ASA w WCCP redirecting to Squid on CentOS- TCP re-transmissions

Dennis Topo Jr
Level 1

Hello all... hoping somebody can help me here. Having a bear of a time getting WCCP redirection working for HTTP clients using Squid on CentOS as a proxy and an ASA as my firewall device. I've followed 10 or so articles to no avail. This one here seems concise enough and I followed it verbatim, except for the iptables -t nat -A POSTROUTING -j MASQUERADE line at the end... I did not see that anywhere else and read that it can cause issues with firewalls.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2#Cisco_ASA

I have connectivity throughout the network. Squid is working and works fine if I point my browsers to it; clients can get out. But I just can't get the transparent redirect/intercept to work with WCCP.

I've attached a screenshot of a Wireshark capture at the eth0 of the Squid box. When requesting a website from a Windows client (novell.com, for example) I get a TCP packet from the ASA to the proxy as it should, with the WCCP/GRE packet with the web request inside. After that it's a TCP out-of-order packet followed by a slew of TCP retransmits from the requesting client to the web site, with every other packet having the WCCP/GRE header.

I could certainly post my pertinent configs but I think they are solid as per the above article and all else I've researched.

Here's the basic topology:

ASA- inside- (also my WCCP ID)- 192.168.10.5

Squid proxy (3128)- 192.168.1.19 with a GRE interface (wccp0) redirecting to port 3129

Windows client- 192.168.1.2

Cisco Adaptive Security Appliance Software Version 8.4(2)

Squid version 3.4

CentOS 6.5

Any help is appreciated. Would love to get this to work! Dennis

1 Reply

Dennis Topo Jr
Level 1

Did some more captures and found that my redirects were not getting decapsulated on the Squid box. It was my iptables line in CentOS.

Needed to use the DNAT target, as below, NOT REDIRECT, as you may see in other posts.

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.19:3129

Blogged my setup too, for those interested:

http://techjuice.blogspot.com/2014/03/cisco-asa-with-wccp-redirect-to-squid.html

Dennis
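An added, editor-supplied example (not code from the original post, the linked blog, or the Squid wiki): a shell script that assembles the Squid-side pieces the thread describes, using the thread's own addresses (ASA inside/WCCP router 192.168.10.5, Squid 192.168.1.19, GRE interface wccp0, intercept port 3129) and the DNAT rule the reply settled on. The LAN interface name eth0, the rp_filter setting, and the squid.conf directives are assumptions added here, as is the classify_nat_rule check; it deliberately contains no POSTROUTING MASQUERADE rule. The script prints what it would do with `show` and only executes it with `apply` run as root.

```shell
#!/bin/sh
# Added example: Squid-side setup for WCCPv2 GRE redirection from a Cisco ASA.
# Addresses come from the thread; eth0, the rp_filter step and the squid.conf
# directives are assumptions, not something the original post states.

ASA_IP="192.168.10.5"        # ASA inside interface, also the WCCP router ID
SQUID_IP="192.168.1.19"      # Squid box
LAN_IF="eth0"                # assumed name of the Squid box's LAN interface
GRE_IF="wccp0"               # GRE tunnel the ASA's redirected packets arrive on
INTERCEPT_PORT="3129"        # Squid's intercept port (3128 stays the explicit proxy port)

# Commands that create the GRE decapsulation interface. Emitted as text so they
# can be reviewed before being run as root. Decapsulated packets leave wccp0
# with the client's source IP, whose return route is via eth0, so strict
# reverse-path filtering would silently drop them (assumed pitfall, hence rp_filter=0).
gre_setup_cmds() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $GRE_IF mode gre remote $ASA_IP local $SQUID_IP dev $LAN_IF
ip addr add $SQUID_IP/32 dev $GRE_IF
ip link set $GRE_IF up
sysctl -w net.ipv4.conf.$GRE_IF.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
EOF
}

# Build the PREROUTING DNAT rule from the reply:
# $1 = ingress interface, $2 = original dport, $3 = target IP, $4 = target port.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$1" "$2" "$3" "$4"
}

# Classify one rule line as printed by `iptables-save -t nat`: prints DNAT,
# REDIRECT or OTHER, so a box can be checked for the REDIRECT variant the
# reply says did not decapsulate/redirect correctly for the poster.
classify_nat_rule() {
    case "$1" in
        *"-i $GRE_IF "*"-j DNAT"*)     echo DNAT ;;
        *"-i $GRE_IF "*"-j REDIRECT"*) echo REDIRECT ;;
        *)                             echo OTHER ;;
    esac
}

# squid.conf fragment for the WCCPv2 side (assumed; ASA supports GRE forwarding
# and the standard web-cache service 0).
squid_conf_snippet() {
    cat <<EOF
http_port 3128
http_port $INTERCEPT_PORT intercept
wccp2_router $ASA_IP
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
EOF
}

# With no argument the script only defines the functions above.
case "${1:-}" in
    apply)
        gre_setup_cmds | sh -e
        dnat_rule "$GRE_IF" 80 "$SQUID_IP" "$INTERCEPT_PORT" | sh -e
        ;;
    show)
        gre_setup_cmds
        dnat_rule "$GRE_IF" 80 "$SQUID_IP" "$INTERCEPT_PORT"; echo
        echo "--- squid.conf ---"
        squid_conf_snippet
        ;;
esac
```

Run it as `sh wccp-squid.sh show` to review the commands, then `sudo sh wccp-squid.sh apply`. Sourced with no argument, it exposes classify_nat_rule, which can be run over each line of `iptables-save -t nat` to confirm the wccp0 rule is the DNAT form rather than REDIRECT; after applying, `tcpdump -ni wccp0 tcp port 80` should show decapsulated client traffic, which is what the poster's captures were missing.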