Dear all,
I am trying to configure www/squid, version 3.4, on a FreeBSD 10.1-RELEASE to communicate through wccp on a Cisco ASA 5505 router.
The FreeBSD squid server ip is: 172.17.0.61
The Cisco ASA has three interfaces (loc: 172.17.0.0/16, DMZ: 192.168.0.0/24, net: 123.123.123.0/26 (fictional)).
Until now, this is what I have configured:
/etc/rc.conf
Code:
...
ifconfig_re0="inet 172.17.0.61 netmask 255.255.0.0"
defaultrouter="172.17.0.254"
cloned_interfaces="gre0"
ifconfig_gre0="1.1.1.1 1.1.1.2 netmask 255.255.255.252 link2 tunnel 172.17.0.61 172.17.0.254 up"
squid_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_script="/usr/local/etc/ipfw.rules"
/boot/loader.conf
Code:
dummynet_load="YES"
if_gre_load="YES"
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
/usr/local/etc/ipfw.rules
Code:
#!/bin/sh
/sbin/ipfw -f flush
/sbin/ipfw add 60000 allow ip from any to any
/sbin/ipfw add 10 fwd 127.0.0.1,3129 tcp from any to any 80 recv gre0
/usr/local/etc/squid/squid.conf
Code:
http_port 3129 intercept
wccp2_router 172.17.0.254
wccp2_assignment_method hash
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp_version 4
forwarded_for on
...
I have enabled WCCP on the ASA with the following commands:
asa(config)# access-list wccp-traffic extended permit tcp 172.17.0.0 255.255.0.0 any eq www
asa(config)# access-list wccp-servers extended permit ip host 172.17.0.61 any
asa(config)# wccp web-cache redirect-list wccp-traffic group-list wccp-servers
asa(config)# wccp interface loc web-cache redirect in
But, no matter what, this is what I get:
asa# show wccp web-cache view
Code:
WCCP Routers Informed of:
-none-
WCCP Cache Engines Visible:
-none-
WCCP Cache Engines NOT Visible:
-none-
And in the FreeBSD box:
# ipfw show
Code:
00010 0 0 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 recv gre0
I know of the following two limitations that Cisco warns about (https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration):
"1) The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance."
The server 172.17.0.61 is in the same VLAN as the clients (I tried putting it on a port of the clients' switch and on another port in the same VLAN on the ASA; still no go).
"2)Router ID is chosen as the highest IP address configured on the ASA. If that happens to the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to get to that Router-ID address pointing to the ASA's interface."
Since I do not receive any address from show wccp web-cache view, I enabled all traffic from the net interface to 172.17.0.61 on the loc interface, then tried every pingable IP address of the net interface in the above configurations, getting the same results.
Does anybody have a tip on what I have to do to make the coordination work?
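As an added example, not from the original post or from squid/FreeBSD: a small Python check of the two Cisco limitations quoted above against the posted rc.conf. It assumes sample DMZ and outside addresses for the ASA (only the loc address 172.17.0.254 is on the page), and it assumes the ASA sources its GRE redirects from the router ID, so that the gre0 tunnel destination must be that address.

```python
import ipaddress
import re

# ASA interface addresses (constructed): only loc 172.17.0.254 appears in the
# post; the DMZ and outside addresses are assumed for illustration.
ASA_INTERFACES = {"loc": "172.17.0.254", "DMZ": "192.168.0.1", "net": "123.123.123.1"}

# FreeBSD side, copied from the rc.conf in the post.
RC_CONF = '''
ifconfig_re0="inet 172.17.0.61 netmask 255.255.0.0"
defaultrouter="172.17.0.254"
ifconfig_gre0="1.1.1.1 1.1.1.2 netmask 255.255.255.252 link2 tunnel 172.17.0.61 172.17.0.254 up"
'''


def asa_router_id(interfaces):
    """Cisco's rule quoted in the post: the router ID is the highest configured IP."""
    return max(ipaddress.ip_address(a) for a in interfaces.values())


def parse_rc_conf(rc_conf):
    """Pull the LAN subnet, default gateway and GRE tunnel destination out of rc.conf."""
    m = re.search(r'ifconfig_\w+="inet (\S+) netmask (\S+)"', rc_conf)
    lan = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    gw = ipaddress.ip_address(re.search(r'defaultrouter="(\S+)"', rc_conf).group(1))
    tun = ipaddress.ip_address(re.search(r"tunnel \S+ (\S+)", rc_conf).group(1))
    return lan, gw, tun


def check_router_id(interfaces, rc_conf):
    """Return the router ID and a list of findings about the squid host's config.

    Assumption (not stated in the post): the ASA sources its GRE redirects
    from the router ID, so the gre0 tunnel destination must be that address.
    """
    rid = asa_router_id(interfaces)
    lan, gw, tun = parse_rc_conf(rc_conf)
    findings = []
    # Limitation 2: if the router ID is not on the LAN, the route to it must
    # go through the ASA's loc interface (here: the default gateway).
    if rid not in lan and gw != ipaddress.ip_address(interfaces["loc"]):
        findings.append(f"route to router ID {rid} goes via {gw}, not the ASA loc interface")
    if tun != rid:
        findings.append(f"gre0 tunnel destination {tun} is not the router ID {rid}")
    return rid, findings


if __name__ == "__main__":
    rid, findings = check_router_id(ASA_INTERFACES, RC_CONF)
    print(f"expected ASA router ID: {rid}")
    for f in findings:
        print("finding:", f)
```

With the sample addresses the DMZ interface wins, so the posted tunnel endpoint (172.17.0.254) is flagged; substitute the real ASA addresses to see which case applies.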