<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m trying to set up a transparent proxy for http and https using Cisco Routers and Squid. I have followed the configuration examples that are listed under the wccp2 overview section (<a href="http://wiki.squid-cache.org/Features/Wccp2">http://wiki.squid-cache.org/Features/Wccp2</a>)
of the squid wiki but I’m still having some issues.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a little lab set up with a Cisco 7200 Router and a VM with CentOS running the proxy.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The “WAN” IP of the Router is 192.168.0.23. The IP of the Squid Proxy is 192.168.0.24 and both have the default gateway of 192.168.0.1 which is the “ISP”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Client is sitting on a LAN behind the Router in the 10.10.10.0/24 subnet and is also sitting behind nat.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe that the router and proxy are communicating properly based on the information in the show ip wccp command on the router as it shows clients and routers as well as showing that packets are being forwarded:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">R3#show ip wccp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">Global WCCP information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Router information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Router Identifier: 192.168.0.23<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Configured source-interface: GigabitEthernet5/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service Identifier: web-cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Protocol Version: 2.00<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Number of Service Group Clients: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Number of Service Group Routers: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Redirected: 1079<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> CEF: 1079<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service mode: Open<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service Access-list: -none-<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Dropped Closed: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Redirect access-list: 100<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Denied Redirect: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Unassigned: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Group access-list: 10<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Messages Denied to Group: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Authentication failures: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total GRE Bypassed Packets Received: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> CEF: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> GRE tunnel interface: Tunnel1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service Identifier: 70<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Protocol Version: 2.00<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Number of Service Group Clients: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Number of Service Group Routers: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Redirected: 500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> CEF: 500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service mode: Open<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service Access-list: -none-<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Dropped Closed: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Redirect access-list: 100<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Denied Redirect: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Packets Unassigned: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Group access-list: 10<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Messages Denied to Group: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total Authentication failures: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total GRE Bypassed Packets Received: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> CEF: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> GRE tunnel interface: Tunnel0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">Here is the relevant squid wccp configuration:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">----Output removed----<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"># Squid normally listens to port 3128<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">http_port 3128<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">http_port 0.0.0.0:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"># WCCPv2 Parameters<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_router 192.168.0.23<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_forwarding_method 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_return_method 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_assignment_method hash<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service standard 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service dynamic 70<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=231 ports=443<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">----Output removed----<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think that the issue lies with the iptables configuration, as I do not see any packets being processed in the nat table. I have tried a few different methods such as:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A POSTROUTING -j MASQUERADE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">or<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.24:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.24:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t nat -A POSTROUTING -j MASQUERADE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">I have also tried adding ACCEPT commands to the PREROUTING zone just in case the proxy is dropping the packets right away but that also doesn’t work.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The proxy functions perfectly when the client is configured to use a proxy so there doesn’t appear to be any issues with routing or anything like that, it’s just the transparent proxying that isn’t working.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If anyone has any suggestions of what I could try that would be greatly appreciated. Let me know if anything is unclear or if you need further clarification.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal">Cooper Waldon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#333399;mso-fareast-language:EN-CA">Cooper Waldon</span></b><b><span style="color:lime;mso-fareast-language:EN-CA"> </span></b><b><span style="color:#77B800;mso-fareast-language:EN-CA">l </span></b><b><span style="color:#333399;mso-fareast-language:EN-CA">Network
Engineer</span></b><b><span style="color:navy;mso-fareast-language:EN-CA"> </span></b><b><span style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span style="color:#99CC66;mso-fareast-language:EN-CA">
</span></b><b><span style="color:#333399;mso-fareast-language:EN-CA">OTN</span></b><b><span style="color:#00B050;mso-fareast-language:EN-CA">
</span></b><b><span style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span style="color:lime;mso-fareast-language:EN-CA">
</span></b><b><span style="color:#333399;mso-fareast-language:EN-CA">416-446-4110 x 4473
</span></b><b><span style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span style="color:navy;mso-fareast-language:EN-CA"> </span></b><a href="http://www.otn.ca/"><b><span style="color:#333399;mso-fareast-language:EN-CA">www.otn.ca</span></b></a><b><span style="color:navy;mso-fareast-language:EN-CA">
</span></b><b><span style="color:#77B800;mso-fareast-language:EN-CA">|</span></b><b><span style="color:navy;mso-fareast-language:EN-CA">
</span></b><b><span style="color:#333399;mso-fareast-language:EN-CA">Service Desk 1-855-654-0888 x2</span></b><span style="color:#1F497D;mso-fareast-language:EN-CA"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
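<p class="MsoNormal">Added example, not part of the message above and not Squid project code: a small diagnostic that localises where a WCCP/GRE transparent-proxy redirect stops on the Squid host. The post reasons from the router's "Total Packets Redirected" counters to the nat table; this script continues that reasoning one hop at a time on the proxy box, using two things an administrator already has there: the per-interface counters in /proc/net/dev (did the GRE tunnel interface decapsulate anything?) and the packet counters of <code>iptables -t nat -L PREROUTING -v -n -x</code> (did a REDIRECT rule for port 80/443 ever match?). It also checks a command line for the non-ASCII dashes that mail clients substitute for <code>--</code>, which makes pasted rules fail to load. The interface name <code>wccp0</code>, the ports and the Squid port 3129 are taken from the post; the two output samples are constructed and their column layout is an assumption about common iptables and kernel versions.</p>

```python
"""Diagnose where WCCP/GRE transparent-proxy redirection stops on the Squid host.

Added diagnostic (not from the original post). Inputs are the text of
`iptables -t nat -L PREROUTING -v -n -x` and of /proc/net/dev; both samples
below are constructed to mirror the lab described in the post.
"""
import re

# Constructed sample: nat PREROUTING after adding the two REDIRECT rules.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
       0        0 REDIRECT   tcp  --  wccp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
"""

# Constructed sample: /proc/net/dev where wccp0 has never received a packet.
SAMPLE_NETDEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1843210   15321    0    0    0     0          0         0  922110   12002    0    0    0     0       0          0
 wccp0:       0       0    0    0    0     0          0         0       0       0    0    0    0     0       0          0
"""

# Same sample with 37 packets decapsulated on wccp0 (tunnel works, rules still idle).
SAMPLE_NETDEV_ACTIVE = re.sub(r"wccp0:\s+\d+\s+\d+", "wccp0: 4120 37", SAMPLE_NETDEV)

# Columns of a rule line: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+\S+\s+\S+\s*(?P<extra>.*)$"
)


def parse_nat_rules(text):
    """Return one dict per rule line; header and 'Chain' lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        extra = m.group("extra")
        dpt = re.search(r"dpt:(\d+)", extra)
        redir = re.search(r"redir ports (\d+)", extra)
        rules.append({
            "pkts": int(m.group("pkts")),
            "target": m.group("target"),
            "in": m.group("in"),
            "dport": int(dpt.group(1)) if dpt else None,
            "redir_port": int(redir.group(1)) if redir else None,
        })
    return rules


def parse_netdev_rx_packets(text):
    """Map interface name -> received packet count (2nd numeric column)."""
    counts = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, fields = line.split(":", 1)
        cols = fields.split()
        if len(cols) >= 2 and cols[1].isdigit():
            counts[name.strip()] = int(cols[1])
    return counts


def check_ascii_dashes(cmdline):
    """Return the Unicode dashes in an iptables command line (should be empty).

    Mail clients rewrite '--dport' as '\u2013dport'; iptables then rejects the
    option and the rule is never installed, so the nat counters stay at zero.
    """
    return sorted({c for c in cmdline if c in "\u2012\u2013\u2014"})


def diagnose(nat_text, netdev_text, tunnel="wccp0", ports=(80, 443), squid_port=3129):
    """Return (stage, findings) for the first stage at which redirection stops."""
    rx = parse_netdev_rx_packets(netdev_text)
    if tunnel not in rx:
        return "tunnel", [f"{tunnel} does not exist; create the GRE tunnel first"]
    if rx[tunnel] == 0:
        return "tunnel", [f"no packets decapsulated on {tunnel}: the router redirects, "
                          "but this host is not terminating the GRE tunnel "
                          "(check tunnel local/remote addresses and ip_gre)"]
    findings = []
    for port in ports:
        matching = [r for r in parse_nat_rules(nat_text)
                    if r["target"] == "REDIRECT" and r["in"] in (tunnel, "*")
                    and r["dport"] == port]
        if not matching:
            findings.append(f"no REDIRECT rule for dport {port} on {tunnel}")
        elif any(r["redir_port"] != squid_port for r in matching):
            findings.append(f"REDIRECT for dport {port} does not target port {squid_port}")
        elif all(r["pkts"] == 0 for r in matching):
            findings.append(f"REDIRECT rule for dport {port} exists but never matched")
    if findings:
        return "nat", findings
    return "ok", [f"nat rules match; next verify the intercept listener on port {squid_port}"]


if __name__ == "__main__":
    for label, netdev in (("tunnel idle", SAMPLE_NETDEV), ("tunnel active", SAMPLE_NETDEV_ACTIVE)):
        stage, notes = diagnose(SAMPLE_NAT, netdev)
        print(f"{label}: stops at '{stage}'")
        for n in notes:
            print("  -", n)
```

<p class="MsoNormal">Run it with the real outputs of the two commands substituted for the samples; the stage it reports ("tunnel", "nat" or "ok") tells you which of the configuration steps to revisit, instead of re-trying iptables rule variants while the packets are stopping one hop earlier.</p>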
</div>
</body>
</html>