I'm trying to create a WCCP connection between my Squid server (on 10.9.10.10 - inside LAN) and my ASA 5510 (inside: 10.9.254.1 - outside 201.234.x.x). The WCCP/GRE tunnel works perfectly, they see each other, and I've seen I_See_You and Here_I_Am packets. The problem is that when the ASA gets the packet, it redirects alright to the Squid but with the wrong ID, because it's using its outside IP, which cannot be reached from inside.
I found out that the Router ID is created using the higher IP configured. I tried unassigning IP addresses on every interface except inside, creating WCCP web-cache, and it does work, but the moment I assign the rest of the interfaces IPs it takes the outside IP as ID again.
Is there any way that this Router ID can be changed manually?
Unfortunately the ID cannot be changed. It will always pick the high one.
You need to have the engine support it and have a route back to it through the ASA.
I hope it helps.
"show wccp" statistics will show you redirect counters and if the engine is built properly.
If those look ok it is probably working.
Of course check if pages that the engine is set to block are actually blocked.
Everything seems to be working in the ASA, but I can't get to any page. Not even Google, and there's no blocking there.
AR01-ASA01# sh wccp
Global WCCP information:
Router Identifier: 201.234.XX.XXX
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 857
Redirect access-list: SquidGRE
Total Connections Denied Redirect: 0
Total Packets Unassigned: 1
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Probably the problem is with the router ID.
The HELLOs are exchanged, but probably the engine is rejecting the WCCP GRE packets from the router ID.
Also, the WCCP engine should be able to talk directly to the host that is browsing; you need to ensure that is allowed also.
I hope it helps.
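Added example, not part of any post in this thread: a Python check over `sh wccp` output of the kind posted above that flags a Router Identifier the cache engine cannot route to, along with the counters the replies say to look at. The 10.9.0.0/16 inside range and the 203.0.113.7 router ID (standing in for the masked outside address) are assumptions.

```python
import ipaddress

# Constructed sample in the layout of the "sh wccp" output posted above.
# 203.0.113.7 is a documentation address standing in for the masked outside IP.
SAMPLE = """\
Global WCCP information:
Router Identifier: 203.0.113.7
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 857
Redirect access-list: SquidGRE
Total Packets Unassigned: 1
Total Authentication failures: 0
"""

def parse_show_wccp(text):
    """Collect 'Label: value' lines into a dict; lines without a value are skipped."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return fields

def check_wccp(text, inside_nets):
    """Return findings; inside_nets are the networks the cache engine can route to."""
    f = parse_show_wccp(text)
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    try:
        rid = ipaddress.ip_address(f.get("Router Identifier", ""))
        if not any(rid in n for n in nets):
            findings.append(f"router ID {rid} is not in a network the cache can reach")
    except ValueError:
        findings.append("router ID missing or masked, cannot check reachability")
    if int(f.get("Number of Cache Engines", 0)) == 0:
        findings.append("no cache engine registered")
    if int(f.get("Total Packets Redirected", 0)) == 0:
        findings.append("no packets redirected")
    if int(f.get("Total Authentication failures", 0)) > 0:
        findings.append("WCCP authentication failures")
    return findings

if __name__ == "__main__":
    # Assumption: 10.9.0.0/16 covers the inside LAN (Squid 10.9.10.10, ASA 10.9.254.1).
    for finding in check_wccp(SAMPLE, ["10.9.0.0/16"]):
        print(finding)
```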
Ok, first of all, thanks for replying every time. I really appreciate it.
So, probably I should configure the Squid WCCP server so it matches the Router ID in the ASA. But the problem is that I can't get to the public IP since the ASA won't let me go through. How can I make it work?
Change your routing so that the traffic destined to the routing id hits the ASA inside.
I don't think that is your problem now. I believe that Squid ignores that router ID.
Ok, I'm starting to feel like a newbie.
How can I add a route like that? And where?
Squid is connected to Layer 3 switch Cisco 3560, which is connected to ASA.
Where should I add a route? And how? ip route xxx xx xx xx?