
New Member

WCCP with https redirection on ASA

Hi All,

I have tried WCCP HTTP redirection on the firewall with a Squid server and it runs OK. Then I tried WCCP HTTPS redirection on the firewall, and it is not working: the request goes straight through the firewall. Does WCCP support HTTPS redirection, or does it only work for HTTP? Your answer will be appreciated.

Regards

25 REPLIES
New Member

Re: WCCP with https redirection on ASA

Were you able to make it work? Maybe you can help me.

https://supportforums.cisco.com/message/3074818#3074818

I'm sorry, I don't have an answer to your question.

Cisco Employee

Re: WCCP with https redirection on ASA

It should work with https also.

Make sure your wccp service is configured for both port 80 and 443, or else the ASA will not redirect https.

The ASA will talk to the engine and agree on the ports supported on the service and then redirect.

I hope it helps.

PK

New Member

Re: WCCP with https redirection on ASA

Hi PK,

Thanks for the reply. Do I have to use the dynamic service numbers? Dynamic service numbers are from 0-254, so 443 isn't in the range.

I have created an access list for redirection of HTTPS traffic and applied it on web-cache, but it didn't work and the firewall passes this to the internet. Please help me to understand the service numbers and how to implement them. I would be very grateful.

Patricio,

PK is right, routing on your squid box will solve the problem. Add the router (firewall outside interface) pointing to the firewall inside interface IP.

Regards

New Member

Re: WCCP with https redirection on ASA

Hi PK,

I have found that service group 70 is for HTTPS, so I have configured it accordingly, but it's not working and I am not seeing any hits either.

Global WCCP information:
    Router information:
        Router Identifier:                   193.193.1.130
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            531
        Redirect access-list:                WCCP-http
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 5
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-ftp
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                WCCP-https
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   WCCP-Proxy-Group
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

New Member

Re: WCCP with https redirection on ASA

Hi,

After making a few changes on squid for WCCP, the ASA is now redirecting that traffic to squid, but squid is giving the error message "unsupported type". I will do some more investigation on this. Does anybody know what specific changes are required on squid to make this work? Squid is running in transparent mode.

regards

New Member

Re: WCCP with https redirection on ASA

Hi ,

Does anybody know whether WCCP works with squid for HTTPS traffic? I am finding it difficult to get them working together and have failed to get a working setup. Neither have I found anything on the internet about this.

Regards

Bronze

Re: WCCP with https redirection on ASA

Greetings,

According to the main squid page, http is supported: "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more."

http://www.squid-cache.org/

There are a lot of good configuration examples on this site as well, but their ASA config example is not ideal.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

The config example on the page linked above uses a redirect-list ACL with the www port defined. This is incorrect because the ASA decides what services are sent to the web-cache server based on what is negotiated for that service with the server. This means two things. 1) You should define your redirect-list ACL with all IP traffic and let the negotiation with the squid wccp server decide. 2) You need a separate redirect service number for each service type: http, https, ftp, etc.

Corrected config:

! Configure hosts to be redirected, exempt the squid server

access-list wccp_redirect extended deny ip host $SQUID-IP any
access-list wccp_redirect extended permit ip WORKSTATIONS 255.255.255.0 any

! Define the default rule for http traffic
wccp web-cache redirect-list wccp_redirect password foo

! Additional rule for https traffic where 70 corresponds with the service # on the squid server

wccp 70 redirect-list wccp_redirect password foo

! Apply both rules to the inside interface

wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

I hope this helps.

Thanks,

Brendan

New Member

Re: WCCP with https redirection on ASA

Would this work for VPN users terminating in the ASA, either as clients or LAN-LAN tunnels? It does appear it wouldn't, since the VPN users would not be on the same interface as the squid box.

New Member

Re: WCCP with https redirection on ASA

I have a PIX 515.

I did exactly what you have written, but HTTPS traffic is still going without the proxy, directly through the PIX to the internet.

With HTTP traffic all is OK. I see it on my squid proxy.

If I set a proxy for HTTPS in Internet Explorer manually, HTTPS goes through squid.

Is the PIX able to route HTTPS/FTP via WCCP ?

Thank you!

Cisco Employee

Re: WCCP with https redirection on ASA

What version is the PIX running?

HTTP should work as long as the squid service supports https.

PK

New Member

Re: WCCP with https redirection on ASA

Oops, sorry for the incomplete information about the PIX.

PIX515E with OS PIX 8.04

With HTTP there is no problem! Everything is going through the GRE tunnel to the SQUID proxy.

But HTTPS or FTP (for example) go DIRECTLY through the PIX, without any proxy, and when I look at tcpdump there is no activity on the squid server when I go to https sites.

=(

New Member

WCCP with https redirection on ASA

I ran into the same issue, i.e. the ASA did not redirect 443 traffic.

What did you do on the squid in order to tell the ASA that 443 is working?

Re: WCCP with https redirection on ASA

Same problem for me

WCCP + squid redirect http is OK

WCCP + squid redirect https is NOT OK

Re: WCCP with https redirection on ASA

Hello

With that, http AND https are redirected to squid:

http_port 192.168.255.253:3129 intercept

wccp2_router 192.168.255.254

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=XXXXX

wccp2_service dynamic 70 password=XXXXX

wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

But I have SSL error ....

I don't see "CONNECT" request on squid log

If I set https_proxy to squid on my client, it's OK, but not in WCCP/redirect mode

I have Squid for Debian 6

Cisco Employee

Re: WCCP with https redirection on ASA

You are right, it will not work, for the reason that you mentioned.

PK

New Member

Re: WCCP with https redirection on ASA

I will be looking into using the VPN Tunnel Default Gateway feature as discussed here: https://cisco-support.hosted.jivesoftware.com/thread/2011160

I should be able to set an internal layer 3 switch as the Tunnel Default Gateway and have all VPN traffic go inside, then be routed back out and subjected to the web filter (either inline or WCCP). I'll post my result in a few weeks.

Cisco Employee

Re: WCCP with https redirection on ASA

It should work fine.

Make sure the squid service that the PIX is using has the https and ftp ports in it.

PK

New Member

Re: WCCP with https redirection on ASA

OK, here is what the PIX responds:

pix# show wccp

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   1
        Total Packets Unassigned:            68
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

and some strings from squid.conf:

wccp2_router 123.45.67.89

wccp2_service standard 0
wccp2_service dynamic 70

wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443
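As an added example (not code from the thread), a small Python parser for the `show wccp` output posted above that reports, per service, whether a cache engine has registered and whether any packets have been redirected; the embedded sample is abridged from the PIX post above and is the state this thread keeps running into (service 70 registered, nothing redirected).

```python
"""Parse `show wccp` output and flag WCCP services that are not doing their job:
no cache engine registered, or a cache registered that never gets traffic."""
import re

# Abridged from the PIX `show wccp` output posted in this thread (not a live capture).
SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect

    Service Identifier: 70
        Number of Cache Engines:             1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
"""

def parse_show_wccp(text):
    """Return {service_id: {field: value}} for every 'Service Identifier' block."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*([A-Za-z -]+?):\s+(\S.*)$", line)
        if m and current is not None:  # skip the router header block
            key, val = m.group(1).strip(), m.group(2).strip()
            current[key] = int(val) if val.isdigit() else val
    return services

def diagnose(services):
    """Map each service to a short status a firewall admin can act on."""
    out = {}
    for sid, f in services.items():
        engines = f.get("Number of Cache Engines", 0)
        redirected = f.get("Total Packets Redirected", 0)
        if engines == 0:
            out[sid] = "no cache engine registered (check wccp2_service/password on squid)"
        elif redirected == 0:
            out[sid] = "cache registered but nothing redirected (check ports=, redirect-list, interface)"
        else:
            out[sid] = "ok"
    return out
```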

Bronze

Re: WCCP with https redirection on ASA

and some strings from squid.conf:

wccp2_router 123.45.67.89

wccp2_service standard 0
wccp2_service dynamic 70

wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443

The ASA is recognizing the squid server for service 70, but not redirecting anything. I'm not sure if this is the only problem, but I do see one mistake in your squid config.

The format is:

  wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>.. priority=<priority> ports=<port>,<port>..

You are missing the "s" in "ports=443".

Thanks,

Brendan
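The `port=` versus `ports=` slip above is easy to miss by eye, so here is an added example (not from the thread or the Squid project) of a small linter for `wccp2_service_info` lines in squid.conf; the option and flag names it accepts are the ones documented for that directive, and the dynamic service-id range it enforces (51-255) is squid's documented range.

```python
"""Lint squid.conf wccp2_service_info lines for the mistakes seen in this thread:
unknown options such as `port=` (should be `ports=`), unknown flags, bad ids."""

VALID_KEYS = {"protocol", "flags", "priority", "ports"}
VALID_FLAGS = {
    "src_ip_hash", "dst_ip_hash", "source_port_hash", "dst_port_hash",
    "ports_source", "src_ip_alt_hash", "dst_ip_alt_hash",
    "src_port_alt_hash", "dst_port_alt_hash",
}

def lint_service_info(line):
    """Return a list of problems found in one wccp2_service_info line ([] = looks valid)."""
    problems = []
    parts = line.split()
    if len(parts) < 2 or parts[0] != "wccp2_service_info":
        return ["not a wccp2_service_info line"]
    # squid documents dynamic service ids as 51-255; 0-50 are the well-known services
    if not parts[1].isdigit() or not 51 <= int(parts[1]) <= 255:
        problems.append("service id must be a dynamic service number 51-255")
    opts = {}
    for tok in parts[2:]:
        key, _, val = tok.partition("=")
        if key not in VALID_KEYS:
            hint = " (did you mean ports=?)" if key == "port" else ""
            problems.append(f"unknown option {key!r}{hint}")
            continue
        opts[key] = val
    for required in ("protocol", "ports"):
        if required not in opts:
            problems.append(f"missing required option {required}=")
    if opts.get("protocol", "tcp") not in ("tcp", "udp"):
        problems.append("protocol= must be tcp or udp")
    if "flags" in opts:
        bad = [f for f in opts["flags"].split(",") if f not in VALID_FLAGS]
        if bad:
            problems.append(f"unknown flags: {','.join(bad)}")
    if "ports" in opts and not all(p.isdigit() for p in opts["ports"].split(",")):
        problems.append("ports= must be a comma-separated list of port numbers")
    return problems
```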

Cisco Employee

Re: WCCP with https redirection on ASA

Is the https hitting the web-cache service redirect ACL?

If it is matching on this one, then it will not move to service 70.

PK

New Member

Re: WCCP with https redirection on ASA

No. How can I check this? On the squid server there is no activity for HTTPS requests.

New Member

Re: WCCP with https redirection on ASA

Vladimir,

You need to configure SSL on squid in order to support HTTPS on squid. Note: Squid transparent mode will not work if you are going to use SSL on squid.

http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html

Did you figure it out?

I have the same issue, can you help me on this case?

Thanks.

New Member

To intercept SSL connections, you need to have the following:

  1. Cisco device (router, switch, pix, whatever) configured for service 70.
  2. Squid also configured for service 70.
  3. https_port configured in Squid, set to transparent mode.
  4. Get the traffic coming down the GRE tunnel into Squid.

Regarding step 1, there's plenty of config around; on a router mine looks like this:

ip wccp 70 redirect-list 102

Step 2 is where you tell Squid that it needs to register with the router, so the router adds it to the list of available caches it can send traffic to.  The config to do this for service 70 looks like this:

wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,src_port_alt_hash priority=240 ports=443

That handles the WCCP side of things, but Squid needs a port set up to handle the traffic. Here's what I've got:

https_port 3129 intercept ssl-bump cert=/var/squid/sslbump/localhost.crt key=/var/squid/sslbump/localhost.key

I'm not sure, but I think any https_port running in intercept mode also needs ssl-bump specified, which means you need to generate a self-signed CA certificate/key pair before you can apply that part of the config. Instructions on how to do this are pretty common so I won't repeat them here.

Then lastly you need to get the traffic into Squid somehow. Here's how I've done it in iptables, with traffic egressing the tun0 interface:

iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.159.192.24:3129

There are some clever tricks required to make all this work, mostly around what Squid does with the SSL connections that it sees. It's (mostly) not compatible with upstream proxies. You also need to stop it trying to bump connections if your clients aren't prepared to accept the forged certificate it returns when doing so.

I know your original question was around how to get SSL working on the Cisco side of things, but it is vital to understand how Squid handles this. Check this guide for info: http://wiki.squid-cache.org/Features/SslPeekAndSplice

Good luck :)

21970 Views, 0 Helpful, 25 Replies