12-21-2010 05:29 AM - edited 03-11-2019 12:25 PM
Hi,
Right now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Can someone guide me the steps in getting all http and https traffic from ASA go via my squid? Any help greatly appreciated.
Thanks,
Ribin
12-21-2010 06:30 AM
The ASA can only redirect HTTP/HTTPS traffic to a Websense or Secure Computing SmartFilter (owned by McAfee). I had a client that used Squid for a proxy and they used a GPO or script to force a browser to use it.
12-21-2010 06:54 AM
I certainly believe that we can redirect traffic via Squid. I have seen some posts which do this using WCCP.
My current config is below:
access-list wccp-servers permit ip host 192.168.40.201 any
access-list wccp-traffic permit ip 192.168.40.0 255.255.255.0 any
wccp web-cache group-list wccp-servers redirect-list wccp-traffic
wccp interface Management web-cache redirect in
wccp interface inside web-cache redirect in
192.168.40.201 is my proxy server ip
But I think there is nothing happening in the ASA:
ASA(config)# sh wccp interfaces
WCCP interface configuration:
GigabitEthernet0/1
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Management0/0
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
ASA(config)# sh wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Any help?
- Ribin
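As an added aid (not part of the thread), a small checker that parses the "sh wccp" output pasted above and names the reason the ASA is not redirecting: in this output no cache engine has registered, so nothing else can work yet. The counters it looks at are the ones shown in the post; the sample text is a constructed copy of that output.

```python
# Added diagnostic helper (not from the thread): parses "sh wccp" output and
# reports why the ASA is not redirecting anything yet.

# Constructed sample: a copy of the "sh wccp" output pasted in the thread.
SAMPLE_SH_WCCP = """\
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
"""


def parse_sh_wccp(text):
    """Turn 'Key: value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def diagnose_wccp(fields):
    """Return findings explaining a non-redirecting ASA, most fundamental last."""
    findings = []
    if fields.get("Total Authentication failures", 0) > 0:
        findings.append("auth failures: WCCP password on squid does not match the ASA")
    if fields.get("Total Messages Denied to Group", 0) > 0:
        findings.append("messages denied to group: an engine is announcing itself "
                        "but the group-list ACL does not permit its source IP")
    if fields.get("Number of Cache Engines", 0) == 0:
        findings.append("no cache engine registered: squid never joined the web-cache "
                        "service group (is it reachable behind the redirect interface?)")
    elif fields.get("Total Packets Redirected", 0) == 0:
        findings.append("engine registered but 0 packets redirected: check the "
                        "redirect-list ACL and that 'redirect in' is on the hosts' interface")
    return findings
```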
12-21-2010 07:00 AM
Fair enough. Not having implemented WCCP on the ASA, I can't be of help with this. However, a quick Google search came up with this:
http://parvinderbhasin.blogspot.com/2009/06/squid-wccp-and-cisco-asa-setup.html
HTH
12-21-2010 07:04 AM
Yep... I did the configuration using the same URL. Thanks for your time.
Can someone see whether there is any issue with my WCCP configuration?
- Ribin
12-21-2010 03:25 PM
I see two redirect interfaces
wccp web-cache group-list wccp-servers redirect-list wccp-traffic
wccp interface Management web-cache redirect in
wccp interface inside web-cache redirect in
Where are your hosts browsing? Behind what interface?
Your hosts need to be behind the same interface as the WCCP engine; that is a requirement.
I hope it helps.
PK
12-21-2010 07:54 PM
All hosts are in 192.168.40.0/24 network and my proxy server is also in 40 n/w.
- Ribin
12-22-2010 05:42 AM
My scenario is like below:
Users (in 192.168.40.0/24 n/w) ------- Layer 3 switch(default g/w of all traffic is 192.168.30.1) ------------(192.168.30.8) ASA--------Internet
Management interface IP of ASA is 192.168.40.8 and inside interface IP is 192.168.30.8. Squid server is connected in Layer 3 switch with IP 192.168.40.201. All users are in 192.168.40.0/24 n/w.
- Ribin
12-22-2010 06:46 AM
Your hosts need to be behind the same interface as your squid. The squid needs to be able to send the pages to the hosts directly, not through the ASA.
To begin with I would try just the
wccp web-cache redirect-list wccp-traffic
wccp interface Management web-cache redirect in
Make sure the management interface has the command "no management-only".
Then see if the ASA redirects and if it sees the Squid ("sh wccp" commands).
I hope it helps.
PK
12-23-2010 03:31 AM
Hi,
My show wccp command output is below:
ASA(config)# sh wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
It seems nothing is happening. I did the "no management-only" command on my management interface.
- Ribin
01-05-2011 03:02 AM
Hey Ribin,
Use a route-map to route port 80 (internet) traffic to the Squid proxy server. Also you need to configure iptables on Squid accordingly (in case of a transparent proxy). Use the below configuration on your Cisco ASA (i.e. on your gateway). Check whether the route-map command is available on your ASA.
access-list 111 deny tcp any any neq www (create access list for port 80 traffic)
access-list 111 deny tcp host 192.168.100.1 any (192.168.100.1 - squid proxy)
access-list 111 permit tcp any any
route-map proxy-redirect permit 100
match ip address 111
set ip next-hop 192.168.100.1 (forward all port 80 traffic to squid- 192.168.100.1)
Cheers!!
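As an added illustration (not from the post or from Cisco), the following evaluates access-list 111 and the route-map from the post for a few flows, using the post's 192.168.100.1 Squid address. It makes two things visible that the configuration implies but does not spell out: only TCP/80 is sent to Squid (HTTPS on 443, which the original question also asked about, stays on the default path), and the deny for the Squid host's own traffic is what stops Squid's outbound fetches from being redirected back to itself.

```python
from ipaddress import ip_address

# Added example (not from the thread): evaluates the ACL/route-map from
# Santhosh's post to show which flows get the Squid next-hop.
SQUID = "192.168.100.1"  # squid address used in the post

# access-list 111, one tuple per line: (action, src, dst, port condition).
# Every entry in the post is "tcp", so non-TCP traffic never matches.
ACL_111 = [
    ("deny", "any", "any", ("neq", 80)),  # not port 80 -> leave on default path
    ("deny", SQUID, "any", None),         # squid's own traffic -> no redirect loop
    ("permit", "any", "any", None),       # remaining tcp/80 -> redirected
]


def _addr_match(spec, addr):
    """'any' matches everything; otherwise 'host <ip>' semantics."""
    return spec == "any" or ip_address(addr) == ip_address(spec)


def acl_action(acl, src, dst, dst_port, proto="tcp"):
    """Walk the ACL top-down, first match wins; unmatched traffic is implicitly denied."""
    if proto != "tcp":
        return "implicit-deny"
    for action, s, d, port_cond in acl:
        if not (_addr_match(s, src) and _addr_match(d, dst)):
            continue
        if port_cond is not None:
            op, port = port_cond
            if op == "neq" and dst_port == port:
                continue  # 'neq 80' does not match port 80; try the next entry
            if op == "eq" and dst_port != port:
                continue
        return action
    return "implicit-deny"


def pbr_next_hop(src, dst, dst_port, proto="tcp", default_gw="default-route"):
    """route-map proxy-redirect permit 100 / match ip address 111 / set ip next-hop SQUID.
    A permit in the ACL means the route-map clause matches and the next-hop is set;
    any deny (explicit or implicit) leaves the packet on normal routing."""
    if acl_action(ACL_111, src, dst, dst_port, proto) == "permit":
        return SQUID
    return default_gw
```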
01-05-2011 07:19 AM
Hi Santhosh,
Yes, the route-map command is available on my ASA. Can I do a similar configuration on my Layer 3 switch rather than on the ASA? My L3 switch has the IP Services IOS and supports route-map commands.
- Ribin
01-06-2011 02:23 AM
Hi Ribin,
Yes, you can use a route-map on your switch (but the switch needs to be the gateway for your network). I am using a route-map on my Cisco 3750 series switch with Squid, which is acting as the gateway for my network... Let me know if you have any issues.
Cheers!!!
01-06-2011 11:33 PM
I will give it a try today and let you know...
- Ribin
01-07-2011 12:45 AM
Hey Santhosh,
Just a final review before I try this. My scenario is like below:
Users (in 192.168.40.0/24 n/w) ------- Layer 3 switch with VLANs 40 and 30 (default g/w of all traffic is 192.168.30.1, which is the ASA's inside IP) ------------ (192.168.30.8) ASA -------- Internet.
Users and the proxy server (192.168.40.201) are in the same VLAN 40. Where do I need to apply the policy map? I hope it is on VLAN 40 in my Layer 3 switch, right?
- Ribin