Cisco Support Community
New Member

WCCP with https redirection on ASA

Hi All,

I have tried WCCP http redirection on the firewall with a squid server and it runs OK. Then I tried WCCP https redirection on the firewall, and it's not working: the request goes straight through the firewall. Does WCCP support https redirection, or does it only work for http? Your answer will be appreciated.

Regards

  • Firewalling
26 REPLIES
New Member

Re: WCCP with https redirection on ASA

Were you able to make it work? Maybe you can help me.

https://supportforums.cisco.com/message/3074818#3074818

I'm sorry, I don't have an answer to your question.

Cisco Employee

Re: WCCP with https redirection on ASA

It should work with https also.

Make sure your wccp service is configured for both port 80 and 443, or else the ASA will not redirect https.

The ASA will talk to the engine and agree on the ports supported on the service and then redirect.

I hope it helps.

PK

New Member

Re: WCCP with https redirection on ASA

Hi PK,

Thanks for the reply. Do I have to use the dynamic service numbers? Dynamic service numbers are from 0-254, so 443 isn't in the range.

I have created an access list for redirection of https traffic and applied it on webcache, but it didn't work and the firewall passes this to the internet. Please help me to understand the service numbers and how to implement them. I will be very grateful.

Patricio,

PK is right, routing on your squid box will solve the problem. Add the router (firewall outside interface) pointing to the firewall inside interface IP.

Regards

New Member

Re: WCCP with https redirection on ASA

Hi PK,

I have found that service group 70 is for https, so I have configured accordingly, but it's not working and I'm not seeing any hits either.


Global WCCP information:
    Router information:
Router Identifier:                   193.193.1.130

Protocol Version:                    2.0

    Service Identifier: web-cache
Number of Cache Engines:             1
Number of routers:                   1
Total Packets Redirected:            531
Redirect access-list:                WCCP-http
Total Connections Denied Redirect:   0
Total Packets Unassigned:            0
Group access-list:                   WCCP-Proxy-Group

Total Messages Denied to Group:      0
Total Authentication failures:       0
Total Bypassed Packets Received:     0

   Service Identifier: 5
Number of Cache Engines:             0
Number of routers:                   0
Total Packets Redirected:            0
Redirect access-list:                WCCP-ftp
Total Connections Denied Redirect:   0
Total Packets Unassigned:            0
Group access-list:                    WCCP-Proxy-Group

Total Messages Denied to Group:      0
Total Authentication failures:       0
Total Bypassed Packets Received:     0

    Service Identifier: 70
Number of Cache Engines:             0
Number of routers:                   0
Total Packets Redirected:            0
Redirect access-list:                WCCP-https
Total Connections Denied Redirect:   0
Total Packets Unassigned:            0
Group access-list:                    WCCP-Proxy-Group

Total Messages Denied to Group:      0
Total Authentication failures:       0
Total Bypassed Packets Received:     0
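The show wccp output quoted in the post above can be checked mechanically: a service group reporting zero cache engines means no cache has registered for it, so the firewall has nothing to redirect that traffic to. This is an added example, not part of the original post; the function names are hypothetical and the sample text is constructed in the shape of the output above.

```python
import re

# Constructed sample, shaped like the `show wccp` output quoted in the post.
SAMPLE = """\
Global WCCP information:
    Router information:
Router Identifier:                   193.193.1.130
Protocol Version:                    2.0

    Service Identifier: web-cache
Number of Cache Engines:             1
Number of routers:                   1
Total Packets Redirected:            531
Redirect access-list:                WCCP-http

    Service Identifier: 70
Number of Cache Engines:             0
Number of routers:                   0
Total Packets Redirected:            0
Redirect access-list:                WCCP-https
"""

# "Key:   value" lines; headers that end in a bare colon do not match.
FIELD = re.compile(r"^\s*([^:]+?):\s*(\S.*?)\s*$")

def parse_show_wccp(text):
    """Return {service_id: {field: value}} for each 'Service Identifier' block."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and section headers carry no value
        key, value = m.group(1), m.group(2)
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:  # skip router-level fields before the first service
            current[key] = int(value) if value.isdigit() else value
    return services

def unregistered_services(services):
    """Service groups that no cache engine has joined (nothing to redirect to)."""
    return sorted(sid for sid, fields in services.items()
                  if fields.get("Number of Cache Engines", 0) == 0)

if __name__ == "__main__":
    for sid in unregistered_services(parse_show_wccp(SAMPLE)):
        print(f"service {sid}: no cache engine registered, traffic is not redirected")
```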

New Member

Re: WCCP with https redirection on ASA

Hi,

After making a few changes on squid for WCCP, the ASA is now redirecting that traffic to squid, but squid is giving the error message unsupported type. I will do some more investigation on this. Does anybody know what specific changes are required on squid to make this work? Squid is running in transparent mode.

regards

New Member

Re: WCCP with https redirection on ASA

Hi ,

Does anybody know whether WCCP works with squid for https traffic? I am finding it difficult to work with them and have failed to get a working setup. Neither have I found anything on the internet about this...

Regards

Bronze

Re: WCCP with https redirection on ASA

Greetings,

According to the main squid page, http is supported: "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more."

http://www.squid-cache.org/

There are a lot of good configuration examples on this site as well, but their ASA config example is not ideal.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

The config example on the page linked above uses a redirect-list ACL with the www port defined. This is incorrect because the ASA decides what services are sent to the web-cache server based on what is negotiated for that service with the server. This means two things. 1) You should define your redirect-list ACL with all IP traffic and let the negotiation with the squid wccp server. 2) You need a separate redirect service number for each service type: http, https, ftp, etc.

Corrected config:

! Configure hosts to be redirected, exempt the squid server

access-list wccp_redirect extended deny ip host $SQUID-IP any
access-list wccp_redirect extended permit ip WORKSTATIONS 255.255.255.0 any

! Define the default rule for http traffic
wccp web-cache redirect-list wccp_redirect password foo

! Additional rule for https traffic where 70 corresponds with the service # on the squid server

wccp 70 redirect-list wccp_redirect password foo

! Apply both rules to the inside interface

wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

I hope this helps.

Thanks,

Brendan

New Member

Re: WCCP with https redirection on ASA

Would this work for VPN users terminating in the ASA, either as clients or LAN-LAN tunnels? It does appear it wouldn't since the VPN users would not be on the same interface as the squid box.

New Member

Re: WCCP with https redirection on ASA

I have a PIX 515.

I did exactly what you have written, but https traffic is still going directly through the PIX to the internet without the proxy.

With HTTP traffic all is OK. I see it on my squid proxy.

If I set the proxy for HTTPS in Internet Explorer manually, https goes through squid.

Is the PIX able to route HTTPS/FTP via WCCP?

Thank you!
