[c-nsp] Forwarding http traffic to web filtering service

Aman Chugh aman.chugh at gmail.com
Thu Jun 21 00:36:31 EDT 2007


Yes, it would be slow if the proxy is in the US and the clients in India; I can use
a local box. What would be my options for a local box apart from Squid? Also,
will this topology work if I have PBR and two ISPs on my router? I have
different VLANs routed through different ISPs using PBR. Will I be able to
use my local proxy with WCCP for traffic coming from all VLANs and then
route it through the respective ISP using PBR?

ISP 1     ISP 2
  |              |
Cisco IOS FIREWALL ----- WCCP
           |
       Switch (VLANS )

Thanks for the help.

Aman

On 6/21/07, Rolf Mendelsohn <rolf-web at cyberops.biz> wrote:
>
> Hi Guys,
>
> I strongly suspect that from a Topology perspective the following would be
> best / simplest.
>
>
> OUTSIDE(S)
>        |
>   Cisco------WCCP_Box
>        |
> INSIDE(S)
>
> I would say put it on a separate ethernet, or VLAN. Then you can ACL it for
> security, inside/outside packets work that way, easier to troubleshoot etc.
> etc.
>
> Lastly bear in mind that if you offer 'Dedicated' or CIR bandwidth & shared
> bandwidth, then the CIR or Gold should be denied (via ACL) from being cached.
> Otherwise it falls into the same 'pool' as the rest.
>
> Also watch out, there are always 1-10 funny/very strange applications, which
> *can* break in strange ways. So let your customers know that you are using a
> transparent proxy & if you come across an HTTP related problem which is
> unexplainable, try and deny those addresses from being proxied.
>
> Also try and deny prefixes which are local, i.e. only use the proxy on
> your 'expensive' international traffic interface(s).
>
> HTH
> /rolf
>
> On Wednesday 20 June 2007 21:37:13 Bill Nash wrote:
> > Take a look at this:
> >
> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-80c70feffdac51169ae17379761ad9e32e5025ed
> >
> > - billn
> >
> > On Wed, 20 Jun 2007, Brian wrote:
> > > How does the WCCP redirect work on the ASA?  I want to forward all http
> > > traffic to a specific IP address on the Internet and also forward that
> > > traffic to port 3128.  I don't see a command to point to an IP address
> > > under wccp.
> > >
> > > On 6/20/07, Brian <bms314 at gmail.com> wrote:
> > > > Thanks for all the replies.  I will try to enable WCCP on our ASA later
> > > > today.  Does anyone have a working config for this in production?
> > > >
> > > > On 6/20/07, Bill Nash <billn at billn.net> wrote:
> > > > > If your device doesn't support WCCP, you can emulate this with a NAT
> > > > > directive in your ASA. I don't know the specific syntax offhand (I've
> > > > > no PIX's in my network), but the iptables equivalent is:
> > > > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> > > > > 192.168.100.1:3128
> > > > >
> > > > > I don't think your route-map option will work, incidentally, unless
> > > > > you're changing the next-hop to the inside interface of a NAT layer
> > > > > that implements what I describe above.
> > > > >
> > > > > - billn
> > > > >
> > > > > On Wed, 20 Jun 2007, Adrian Chadd wrote:
> > > > > > On Wed, Jun 20, 2007, Brian wrote:
> > > > > > > We're trying to forward all http traffic to a web filtering
> > > > > > > service on the Internet.  They require the http traffic forwarded
> > > > > > > to a name and then forwarded to port 3128.  I was thinking of
> > > > > > > creating a route-map and setting the next-hop to be the IP
> > > > > > > address.  How can I also forward this traffic to a specific port
> > > > > > > from my router (or my ASA) so it acts somewhat like a proxy?
> > > > > > > Also, is there a way to point to the name rather than an IP
> > > > > > > address?
> > > > > >
> > > > > > Look at WCCPv2 support. Almost all cisco routers these days support
> > > > > > it in some form or other. (My 827 here at home, for example,
> > > > > > doesn't. :) I believe later ASA (7.x?) supports WCCPv2.
> > > > > >
> > > > > > Many web proxies have WCCP/WCCPv2 support. I can help you with
> > > > > > Squid, if that's what it is on port 3128, or you can talk to your
> > > > > > vendor.
> > > > > >
> > > > > > With WCCPv2, the proxy actually asks the router (nicely!) to join
> > > > > > the service group; so you don't have to hard-code in an IP in the
> > > > > > router (unless you specifically lock it down with an ACL) and you
> > > > > > can use MD5 passwords to further limit joining the service group.
> > > > > > You can (assuming the proxy software supports it) run >1 proxy
> > > > > > talking to >1 router. This gives you failover and load
> > > > > > balancing/distribution. (Which is what I guess you want to point it
> > > > > > at a name for rather than an IP address.)
> > > > > >
> > > > > > All in all, it's a much better alternative to route-map next-hop
> > > > > > forwarding. Although there's apparently a method to do a
> > > > > > conditional next-hop depending on a rtr object (ICMP ping, for
> > > > > > example) but the one setup I wanted to use it for (on the 3560
> > > > > > switch) turned out to be documented, but then documented as a
> > > > > > documentation mistake and not implemented.
> > > > > >
> > > > > > Adrian
> > > > > >
> > > > > > _______________________________________________
> > > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
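Rolf's advice (deny CIR customers and local prefixes from being proxied via ACL) and Adrian's WCCPv2 lock-down (restrict which proxies may join the service group with an ACL plus an MD5 password) combined into one IOS configuration generator. This is an added example, not code from the thread; the IOS command syntax is as the author knows it, and the prefixes, client and proxy addresses, ACL names, interfaces and password are constructed.

```python
"""Build an IOS WCCP web-cache config that limits what is redirected and who may join."""
import ipaddress


def wildcard(network: str) -> str:
    """Return 'address wildcard' as IOS extended ACLs expect, e.g. 10.0.0.0 0.255.255.255."""
    net = ipaddress.ip_network(network, strict=False)
    return f"{net.network_address} {net.hostmask}"


def wccp_config(local_prefixes, bypass_hosts, proxies, password, inside_interfaces,
                redirect_acl="WCCP-REDIRECT", group_acl="WCCP-PROXIES"):
    """Return IOS config lines.

    redirect_acl: only client traffic to TCP/80 is handed to the proxy. Bypass hosts
    (CIR/Gold customers, applications that break behind a transparent proxy) and
    local destination prefixes (cheap traffic) are denied first, so they are never
    intercepted and keep going straight out via normal routing/PBR.
    group_acl + password: only the listed proxies can join the service group, so a
    rogue box on the segment cannot announce itself and receive everyone's HTTP.
    """
    lines = [f"ip access-list extended {redirect_acl}"]
    for host in bypass_hosts:
        lines.append(f" deny ip host {host} any")          # never proxy this client
    for prefix in local_prefixes:
        lines.append(f" deny ip any {wildcard(prefix)}")  # local destination: no proxy
    lines.append(" permit tcp any any eq www")            # everything else on port 80
    lines.append(" deny ip any any")
    lines.append(f"ip access-list standard {group_acl}")
    for proxy in proxies:
        lines.append(f" permit host {proxy}")             # allowed WCCP members only
    lines.append(f"ip wccp web-cache redirect-list {redirect_acl} "
                 f"group-list {group_acl} password {password}")
    for intf in inside_interfaces:                        # client-facing VLANs only
        lines.append(f"interface {intf}")
        lines.append(" ip wccp web-cache redirect in")
    return lines


if __name__ == "__main__":
    # Constructed sample: two local prefixes, one CIR customer, one Squid box, two VLANs.
    print("\n".join(wccp_config(["10.0.0.0/8", "172.16.5.0/24"], ["192.168.1.10"],
                                ["192.168.100.1"], "s3cret", ["Vlan10", "Vlan20"])))
```

The proxy's own VLAN is deliberately not in `inside_interfaces`, so traffic the proxy sends outbound is not redirected back to it.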