Cisco ASA and Squid with WCCP2

by Ruslan   Last Updated July 10, 2018 07:00 AM

I am configuring transparent Squid proxy redirection with a Cisco ASA via WCCP. Squid is already configured with authorization through Active Directory (Kerberos and LDAP groups) and works if the proxy settings are set on the client. The OS used is CentOS 7, installed on a virtual machine. The IP address of the physical interface of the proxy server is 172.31.4.64 / 24. The IP address of the ASA internal interface is 172.31.0.4 / 24.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:af:43:91 brd ff:ff:ff:ff:ff:ff
    inet 172.31.4.64/24 brd 172.31.4.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaf:4391/64 scope link
       valid_lft forever preferred_lft forever

I configured tunneling in CentOS 7:

modprobe ip_gre
ip tunnel add wccp0 mode gre remote 172.31.0.4 local 172.31.0.150 dev ens32
ip link set wccp0 up

Then I created the /etc/sysconfig/network-scripts/ifcfg-eth0 file. I do not understand how to describe it when, in the case of a tunnel on the ASA, the external and internal addresses of the tunnel are the same:

ONBOOT=YES
DEVICE=ens32
IPADDR=172.31.0.150
MY_INNER_IPADDR=172.31.0.150
MY_OUTER_IPADDR=172.31.4.64
PEER_INNER_IPADDR=172.31.0.4
PEER_OUTER_IPADDR=172.31.0.4

After that the network disappears entirely, which is understandable. I tried connecting a second physical network interface and assigned it the address 172.31.0.150 / 24, and tried different configuration options, but nothing worked. Squid settings:

http_port 172.31.4.64:3128
http_port 172.31.0.150:3127 intercept

wccp2_router 172.31.0.4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco

ASA settings. 172.31.10.71 is the address of the test machine; for now I am checking on it only.

object network local_pc host 172.31.10.71
access-list redirect_to_squid extended permit tcp object local_pc any eq www
wccp web-cache redirect-list redirect_to_squid password cisco
wccp interface inside web-cache redirect in

If anyone has faced this, please help. Thanks in advance.
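
An added example, not part of the original post: a small Python check that cross-references the addresses used in the snippets above (the `ip addr` output, the `ip tunnel` command and the Squid `http_port` lines) and reports any address that Squid or the GRE tunnel expects to own but that is not assigned to an interface. The function names are illustrative, and the embedded inputs are abridged copies of the post's snippets.

```python
import re

# Inputs copied (abridged) from the post; the checker is an added illustration.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 172.31.4.64/24 brd 172.31.4.255 scope global noprefixroute ens32
"""
TUNNEL_CMD = "ip tunnel add wccp0 mode gre remote 172.31.0.4 local 172.31.0.150 dev ens32"
SQUID_CONF = """\
http_port 172.31.4.64:3128
http_port 172.31.0.150:3127 intercept
wccp2_router 172.31.0.4
"""

IPV4 = r"\d+(?:\.\d+){3}"


def local_addresses(ip_addr_output):
    """Return the IPv4 addresses assigned to interfaces in `ip addr` output."""
    return set(re.findall(rf"^\s+inet ({IPV4})/", ip_addr_output, re.M))


def check(ip_addr_output, tunnel_cmd, squid_conf):
    """List addresses the tunnel or Squid relies on that the host does not own."""
    findings = []
    local = local_addresses(ip_addr_output)

    # GRE packets reach wccp0 only if they are addressed to an IP the host
    # owns, so the tunnel's "local" endpoint has to be an assigned address.
    endpoints = dict(re.findall(rf"\b(remote|local) ({IPV4})", tunnel_cmd))
    if endpoints.get("local") not in local:
        findings.append(f"tunnel local {endpoints.get('local')} is not assigned to any interface")

    # Squid can bind a listening port only to an address present on the host
    # (unless non-local bind is enabled in the kernel).
    for addr, port in re.findall(rf"^http_port ({IPV4}):(\d+)", squid_conf, re.M):
        if addr not in local:
            findings.append(f"http_port {addr}:{port} binds to an address not on this host")
    return findings


if __name__ == "__main__":
    for finding in check(IP_ADDR_OUTPUT, TUNNEL_CMD, SQUID_CONF):
        print("MISMATCH:", finding)
```
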


