N091010-ASA_WCCP_LINUX



How to set up WCCP with a Cisco ASA and a Squid proxy web cache on CentOS. The basics of this article will also work with other Linux distributions, though specific commands may vary. The Cisco ASA uses Generic Routing Encapsulation (GRE) to redirect packets to the web-cache proxy, in this case Squid.

This article isn't going to be overly specific though it will provide key information for your success.

The following gives information on the network and network devices:
    Network:        192.168.0.0/24
    Cisco ASA:      192.168.0.1 
    IP of Squid:    192.168.0.25
I expect that you can adjust the address information on your own from here.

On the Linux server you will need to set up a GRE interface. You may have a kernel which is already configured for GRE or you may load it as a module. In this example GRE is a module.

Create the GRE interface
  1. Create the file /etc/sysconfig/network-scripts/ifcfg-gre0 and populate it with the following information
     DEVICE=gre0
     BOOTPROTO=static
     IPADDR=127.0.0.2
     NETMASK=255.255.255.252
     ONBOOT=YES
     IPV6INIT=NO
    
    NOTES:
    1) The GRE interface is there to receive packets from the WCCP service on the ASA. You will only see RX packets on this interface.
    2) It doesn't matter what IP address you use here as long as it doesn't overlap with anything else on the network.

  2. Load GRE as a kernel module
    modprobe ip_gre

  3. Now restart the network service in order to establish the GRE network Interface
    service network restart

  4. Confirm that the GRE is working and listening
    iptunnel show
    sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
    gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
    

  5. Modify the file /etc/sysctl.conf so that it contains the following:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    
    This is needed to move packets from the GRE tunnel to the regular interface where Squid lives.

  6. You are going to use iptables to transfer the GRE-tunneled packets from the ASA to the web-cache proxy. Issue the command

    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.25:3128

Squid Web-Cache Proxy Configuration
You will need to edit the file /etc/squid/squid.conf
  1. Permit the local network hosts access
     acl our_networks src 192.168.0.0/24
     http_access allow our_networks
    
  2. Tell squid to use WCCP and to operate in Transparent mode
     http_port 192.168.0.25:3128  transparent
     wccp2_router 192.168.0.1
     wccp2_forwarding_method 1
     wccp2_return_method 1
     wccp2_service standard 0
     wccp_version 4
     wccp2_address 192.168.0.25
    
  3. Exit your editor, saving your changes.
  4. Restart Squid with the command service squid restart
Survival
To make this survive a reboot, I added the following to /etc/rc.d/rc.local

#WCCP Proxy-Cache load up on boot
modprobe ip_gre

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.25:3128

service squid start

Squid is set to OFF at startup as I wanted to ensure that all of the GRE and IPTABLES settings took hold first. Plus, seeing as WCCP on the ASA will not start redirection until SQUID is alive, users will still be able to get online and do their work.
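As an added example (not part of the original article or of Squid), the rc.local fragment above rewritten so it can run on every boot without stacking duplicate DNAT rules. It uses the article's addresses, assumes the CentOS service/sysctl/iptables commands shown above, and only changes anything when run as root with WCCP_APPLY=1 set, so it can also be sourced just for its functions.

```shell
#!/bin/sh
# Idempotent replacement for the rc.local fragment (added example, not the
# article's own script). Addresses follow the article; adjust as needed.
LAN_NET="192.168.0.0/24"
SQUID_IP="192.168.0.25"
SQUID_PORT="3128"

# Rule body shared by the add and the check so the two can never drift apart.
# Uses the "! -d" negation syntax; iptables as shipped on older CentOS
# releases expects "-d ! <net>" instead (the form used in the article).
wccp_dnat_rule() {
    printf '%s' "PREROUTING -s $1 ! -d $1 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $2:$3"
}

# rc.local runs on every boot; a bare -A would add one more copy of the rule
# each time. Look for an existing redirect to Squid in the nat table first.
ensure_dnat_rule() {
    if iptables -t nat -L PREROUTING -n | grep -q "dpt:80.*to:$SQUID_IP:$SQUID_PORT"; then
        return 0
    fi
    # Word splitting of the rule body is intended here.
    iptables -t nat -A $(wccp_dnat_rule "$LAN_NET" "$SQUID_IP" "$SQUID_PORT")
}

# GRE module and forwarding must be in place before the first redirected
# packet arrives; Squid is started last so the ASA only begins redirecting
# once the Linux side is ready (the reason Squid is OFF at startup above).
apply_boot_config() {
    modprobe ip_gre
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ensure_dnat_rule
    service squid status >/dev/null 2>&1 || service squid start
}

if [ "${WCCP_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    apply_boot_config
fi
```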


Cisco ASA Commands
The ASDM interface does make it reasonably simple to command and control the Cisco Firewall product. I am NOT going to provide the screen shots required to demonstrate the configuration. I am going to describe how to configure via the GUI and give you the command line equivalents.

Log on to the firewall GUI and access the Configuration portion and perform the following steps:
  1. Navigate to Configuration > Firewall > Advanced > ACL Manager
    1. Select Add ACL
    2. In the ACL Name box enter the name for the ACL
      I used Proxy-Server; remember that ACL names cannot contain spaces
    3. Select Add ACE and fill in the fields as follows
      Action: - Permit
      Source: - IP Address of Squid - I used LINUX_LAN-25
      Destin: - IP Address of ASA - I used 192.168.0.1
      Service:- UDP. For greater security you can restrict this to port 2048, the UDP port WCCP uses
      Descrip:- GRE Tunnel for WCCP
      
      Add other servers by repeating step 1.3 above
    OR issue the commands:
    access-list Proxy-Server extended permit udp host LINUX_LAN-25 host 192.168.0.1 log debugging
    access-list Proxy-Server remark Redirect for HTTP traffic

  2. Apply your changes and save the running config to flash
  3. Navigate to Configuration > Device Management > Advanced > WCCP > Service Groups
    1. Select Add and enter in the information as follows
      Service - web-cache
      Redirect list: inside_access_in
      Group list : Proxy-Server
      
    OR
    Issue the command
    wccp web-cache redirect-list inside_access_in group-list Proxy-Server
  4. Apply your changes and save the running config to flash
  5. Navigate to Configuration > Device Management > Advanced > WCCP > Redirection
    1. Select Add and enter in the information as follows
      Interface - inside
      service group: web-cache
      
  6. Apply your changes and save the running config to flash
  7. Issue the command show wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   209.217.97.162
            Protocol Version:                    2.0

        Service Identifier: web-cache
            Number of Cache Engines:             1    <-- this line is important
            Number of routers:                   1    <-- so is this one
            Total Packets Redirected:            3
            Redirect access-list:                inside_access_in
            Total Connections Denied Redirect:   0
            Total Packets Unassigned:            0
            Group access-list:                   Proxy-Server
            Total Messages Denied to Group:      132
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0

    This output indicates that you are good to go; if it isn't working at this point, look to your Squid configuration.


Troubleshooting
Here is where you can look if you have problems:
On the ASA the following commands will help
  • debug wccp events (no debug all turns this off)
  • debug wccp packets (no debug all turns this off)
  • show wccp
On Linux the following commands will help
  • netstat -n and look for the WCCP control session to the ASA (UDP 2048)
    udp        0      0 192.168.0.25:2048           192.168.0.1:2048            ESTABLISHED
    
  • netstat -an and make sure squid is listening
    tcp        0      0 192.168.0.25:3128           0.0.0.0:*                   LISTEN
    
  • tail -f /var/log/squid/access.log to see if anything is being logged by Squid
    1255190134.552    484 192.168.0.5 TCP_MISS/200 8778 GET http://www.esubnet.com/ - DIRECT/209.217.97.164 text/html
    
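The three manual checks above turned into pass/fail functions, as an added example that is not part of the original article. Each function reads the relevant command output on stdin; the pass thresholds (at least one cache engine and one router registered, no authentication failures) are my assumptions based on the output shown earlier.

```shell
#!/bin/sh
# Added example: scriptable versions of the troubleshooting checks.

# Reads `show wccp` output from the ASA on stdin. Passes when at least one
# cache engine and one router are registered and no authentication failures
# were counted (thresholds are assumptions, not from the article).
wccp_asa_ok() {
    awk -F': *' '
        /Number of Cache Engines/        { engines  = $2 + 0 }
        /Number of routers/              { routers  = $2 + 0 }
        /Total Authentication failures/  { authfail = $2 + 0 }
        END { exit !(engines >= 1 && routers >= 1 && authfail == 0) }'
}

# Reads `netstat -an` output on stdin. Passes when the WCCP control session
# (UDP 2048 on the Squid address) and the Squid listener are both present.
# $1 = Squid IP, $2 = Squid transparent port.
wccp_sockets_ok() {
    awk -v ctl="$1:2048" -v sq="$1:$2" '
        $1 == "udp" && $4 == ctl                    { c = 1 }
        $1 == "tcp" && $4 == sq && $NF == "LISTEN"  { l = 1 }
        END { exit !(c && l) }'
}

# Run on the Squid host: $1 is a file holding pasted `show wccp` output
# (hypothetical path, e.g. /tmp/show_wccp.txt), $2/$3 the Squid IP and port.
check_wccp_health() {
    status=0
    if wccp_asa_ok < "$1"; then
        echo "ASA: cache engine registered"
    else
        echo "ASA: no cache engine registered; review the wccp2_* lines in squid.conf"
        status=1
    fi
    if netstat -an | wccp_sockets_ok "$2" "$3"; then
        echo "Linux: WCCP session and Squid listener present"
    else
        echo "Linux: UDP 2048 session or Squid listener missing; check gre0 and the DNAT rule"
        status=1
    fi
    return $status
}
```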

If you are including the Squint log analyzer as part of the implementation be sure to read KB-L091028-Crontab to ensure everything runs smoothly.

If this hasn't helped, consider engaging eSubnet to make sure it all works.
