G
G
gadzhikuliev2018-07-09 17:13:00
Squid
gadzhikuliev, 2018-07-09 17:13:00

How to set up transparent proxying of Squid + Cisco ASA over WCCP?

Colleagues, good afternoon.
I am setting up a transparent Squid proxy with redirection from Cisco ASA to WCCP. Squid itself is already configured with authorization through Active Directory (Kerberos and LDAP groups), it works if the client has proxy settings. The OS used is CentOS 7, installed on a virtual machine. The physical interface address of the proxy server is 172.31.4.64 /24. The address of the ASA interface with which the device "looks" to the internal network is 172.31.0.4 /24.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:af:43:91 brd ff:ff:ff:ff:ff:ff
    inet 172.31.4.64/24 brd 172.31.4.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaf:4391/64 scope link
       valid_lft forever preferred_lft forever

Set up tunneling in CentOS 7:
modprobe ip_gre
ip tunnel add wccp0 mode gre remote 172.31.0.4 local 172.31.0.150 dev ens32
ip link set wccp0 up

Then I created the file /etc/sysconfig/network-scripts/ ifcfg-wccp0 . Here it is already unclear how to describe it, when in the case of a tunnel on the ASA, the external and internal addresses of the tunnel are the same:
ONBOOT=YES
DEVICE=wccp0
TYPE=GRE
IPADDR=172.31.0.150                    # Внутренний адрес туннеля
MY_INNER_IPADDR=172.31.0.150           # Внутренний адрес туннеля
MY_OUTER_IPADDR=172.31.4.64            # Внешний адрес, на котором будем создавать туннель
PEER_INNER_IPADDR=172.31.0.4           # Внутренний адрес туннеля с другой стороны
PEER_OUTER_IPADDR=172.31.0.4           # Внешний адрес, куда будет создаваться туннель

After that, the network disappears altogether, which is understandable. I tried to connect a second physical network interface and assigned it the address 172.31.0.150/24, applied different options on how to set it up, but nothing.
Squid settings:
http_port 172.31.4.64:3128
http_port 172.31.0.150:3127 intercept

wccp2_router 172.31.0.4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco

ASA settings. 172.31.10.71 - the address of the test machine, while I'm checking access on it.
object network local_pc host 172.31.10.71
access-list redirect_to_squid extended permit tcp object local_pc any eq www
wccp web-cache redirect-list redirect_to_squid password cisco
wccp interface inside web-cache redirect in

If who faced, I ask to help. Thank you in advance.

Answer the question

In order to leave comments, you need to log in

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question