Topic: CiscoASA + WCCP + Squid
Good day.
The configuration is as follows:
Cisco ASA - local interface 172.17.0.253
- Squid-facing interface 172.29.0.254
Squid - 172.29.0.100
The network that needs to be redirected to Squid: 172.17/16
Cisco ASA
Group for the redirect
object network admin_pc
host 172.17.4.34
Enabling WCCP
access-list redirect_to_squid extended permit tcp object admin_pc any eq www
access-list redirect_to_squid extended deny tcp any any
wccp interface inside web-cache redirect in
Checking the settings
sh wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID: 172.29.0.100
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 15533
Connect Time: 00:02:11
FreeBSD
squid
Squid is built with WCCP2 support
http_port 127.0.0.1:3128 transparent
wccp2_router 172.29.0.254
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
pf
=====================================================================================
rdr on gre0 inet proto tcp from 172.17.0.0/16 to any port http -> 127.0.0.1 port 3128
rdr on vr0 inet proto tcp from 172.17.0.0/16 to any port 3128 -> 127.0.0.1 port 3128
=====================================================================================
GRE tunnel
ifconfig gre0 plumb
ifconfig gre0 link2
ifconfig gre0 tunnel 172.29.0.100 ext_addr
ifconfig gre0 inet 1.1.1.1 1.1.1.2
Listening on the GRE interface with tcpdump
11:45:44.442794 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:44.444354 IP 172.17.4.34.4280 > 213.180.193.215.80: Flags [S], seq 3587820200, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:44.444490 IP 172.17.4.34.4281 > 213.180.193.215.80: Flags [S], seq 1280259888, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:44.692660 IP 172.17.4.34.4282 > 213.180.193.3.80: Flags [S], seq 3745007956, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:47.410771 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:47.413574 IP 172.17.4.34.4280 > 213.180.193.215.80: Flags [S], seq 3587820200, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:47.413614 IP 172.17.4.34.4281 > 213.180.193.215.80: Flags [S], seq 1280259888, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:47.611931 IP 172.17.4.34.4282 > 213.180.193.3.80: Flags [S], seq 3745007956, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:53.345569 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:53.346091 IP 172.17.4.34.4280 > 213.180.193.215.80: Flags [S], seq 3587820200, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:53.346134 IP 172.17.4.34.4281 > 213.180.193.215.80: Flags [S], seq 1280259888, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:45:53.546284 IP 172.17.4.34.4282 > 213.180.193.3.80: Flags [S], seq 3745007956, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:05.415388 IP 172.17.4.34.4283 > 213.180.204.215.80: Flags [S], seq 2579804931, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:05.415585 IP 172.17.4.34.4284 > 213.180.204.3.80: Flags [S], seq 101113153, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:05.416136 IP 172.17.4.34.4285 > 213.180.204.215.80: Flags [S], seq 1071789508, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:05.616410 IP 172.17.4.34.4286 > 213.180.204.3.80: Flags [S], seq 1435322275, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:08.432527 IP 172.17.4.34.4284 > 213.180.204.3.80: Flags [S], seq 101113153, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:08.436974 IP 172.17.4.34.4283 > 213.180.204.215.80: Flags [S], seq 2579804931, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
11:46:08.437019 IP 172.17.4.34.4285 > 213.180.204.215.80: Flags [S], seq 1071789508, win 65535, options [mss 1460,
There is nothing in the Squid logs.
The packet is simply routed, since replies show up on the local interface:
11:47:59.353257 IP 87.250.251.3.80 > 172.17.4.34.4299: Flags [S.], seq 3257317731, ack 1212102726, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1819473009 ecr 0], length 0
11:47:59.375150 IP 93.158.134.3.80 > 172.17.4.34.4304: Flags [S.], seq 734911970, ack 4192436358, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4133685685 ecr 0], length 0
11:47:59.561256 IP 87.250.251.3.80 > 172.17.4.34.4300: Flags [S.], seq 2587886689, ack 1188656659, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2954638814 ecr 0], length 0
11:47:59.576317 IP 93.158.134.3.80 > 172.17.4.34.4305: Flags [S.], seq 4083732450, ack 360806855, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 499931992 ecr 0], length 0
11:48:00.564256 IP 87.240.134.229.80 > 172.17.4.34.4306: Flags [S.], seq 2522108384, ack 3038044926, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2930346893 ecr 0], length 0
11:48:00.921277 IP 172.29.0.100.2048 > 172.29.0.254.2048: UDP, length 144
11:48:00.921585 IP 172.29.0.254.2048 > 172.29.0.100.2048: UDP, length 140
11:48:01.588774 IP 87.240.134.133.80 > 172.17.4.34.4307: Flags [S.], seq 951418336, ack 2648157057, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 472270908 ecr 0], length 0
11:48:02.374256 IP 93.158.134.3.80 > 172.17.4.34.4304: Flags [S.], seq 734911970, ack 4192436358, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4133685685 ecr 0], length 0
11:48:02.576255 IP 93.158.134.3.80 > 172.17.4.34.4305: Flags [S.], seq 4083732450, ack 360806855, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 499931992 ecr 0], length 0
11:48:03.588259 IP 87.240.134.133.80 > 172.17.4.34.4301: Flags [S.], seq 3909362401, ack 2600333103, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3903425791 ecr 0], length 0
11:48:03.607433 IP 87.240.134.229.80 > 172.17.4.34.4306: Flags [S.], seq 2522108384, ack 3038044926, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2930346893 ecr 0], length 0
11:48:04.197157
11:48:04.588257 IP 87.240.134.133.80 > 172.17.4.34.4307: Flags [S.], seq 951418336, ack 2648157057, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 472270908 ecr 0], length 0
11:48:04.605455 IP 87.240.134.133.80 > 172.17.4.34.4307: Flags [S.], seq 951418336, ack 2648157057, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 472270908 ecr 0], length 0
If I set the Squid host as the proxy in the browser, the redirect works and the internet appears...
My question is: why does the redirect on the GRE interface not work?
Everything works except the redirect (((
I also tried using IPFW. Same picture.
I installed Linux. Same thing with IPTABLES (((
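As an added example (not part of the post above), a small parser for the two tcpdump captures quoted in the post: it flags client flows whose SYN was retransmitted with the same sequence number without a SYN-ACK appearing in the same capture, and separately reports the WCCP UDP/2048 keepalives between Squid and the ASA, so that the control channel and the data path can be checked independently. It assumes tcpdump's default line format as printed in the post; the sample lines below are constructed from that format, not a live trace.

```python
import re
from collections import defaultdict

# Line shapes as printed by tcpdump in the post: "hh:mm:ss.us IP a.b.c.d.port > a.b.c.d.port: ..."
TCP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)
UDP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)
WCCP_PORT = 2048  # WCCPv2 control channel (HERE_I_AM / I_SEE_YOU), as seen in the post

def analyse(lines):
    """Per client flow: SYN seqs seen, SYN retransmissions (same seq again), SYN-ACKs seen.
    Also collects WCCP keepalive datagrams (UDP 2048 -> 2048)."""
    flows = defaultdict(lambda: {"syn_seqs": set(), "syn_retrans": 0, "synack": 0})
    wccp = []
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            if m["flags"] == "S":
                f = flows[key]
                if m["seq"] in f["syn_seqs"]:
                    f["syn_retrans"] += 1  # same seq again: the earlier SYN was never answered
                f["syn_seqs"].add(m["seq"])
            elif m["flags"] == "S.":
                # SYN-ACK travels server -> client, so flip the tuple onto the client's flow
                flows[(m["dst"], int(m["dport"]), m["src"], int(m["sport"]))]["synack"] += 1
            continue
        m = UDP_RE.match(line)
        if m and int(m["sport"]) == WCCP_PORT and int(m["dport"]) == WCCP_PORT:
            wccp.append((m["src"], m["dst"], int(m["len"])))
    return {k: dict(v) for k, v in flows.items()}, wccp

def stalled_flows(flows):
    """Client flows that retransmitted their SYN and saw no SYN-ACK in this capture."""
    return sorted(k for k, v in flows.items() if v["syn_retrans"] > 0 and v["synack"] == 0)

# Constructed sample modelled on the post's gre0 and inside-interface captures (not a real trace).
SAMPLE = """\
11:45:44.442794 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, length 0
11:45:44.444354 IP 172.17.4.34.4280 > 213.180.193.215.80: Flags [S], seq 3587820200, win 65535, length 0
11:45:47.410771 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, length 0
11:45:53.345569 IP 172.17.4.34.4279 > 213.180.193.3.80: Flags [S], seq 3229667123, win 65535, length 0
11:47:59.353257 IP 87.250.251.3.80 > 172.17.4.34.4299: Flags [S.], seq 3257317731, ack 1212102726, length 0
11:48:00.921277 IP 172.29.0.100.2048 > 172.29.0.254.2048: UDP, length 144
11:48:00.921585 IP 172.29.0.254.2048 > 172.29.0.100.2048: UDP, length 140
""".splitlines()
```

Run `analyse(SAMPLE)` and pass the flows to `stalled_flows()`; a flow listed there with keepalives still present means WCCP negotiation is up while the redirected TCP traffic is not being answered.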