In order to use WCCP with Squid it must be built to support WCCP. Unfortunatly the default apt-get install squid(3) doesn’t support WCCP out of the box so it has to be BUILT FROM SOURCE
Assuming you’ve built Squid with WCCP support (using my guide or not) the following is how to get WCCP working between a Cisco ASA and Squid on Ubuntu.
There is a huge gotcha with the Cisco ASA, it only supports GRE and the Clients and Squid have to be in the same subnet…You can get around this by using multiple dynamic instances but for most of my audience I think this isn’t a problem. If I get requests for instructions on that perhaps I’ll look into it?
Here are the variables I’m working with:
LAN: 192.168.10.0/24
ASA LAN IP Address: 192.168.10.1
SQUID eth0 IP Address: 192.168.10.80
#1. Configure the ASA:
CLI:
access-list WCCP_SERVERS extended permit ip host 192.168.10.80 any access-list LAN_WCCP_REDIRECT extended permit tcp 192.168.10.0 255.255.255.0 any eq www wccp web-cache redirect-list LAN_WCCP_Redirect group-list wccp_servers password ***** wccp interface LAN web-cache redirect in
Most guides will tell you that you need to deny the Squid LAN IP but that’s not true, the ASA will do it automagically.
#2. Configure Squid:
Add the following to /etc/squid/squid.conf:
http_port 3129 intercept wccp2_router 192.168.10.1 wccp2_forwarding_method gre wccp2_return_method gre wccp2_service standard 0 password=*****
Reconfigure squid to use the new config:
squid -k reconfigure
Now here’s an important part that almost all guide fail to mention. The ASA will pick a Router Identifier of it’s highest addressed interface once squid tries to connect to it for WCCP. You need go get that Router Identifier from the ASA:
show wccp
For our purposes let’s say that Router Identifier is 192.168.254.1
We need to create a script that will run when eth0 comes up and create the GRE interface and permits the WCCP traffic…so let’s create the following file:
vi /etc/network/if-up.d/wccp.sh
#!/bin/bash
if [ "$IFACE" == "eth0" ]; then
modprobe ip_gre
ip tunnel add wccp0 mode gre remote 192.168.254.1 local 192.168.10.80 dev eth0
ifconfig wccp0 192.168.10.80 netmask 255.255.255.255 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
fi
Notice that I use the Router ID and not the LAN IP for the remote tunnel IP.
Finally, we need to tell the system to run that script with eth0 comes up. So edit the interfaces file (/etc/network/interfaces) and include the following line under iface eth0 inet:
post-up /etc/network/if-up.d/wccp.sh
You should now be able to restart networking (or just reboot the system) and it should be working.
Hello,
Maybe I am missing something and don’t quite understand but why ALL internet squid articles are ONLY mentioning port 80. What if I want to my traffic, including httpS go through squid? Currently, facebook, gmail and youtube all use https and what good does squid in this context bring to network???