sure the squid service that the PIX is using has the https and ftp ports in it.

PK

contik@biker.ru Wed, 06/09/2010 - 07:01

ok, here is what PIX respond:

pix# show wccp

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   1
        Total Packets Unassigned:            68
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

and some strings from squid.conf:

wccp2_router 123.45.67.89

wccp2_service standard 0
wccp2_service dynamic 70

wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443

brquinn Wed, 06/09/2010 - 07:17

and some strings from squid.conf:

wccp2_router 123.45.67.89

wccp2_service standard 0
wccp2_service dynamic 70

wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443

The ASA is recognizing the squid server for service 70, but not redirecting anything. I'm not sure if this is the only problem, but I do see one mistake in your squid config.

The format is:

  wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>.. priority=<priority> ports=<port>,<port>..

You are missing the "S" in "ports=443".

Thanks,

Brendan

pkampana Wed, 06/09/2010 - 07:30

Is the https traffic hitting the web-cache service redirect ACL?

If it is matching on this one, then it will not move on to service 70.

PK
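Added example, not from this thread or from Cisco or Squid: a small Python check that parses `show wccp` output of the shape pasted above and cross-checks it against the squid.conf lines, flagging a service group with no registered cache engine, one that is registered but has redirected nothing, and the `port=` versus `ports=` typo brquinn pointed out. The sample output and config fragment are constructed to mirror this thread; the field names are taken from the pasted output.

```python
import re

# Constructed sample, modelled on the `show wccp` output pasted in this thread.
SAMPLE_SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect

    Service Identifier: 70
        Number of Cache Engines:             1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
"""

# Constructed squid.conf fragment carrying the typo discussed in the thread.
SAMPLE_SQUID_CONF = """\
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443
"""

def parse_show_wccp(text):
    """Return {service_id: {field: value}} for every 'Service Identifier' block."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*([A-Za-z -]+?):\s+(\S.*)$", line)
        if m and current is not None:  # skip the Router information header
            current[m.group(1).strip()] = m.group(2).strip()
    return services

def diagnose(services, squid_conf):
    """Cross-check firewall state against squid.conf; return a list of findings."""
    findings = []
    for sid, f in services.items():
        if f.get("Number of Cache Engines", "0") == "0":
            findings.append(f"service {sid}: no cache engine registered, squid is not announcing it")
        elif f.get("Total Packets Redirected", "0") == "0":
            findings.append(f"service {sid}: engine registered but nothing redirected, check the redirect ACL and ports")
    for line in squid_conf.splitlines():
        if line.startswith("wccp2_service_info") and re.search(r"\bport=", line):
            findings.append(f"squid service {line.split()[1]}: uses 'port=' where squid expects 'ports='")
    return findings
```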
