[c-nsp] Forwarding http traffic to web filtering service

Rolf Mendelsohn rolf-web at cyberops.biz
Wed Jun 20 20:01:21 EDT 2007


Hi Guys,

I strongly suspect that from a Topology perspective the following would be 
best / simplest.


OUTSIDE(S)
	|
   Cisco------WCCP_Box
	|
INSIDE(S)

I would say put it on a separate Ethernet or VLAN. Then you can ACL it for 
security, inside/outside packets work that way, it's easier to troubleshoot, etc. 
etc.

Lastly, bear in mind that if you offer 'Dedicated' or CIR bandwidth & shared 
bandwidth, then the CIR or Gold should be denied (via ACL) from being cached. 
Otherwise it falls into the same 'pool' as the rest.

Also watch out: there are always 1-10 funny/very strange applications which 
*can* break in strange ways, so let your customers know that you are using a 
transparent proxy, and if you come across an HTTP-related problem which is 
unexplainable, try and deny those addresses from being proxied.

Also try and deny prefixes which are local, i.e. only use the proxy on 
your 'expensive' international traffic interface(s).

HTH
/rolf
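Added example (not part of Rolf's post or of anything else in this thread) of what the router side of the topology above looks like in IOS WCCPv2 syntax. It assumes the standard web-cache service (service 0, TCP/80), a GRE-forwarding cache engine such as Squid on its own VLAN, and uses RFC 5737 documentation addresses; every address, interface name, ACL name and password below is a placeholder. The redirect-list carries the points made above: Gold/CIR customer prefixes and local/peering prefixes are denied so they are routed normally, destinations that turn out to break behind the proxy get their own deny, and everything else on TCP/80 is redirected. The group-list and MD5 password are the lock-down Adrian mentions further down the thread: only the listed cache may join the service group, and only if it knows the password.

```cisco
! Added example: IOS router config for the OUTSIDE / Cisco / WCCP_Box / INSIDE
! topology. Addresses (RFC 5737 ranges), names and the password are placeholders.
ip wccp version 2
!
! Standard service 0 (web-cache) = TCP/80.
!   redirect-list : WHICH traffic is redirected to the cache
!   group-list    : WHO may join the service group (cache engines)
!   password      : MD5-authenticates the WCCP "Here I Am" / "I See You" messages
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES password wccp-example-secret
!
! Only the cache engine on the dedicated VLAN may join the service group.
ip access-list standard WCCP-CACHES
 permit 203.0.113.10
!
! A 'deny' here means "do not redirect", i.e. route normally; it does not drop.
ip access-list extended WCCP-REDIRECT
 remark Gold / CIR customers: they pay for their own bandwidth, keep them out of the pool
 deny   tcp 192.0.2.0 0.0.0.255 any eq www
 remark Local and peering prefixes: cheap bandwidth, nothing to gain from caching
 deny   tcp any 198.51.100.0 0.0.0.255 eq www
 remark Destinations found to break behind the transparent proxy go here
 deny   tcp any host 198.51.100.200 eq www
 remark Everything else on TCP/80 goes to the cache
 permit tcp any any eq www
!
! INSIDE: customer-facing VLAN, redirect on ingress.
interface Vlan10
 description INSIDE (customers)
 ip address 10.10.0.1 255.255.255.0
 ip wccp web-cache redirect in
!
! WCCP_Box: its own VLAN. 'redirect exclude in' stops the cache's own outbound
! fetches from being redirected straight back to it.
interface Vlan20
 description WCCP_Box (cache engine only)
 ip address 203.0.113.1 255.255.255.0
 ip wccp redirect exclude in
 ip access-group WCCP-BOX-IN in
!
! Lock the cache VLAN down to what WCCP actually needs.
ip access-list extended WCCP-BOX-IN
 remark WCCP control channel (UDP/2048) and GRE-encapsulated redirect/return traffic
 permit udp host 203.0.113.10 host 203.0.113.1 eq 2048
 permit gre host 203.0.113.10 host 203.0.113.1
 remark The cache's own fetches, plus DNS for them
 permit tcp host 203.0.113.10 any eq www
 permit udp host 203.0.113.10 any eq domain
 remark Intercepted replies leave the cache with the ORIGINAL web server as source
 remark address and port 80, so allow them explicitly and do not enable uRPF here
 permit tcp any eq www 10.10.0.0 0.0.0.255
 deny   ip any any
```

`show ip wccp` and `show ip wccp web-cache detail` confirm that the cache has joined the service group and that the redirect counters are moving; a cache that never appears usually means the group-list or password on one side does not match. If you would rather follow the "only the expensive interface" rule literally, `ip wccp web-cache redirect out` on the upstream interface does that on IOS, at the cost of more CPU on most platforms. On the ASA the equivalent commands are `wccp web-cache redirect-list ... group-list ... password ...` and `wccp interface inside web-cache redirect in`, but note that the ASA only supports ingress redirection and Cisco's documentation places the cache engine on the same interface as the clients, so the separate-VLAN layout above does not carry over to it unchanged.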

On Wednesday 20 June 2007 21:37:13 Bill Nash wrote:
> Take a look at this:
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-80c70feffdac51169ae17379761ad9e32e5025ed
>
> - billn
>
> On Wed, 20 Jun 2007, Brian wrote:
> > How does the WCCP redirect work on the ASA?  I want to forward all http
> > traffic to a specific IP address on the Internet and also forward that
> > traffic to port 3128.  I don't see a command to point to an IP address
> > under wccp.
> >
> > On 6/20/07, Brian <bms314 at gmail.com> wrote:
> > > Thanks for all the replies.  I will try to enable WCCP on our ASA later
> > > today.  Does anyone have a working config for this in production?
> > >
> > > On 6/20/07, Bill Nash <billn at billn.net> wrote:
> > > > If your device doesn't support WCCP, you can emulate this with a NAT
> > > > directive in your ASA. I don't know the specific syntax offhand (I've
> > > > no PIXes in my network), but the iptables equivalent is:
> > > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> > > > 192.168.100.1:3128
> > > >
> > > > I don't think your route-map option will work, incidentally, unless
> > > > you're changing the next-hop to the inside interface of a NAT layer
> > > > that implements what I describe above.
> > > >
> > > > - billn
> > > >
> > > > On Wed, 20 Jun 2007, Adrian Chadd wrote:
> > > > > On Wed, Jun 20, 2007, Brian wrote:
> > > > > > We're trying to forward all http traffic to a web filtering
> > > > > > service on the Internet.  They require the http traffic
> > > > > > forwarded to a name and then forwarded to port 3128.  I was
> > > > > > thinking of creating a route-map and setting the next-hop to be
> > > > > > the IP address.  How can I also forward this traffic to a
> > > > > > specific port from my router (or my ASA) so it acts somewhat
> > > > > > like a proxy?
> > > > > > Also, is there a way to point to the name rather than an IP
> > > > > > address?
> > > > >
> > > > > Look at WCCPv2 support. Almost all cisco routers these days support
> > > > > it in some form or other. (My 827 here at home, for example,
> > > > > doesn't. :) I believe later ASA (7.x?) supports WCCPv2.
> > > > >
> > > > > Many web proxies have WCCP/WCCPv2 support. I can help you with
> > > > > Squid, if that's what it is on port 3128, or you can talk to your
> > > > > vendor.
> > > > >
> > > > > With WCCPv2, the proxy actually asks the router (nicely!) to join
> > > > > the service group; so you don't have to hard-code in an IP in the
> > > > > router (unless you specifically lock it down with an ACL) and you
> > > > > can use MD5 passwords to further limit joining the service group.
> > > > > You can (assuming the proxy software supports it) run >1 proxy
> > > > > talking to >1 router. This gives you failover and load
> > > > > balancing/distribution. (Which is what I guess you want to point it
> > > > > at a name for rather than an IP address.)
> > > > >
> > > > > All in all, it's a much better alternative to route-map next-hop
> > > > > forwarding. Although there's apparently a method to do a
> > > > > conditional next-hop depending on a rtr object (ICMP ping, for
> > > > > example), the one setup I wanted to use it for (on the 3560
> > > > > switch) turned out to be documented, but then documented as a
> > > > > documentation mistake and not implemented.
> > > > >
> > > > >
> > > > >
> > > > > Adrian
> > > > >
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/