
Transparent proxying or how to make friends with Cisco and Squid

Because of the nature of their work, the happy owners of a Cisco ASA in its basic package (without expensive add-on modules such as the CSC-SSM), and in fact of this vendor's other SOHO/SMB routers as well, can often be heard complaining about rather weak URL filtering, proxying and other goodies that even the simplest server can provide.

However, there is a way out of this situation, and it is quite simple. In this article I will show an example of a Cisco ASA5510 + Squid bundle that handles these tasks perfectly well.

We assume that we already have a fully configured ASA acting as the router to the outside world, and a plain Linux server (in my case CentOS 5.6) with a freshly installed Squid. Squid must run in transparent (intercepting) proxy mode.
All of this is tied together by the WCCP protocol. Without going into depth, in a nutshell: it is a content redirection and web caching protocol developed by Cisco. WCCP is available in IOS from version 12.1 onward, and this simple protocol exists in two versions, WCCPv1 and WCCPv2. We will redirect all traffic going to the outside world on port 80, using the second, more advanced, version of the protocol.

So, let's begin.
The ASA will have the address 192.168.1.254, the Linux server 192.168.1.253.
First, create the objects that our ACLs will later refer to.
There will be two of them.
Why two, you ask?
Because we do not want the admin's machine to go through the proxy.

 object network admin_pc host 192.168.1.10 

 object network local_net subnet 192.168.1.0 255.255.255.0 


Relevant ACLs:

 access-list redirect_to_squid extended deny tcp object admin_pc any eq www 

 access-list redirect_to_squid extended permit tcp object local_net any eq www 


And we activate WCCP itself:

 wccp web-cache redirect-list redirect_to_squid password cisco 

 wccp interface inside web-cache redirect in 


Explanations:
1. The password enables MD5 authentication of WCCP messages between the ASA and Squid, so that only a cache that knows it can join the service group.
2. Be sure to specify the interface (inside) whose inbound traffic will be intercepted and redirected.

This completes the ASA configuration.
Now to Squid. It is not much harder.
Switch Squid to transparent mode (on Squid 3.1 and later the keyword is intercept instead of transparent):

 http_port 3128 transparent 


Then specify the address of our ASA:

 wccp2_router 192.168.1.254 


And the remaining required settings:

 wccp2_forwarding_method 1 

 wccp2_return_method 1 

 wccp2_service standard 0 password=cisco 


Explanations:
1. wccp2_forwarding_method 1 means packets are forwarded from the router to Squid over a GRE tunnel. Cisco routers (and the ASA) use this method; L2 switches use wccp2_forwarding_method 2, L2 redirect.
2. wccp2_return_method 1 is almost the same, but for the reverse direction: it is the method for returning packets to the router if Squid decides not to process them.
3. We use the standard, non-dynamic web-cache service (standard 0) with the password set earlier on the ASA.

That's it for the Squid configuration. We proceed to the second stage: finishing the setup on the Linux side.

As mentioned earlier, we need to bring up the GRE tunnel between the two hosts; the web-cache traffic will run through it:

 modprobe ip_gre 

 iptunnel add wccp0 mode gre remote 192.168.1.254 local 192.168.1.253 dev eth0 

 ifconfig wccp0 192.168.1.253 netmask 255.255.255.255 up 


And, using iptables, redirect all TCP traffic arriving through the GRE tunnel to Squid's port. The line is in iptables-save format and belongs in the nat table:

 -A PREROUTING -p tcp -m tcp -i wccp0 -j REDIRECT --to-ports 3128 


That's basically it. What remains is to save the configs, create if-up and if-down scripts for our wccp0 interface, and restart Squid.
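As an added example that is not part of the original article, here is the if-up/if-down helper the last step calls for, written in POSIX sh from the commands above. The script name, the WCCP_DRY_RUN switch and the rp_filter line are my additions; the REDIRECT rule is placed explicitly in the nat table and narrowed to --dport 80, which is all the ASA sends down the tunnel.

```shell
#!/bin/sh
# Added example, not from the original article: if-up / if-down helper for
# the wccp0 GRE tunnel. Addresses match the article; the WCCP_DRY_RUN switch
# and the rp_filter sysctl are this example's own additions.
ASA=192.168.1.254
SQUID=192.168.1.253
SQUID_PORT=3128
TUN=wccp0
DEV=eth0

# Execute a command, or only print it when WCCP_DRY_RUN=1, so the exact
# tunnel and iptables commands can be reviewed before touching the box.
run() {
    if [ "${WCCP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

wccp_up() {
    run modprobe ip_gre
    run iptunnel add "$TUN" mode gre remote "$ASA" local "$SQUID" dev "$DEV"
    run ifconfig "$TUN" "$SQUID" netmask 255.255.255.255 up
    # Decapsulated packets arrive on wccp0 with LAN source addresses;
    # reverse-path filtering would drop them, so relax it on the tunnel.
    run sysctl -w "net.ipv4.conf.$TUN.rp_filter=0"
    # The ASA only redirects port-80 TCP, so limit the rule to that
    # instead of REDIRECTing every TCP packet that shows up on the tunnel.
    run iptables -t nat -A PREROUTING -i "$TUN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

wccp_down() {
    run iptables -t nat -D PREROUTING -i "$TUN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    run ifconfig "$TUN" down
    run iptunnel del "$TUN"
}

case "${1:-}" in
    up)   wccp_up ;;
    down) wccp_down ;;
esac
```

Run it as `WCCP_DRY_RUN=1 ./wccp-tunnel.sh up` first to see what it would do, then hook `up`/`down` into your distribution's ifup-local/ifdown-local scripts.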
Let's check that it works:

 asa#sh ip wccp
 Global WCCP information:
     Router information:
         Router Identifier:                   192.168.1.254
         Protocol Version:                    2.0

     Service Identifier: web-cache
         Number of Service Group Clients:     1
         Number of Service Group Routers:     1
         Total Packets s/w Redirected:        464271
         Service mode:                        Open
         Service access-list:                 -none-
         Total Packets Dropped Closed:        0
         Redirect access-list:                redirect_to_squid
         Total Packets Denied Redirect:       15217
         Total Packets Unassigned:            1006
         Group access-list:                   -none-
         Total Messages Denied to Group:      0
         Total Authentication failures:       0
         Total Bypassed Packets Received:     0

 asa#sh ip wccp web-cache detail
 WCCP Client information:
         WCCP Client ID:          192.168.1.253
         Protocol Version:        2.0
         State:                   Usable
         Initial Hash Info:       00000000000000000000000000000000
                                  00000000000000000000000000000000
         Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
         Hash Allotment:          256 (100.00%)
         Packets s/w Redirected:  44549
         Connect Time:            1h07m
         Bypassed Packets
           Process:    0
           Fast:       0
           CEF:        0
           Errors:     0


Everything is in order, everything works.
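As an added example that is not part of the original article, here is a small POSIX sh check that parses the output of the two show commands above and flags a cache that is not Usable, does not own the full hash allotment, or has recorded authentication failures (a sign of a client with the wrong password trying to join the group). The sample text is constructed to match the format shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the output of
# "show ip wccp" / "show ip wccp web-cache detail" captured from the ASA.

# Constructed sample in the shape of the article's output (values made up).
WCCP_SAMPLE='Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.254
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Total Authentication failures:       0
WCCP Client information:
        WCCP Client ID:          192.168.1.253
        State:                   Usable
        Hash Allotment:          256 (100.00%)'

# Print the value that follows "<label>:" on the first matching line.
wccp_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Return 0 when the service group looks healthy, 1 otherwise, and print a
# one-line summary either way so it can be logged from cron.
wccp_check() {
    out=$1
    clients=$(wccp_field 'Number of Service Group Clients' "$out")
    auth=$(wccp_field 'Total Authentication failures' "$out")
    state=$(wccp_field 'State' "$out")
    alloc=$(wccp_field 'Hash Allotment' "$out" | sed 's/.*(\(.*\)%).*/\1/')
    status=ok
    [ "$clients" = "1" ] || status=degraded
    [ "$state" = "Usable" ] || status=degraded
    [ "$alloc" = "100.00" ] || status=degraded
    # Any authentication failure means something with the wrong WCCP
    # password tried to register as a cache: treat it as an alarm.
    [ "${auth:-0}" -eq 0 ] || status=auth-failure
    printf 'wccp=%s clients=%s state=%s allotment=%s auth_failures=%s\n' \
        "$status" "$clients" "$state" "$alloc" "$auth"
    [ "$status" = ok ]
}

# Usage on real output saved from the ASA, e.g. via an ssh/expect wrapper:
#   wccp_check "$(cat /var/log/asa-wccp.txt)"
```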
Now you can add the finishing touches: bolt on SquidGuard for finer filtering, SARG for pretty statistics for the boss, and so on, whatever you like. But that is another story. If there is interest, I can describe these steps.

Thank you for your attention, I will try to answer all questions.

Source: https://habr.com/ru/post/150221/

