[c-nsp] Forwarding http traffic to web filtering service

Adrian Chadd adrian at creative.net.au
Wed Jun 20 18:48:03 EDT 2007


On Wed, Jun 20, 2007, Brian wrote:
> Hmmmm...according to that, the squid box must be on the inside of the
> network.  If I want to forward to an outside IP address, WCCP will not work?

I don't really know the WCCPv2 ASA support that well (as I don't have
a PIX/ASA device at home to test stuff with!) but there's no reason
why on a router you have to forward to a host that's considered "inside"
(i.e., the same network range/interface as your clients.)

http://wiki.squid-cache.org/ConfigExamples/ has a few Squid+WCCPv2
examples.  I know of at least one ISP that hangs their proxy off on
a separate VLAN to their clients and redirects traffic to that.
Adrian


> On 6/20/07, Bill Nash <billn at billn.net> wrote:
> >
> >
> > Take a look at this:
> >
> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-80c70feffdac51169ae17379761ad9e32e5025ed
> >
> > - billn
> >
> >
> > On Wed, 20 Jun 2007, Brian wrote:
> >
> > > How does the WCCP redirect work on the ASA?  I want to forward all http
> > > traffic to a specific IP address on the Internet and also forward that
> > > traffic to port 3128.  I don't see a command to point to an IP address
> > > under wccp.
> > >
> > > On 6/20/07, Brian <bms314 at gmail.com> wrote:
> > > >
> > > > Thanks for all the replies.  I will try to enable WCCP on our ASA
> > > > later today.  Does anyone have a working config for this in production?
> > > >
> > > > On 6/20/07, Bill Nash <billn at billn.net> wrote:
> > > > >
> > > > >
> > > > > If your device doesn't support WCCP, you can emulate this with a NAT
> > > > > directive in your ASA. I don't know the specific syntax offhand
> > > > > (I've no PIX's in my network), but the iptables equivalent is:
> > > > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> > > > > 192.168.100.1:3128
> > > > >
> > > > > I don't think your route-map option will work, incidentally, unless
> > > > > you're
> > > > > changing the next-hop to the inside interface of a NAT layer that
> > > > > implements what I describe above.
> > > > >
> > > > > - billn
> > > > >
> > > > > On Wed, 20 Jun 2007, Adrian Chadd wrote:
> > > > >
> > > > > > On Wed, Jun 20, 2007, Brian wrote:
> > > > > > > We're trying to forward all http traffic to a web filtering
> > > > > > > service on the Internet.  They require the http traffic forwarded
> > > > > > > to a name and then forwarded to port 3128.  I was thinking of
> > > > > > > creating a route-map and setting the next-hop to be the IP address.
> > > > > > > How can I also forward this traffic to a specific port from my
> > > > > > > router (or my ASA) so it acts somewhat like a proxy?
> > > > > > > Also, is there a way to point to the name rather than an IP address?
> > > > > >
> > > > > > Look at WCCPv2 support. Almost all cisco routers these days
> > > > > > support it in some form or other. (My 827 here at home, for
> > > > > > example, doesn't. :)
> > > > > > I believe later ASA (7.x?) supports WCCPv2.
> > > > > >
> > > > > > Many web proxies have WCCP/WCCPv2 support. I can help you with
> > > > > > Squid, if that's what it is on port 3128, or you can talk to your
> > > > > > vendor.
> > > > > >
> > > > > > With WCCPv2, the proxy actually asks the router (nicely!) to join
> > > > > > the service group; so you don't have to hard-code in an IP in the
> > > > > > router (unless you specifically lock it down with an ACL) and you
> > > > > > can use MD5 passwords to further limit joining the service group.
> > > > > > You can (assuming the proxy software supports it) run >1 proxy
> > > > > > talking to >1 router. This gives you failover and load
> > > > > > balancing/distribution. (Which is what I guess you want to point
> > > > > > it at a name for rather than an IP address.)
> > > > > >
> > > > > > All in all, it's a much better alternative to route-map next-hop
> > > > > > forwarding. Although there's apparently a method to do a
> > > > > > conditional next-hop depending on a rtr object (ICMP ping, for
> > > > > > example) but the one setup I wanted to use it for (on the 3560
> > > > > > switch) turned out to be documented, but then documented as a
> > > > > > documentation mistake and not implemented.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Adrian
> > > > > >
> > > > > > _______________________________________________
> > > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > > > >
> > > > >
> > > >
> > > >
> >

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
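Added example, not from the thread: the "lock it down with an ACL" and MD5 password points in the quoted message map onto two options of the router's WCCP service definition. This Python audit reads a config dump and flags services that lack them; the config text, hostname and ACL numbers are constructed, the `ip wccp` / `wccp` syntax follows IOS and ASA, and the redirect-list check is an extra hygiene check beyond what the thread mentions.

```python
import re
from typing import Dict, List

# Constructed sample config (not from any real device): an IOS-style router
# with one locked-down service, one bare service, and an ASA-style line.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
access-list 20 permit 192.168.100.0 0.0.0.255
access-list 110 permit tcp 10.0.0.0 0.255.255.255 any eq www
!
ip wccp version 2
ip wccp web-cache redirect-list 110 group-list 20 password 7 0822455D0A16
ip wccp 90
!
interface FastEthernet0/0
 ip wccp web-cache redirect in
!
wccp 70 redirect-list 110 password secret1
"""

# Matches a global WCCP service definition on IOS ("ip wccp ...") or ASA
# ("wccp ..."); interface-level "redirect in" lines are indented and skipped.
SERVICE_RE = re.compile(r"^(?:ip\s+)?wccp\s+(web-cache|\d+)\b(.*)$")


def audit_wccp_services(config: str) -> List[Dict[str, object]]:
    """Return one finding per WCCP service, listing the lock-downs it lacks."""
    findings = []
    for raw in config.splitlines():
        if raw.startswith(" "):  # interface sub-command, not a service definition
            continue
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        service, options = m.group(1), m.group(2)
        issues = []
        if not re.search(r"\bgroup-list\b", options):
            issues.append("no group-list: any host can announce itself into the service group")
        if not re.search(r"\bpassword\b", options):
            issues.append("no password: join requests are not authenticated")
        if not re.search(r"\bredirect-list\b", options):
            issues.append("no redirect-list: every flow the service matches is redirected")
        findings.append({"service": service, "issues": issues})
    return findings


def locked_down(config: str) -> bool:
    """True only when every WCCP service on the box carries all three controls."""
    return all(not f["issues"] for f in audit_wccp_services(config))


if __name__ == "__main__":
    for f in audit_wccp_services(SAMPLE_CONFIG):
        status = "ok" if not f["issues"] else "; ".join(f["issues"])
        print(f"wccp service {f['service']}: {status}")
```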

