# Cannot use Cisco ASA 5505 wccp + squid



## igorino (Feb 4, 2015)

Dear all,
I am trying to configure www/squid, version 3.4, on FreeBSD 10.1-RELEASE to communicate through WCCP with a Cisco ASA 5505 router.
The FreeBSD Squid server IP is 172.17.0.61.
The Cisco ASA has three interfaces (loc: 172.17.0.0/16, DMZ: 192.168.0.0/24, net: 123.123.123.0/26 (fictional)).
This is what I have configured so far:
/etc/rc.conf

```
...
ifconfig_re0="inet 172.17.0.61 netmask 255.255.0.0"
defaultrouter="172.17.0.254"
cloned_interfaces="gre0"
ifconfig_gre0="1.1.1.1 1.1.1.2 netmask 255.255.255.252 link2 tunnel 172.17.0.61 172.17.0.254 up"
squid_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_script="/usr/local/etc/ipfw.rules"
```

/boot/loader.conf

```
dummynet_load="YES"
if_gre_load="YES"
```

/etc/sysctl.conf

```
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
```

/usr/local/etc/ipfw.rules

```
#!/bin/sh
/sbin/ipfw -f flush
# Port-80 packets that arrive decapsulated on gre0 (WCCP redirects from the ASA)
# are handed to Squid's intercept port on loopback
/sbin/ipfw add 10 fwd 127.0.0.1,3129 tcp from any to any 80 recv gre0
# Everything else passes (firewall_type="open")
/sbin/ipfw add 60000 allow ip from any to any
```

/usr/local/etc/squid/squid.conf

```
# Intercept port that the ipfw fwd rule points at
http_port 3129 intercept
# WCCPv2 peer (the ASA's loc interface) and the standard web-cache service (id 0)
wccp2_router 172.17.0.254
wccp2_assignment_method hash
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
# wccp_version only applies to WCCPv1 (wccp_router); it has no effect on the wccp2_* directives
wccp_version 4
forwarded_for on
...
```

I enabled WCCP on the ASA with the following commands:

```
asa(config)# access-list wccp-traffic extended permit tcp 172.17.0.0 255.255.0.0 any eq www
asa(config)# access-list wccp-servers extended permit ip host 172.17.0.61 any
asa(config)# wccp web-cache redirect-list wccp-traffic group-list wccp-servers
asa(config)# wccp interface loc web-cache redirect in
```

But, no matter what, this is what I get:
`asa# show wccp web-cache view`

```
WCCP Routers Informed of:
-none-
WCCP Cache Engines Visible:
-none-
WCCP Cache Engines NOT Visible:
-none-
```
And in the FreeBSD box:
`# ipfw show`

```
00010  0  0 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 recv gre0
```

I know about the following two limitations that Cisco warns of (https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration):
"1) The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance."
The server 172.17.0.61 is in the same VLAN as the clients (I tried putting it on a port of the clients' switch and on another port in the same VLAN on the ASA; still no go).

"2) Router ID is chosen as the highest IP address configured on the ASA. If that happens to be the DMZ interface or the outside interface IP address, then the WCCP server has to have a route to get to that Router-ID address pointing to the ASA's interface."
Since I do not receive any address from `show wccp web-cache view`, I allowed all traffic from the net interface to 172.17.0.61 on the loc interface and then tried every pingable IP address of the net interface in the above configuration, with the same results.

Does anybody have a tip on what I have to do to make the coordination work?
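When `show wccp web-cache view` stays empty, the first thing worth checking is what Squid actually puts on the wire. The following is an added example, not code from either post: it decodes the WCCPv2 HERE_I_AM / I_SEE_YOU datagrams exchanged on UDP port 2048, reports whether the registration is unauthenticated, compares the announced cache address with the host in the ASA group-list, and verifies the MD5 authenticator when a WCCP password is configured on both sides. The field layout and the MD5 construction (password zero-padded to 8 bytes, MD5 over that pad followed by the message with the digest field zeroed) are taken from my reading of the WCCPv2 draft and Squid's wccp2.cc and should be treated as assumptions to confirm against a real capture; `build_here_i_am()` constructs a sample datagram, and 172.17.0.61 is the cache address from the post.

```python
"""Decode and sanity-check WCCPv2 control messages (UDP port 2048).
Added example for this thread, not code from either post. Field layout follows the
WCCPv2 draft (draft-wilson-wrec-wccp-v2) as Squid's wccp2.cc implements it (assumed);
only component types 0-3 are decoded in full. Feed each UDP payload captured with
`tcpdump -ni re0 udp port 2048` to parse_message() and diagnose()."""
import hashlib, hmac, ipaddress, struct
from typing import List, Optional

WCCP2_VERSION = 0x0200
MSG_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
COMPONENTS = {0: "SECURITY_INFO", 1: "SERVICE_INFO", 2: "ROUTER_ID_INFO", 3: "WC_ID_INFO",
              4: "RTR_VIEW_INFO", 5: "WC_VIEW_INFO", 6: "REDIRECT_ASSIGNMENT", 7: "QUERY_INFO"}
NO_SECURITY, MD5_SECURITY = 0, 1


def ip4(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_message(payload: bytes) -> dict:
    """Split a WCCP2 datagram into its header fields and a list of decoded components."""
    if len(payload) < 8:
        raise ValueError("shorter than a WCCP2 header")
    mtype, version, length = struct.unpack("!IHH", payload[:8])   # type(4) version(2) length(2)
    if version != WCCP2_VERSION:
        raise ValueError(f"not WCCP v2 (version 0x{version:04x})")
    if length != len(payload) - 8:
        raise ValueError(f"header length {length} disagrees with payload {len(payload) - 8}")
    comps, off = [], 8
    try:
        while off < len(payload):                                  # components: type(2) len(2) body
            ctype, clen = struct.unpack("!HH", payload[off:off + 4])
            body = payload[off + 4:off + 4 + clen]
            if len(body) != clen:
                raise ValueError(f"component {ctype} truncated")
            comps.append(dict(_decode(ctype, body), offset=off))
            off += 4 + clen
    except struct.error as exc:      # short component header, or body too short for its type
        raise ValueError("malformed component") from exc
    return {"type": MSG_TYPES.get(mtype, mtype), "components": comps}


def _decode(ctype: int, body: bytes) -> dict:
    c = {"component": COMPONENTS.get(ctype, f"TYPE_{ctype}")}
    if ctype == 0:      # Security Info: 4-byte option, then a 16-byte MD5 when option == 1
        c["security"] = struct.unpack("!I", body[:4])[0]
        if c["security"] == MD5_SECURITY:
            c["md5"] = body[4:20].hex()
    elif ctype == 1:    # Service Info: type, id, priority, protocol, flags, eight ports
        stype, sid, prio, proto, flags = struct.unpack("!BBBBI", body[:8])
        c.update(service="standard" if stype == 0 else "dynamic", id=sid, priority=prio,
                 protocol=proto, flags=flags, ports=[p for p in struct.unpack("!8H", body[8:24]) if p])
    elif ctype == 2:    # Router Identity: router-id address, receive id, sent-to address, ...
        rid, recv_id, sent_to = struct.unpack("!4sI4s", body[:12])
        c.update(router_id=ip4(rid), receive_id=recv_id, sent_to=ip4(sent_to))
    elif ctype == 3:    # Web-Cache Identity: address, hash revision, flags, 256 bucket bits, weight, status
        addr, hrev, flags = struct.unpack("!4sHH", body[:8])
        weight, status = struct.unpack("!HH", body[40:44])
        c.update(cache=ip4(addr), hash_revision=hrev, flags=flags, weight=weight, status=status)
    return c


def md5_authenticator(payload: bytes, password: str, sec_off: int) -> bytes:
    """Authenticator as Squid computes it (assumed): password zero-padded/truncated to 8 bytes,
    MD5 over that pad followed by the whole datagram with the digest field (sec_off + 8) zeroed."""
    pwd = password.encode()[:8].ljust(8, b"\0")
    zeroed = payload[:sec_off + 8] + b"\0" * 16 + payload[sec_off + 24:]
    return hashlib.md5(pwd + zeroed).digest()


def verify_md5(payload: bytes, password: str) -> bool:
    """True only if the message carries an MD5 authenticator that matches `password`."""
    sec = next((c for c in parse_message(payload)["components"] if c["component"] == "SECURITY_INFO"), None)
    if sec is None or sec["security"] != MD5_SECURITY:
        return False
    return hmac.compare_digest(md5_authenticator(payload, password, sec["offset"]).hex(), sec["md5"])


def diagnose(msg: dict, cache_ip: str) -> List[str]:
    """Findings worth checking while `show wccp web-cache view` stays empty."""
    by = {c["component"]: c for c in msg["components"]}
    out = []
    if "SECURITY_INFO" not in by or by["SECURITY_INFO"]["security"] == NO_SECURITY:
        out.append("no WCCP password: registration is unauthenticated "
                   "(wccp2_service ... password= in squid.conf, `wccp web-cache password` on the ASA)")
    if msg["type"] == "HERE_I_AM" and "WC_ID_INFO" in by and by["WC_ID_INFO"]["cache"] != cache_ip:
        out.append(f"cache announces itself as {by['WC_ID_INFO']['cache']}, not the group-list host {cache_ip}")
    if msg["type"] == "I_SEE_YOU" and "ROUTER_ID_INFO" in by:
        out.append(f"router id is {by['ROUTER_ID_INFO']['router_id']}: GRE redirects will be sourced from it")
    return out


def build_here_i_am(cache_ip: str, service_id: int = 0, password: Optional[str] = None) -> bytes:
    """Constructed test datagram shaped like Squid's `wccp2_service standard 0` HERE_I_AM."""
    if password is None:
        security = struct.pack("!HHI", 0, 4, NO_SECURITY)
    else:
        security = struct.pack("!HHI", 0, 20, MD5_SECURITY) + b"\0" * 16
    service = struct.pack("!HHBBBBI8H", 1, 24, 0, service_id, 0, 0, 0, *([0] * 8))
    wc_id = (struct.pack("!HH4sHH", 3, 44, ipaddress.IPv4Address(cache_ip).packed, 0, 0)
             + b"\0" * 32 + struct.pack("!HH", 0, 0))
    body = security + service + wc_id
    pkt = struct.pack("!IHH", 10, WCCP2_VERSION, len(body)) + body
    if password is not None:            # security component is at offset 8, so the digest sits at 16..32
        pkt = pkt[:16] + md5_authenticator(pkt, password, 8) + pkt[32:]
    return pkt
```

Capture on the Squid host with `tcpdump -ni re0 udp port 2048`. If HERE_I_AM datagrams leave periodically but no I_SEE_YOU ever comes back, the problem is on the ASA side (redirect-list/group-list match, or a router ID the cache has no route to); if an I_SEE_YOU does arrive, the `router_id` it carries is the address the GRE redirects will be sourced from, and therefore the address the gre0 tunnel endpoint in rc.conf has to match.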


----------



## TurboCache (Sep 26, 2016)

I had to use the `ip tunnel` command to get Squid transparent WCCP working with Cisco firewalls when the Cisco WCCP router ID is not the inside network IP address. The router ID is determined by the highest IP address. If you use a 10.X.X.X address on your inside network and 172.X.X.X on the DMZ or 38.X.X.X on the external WAN, then your router ID will be 172.X.X.X, requiring the `ip tunnel` command shown below.

Cisco command: `show wccp` displays the WCCP router ID.

Cisco 5520 firewall is IP 10.1.1.1
Squid server is IP 10.1.1.50
Cisco firewall DMZ (router ID) is IP 172.16.30.1

squid.conf

```
# WCCP registration goes to the inside interface, not the router ID
wccp2_router 10.1.1.1
wccp_version 4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
```

Linux server:

```
# Terminate the WCCP GRE tunnel from the router ID (172.16.30.1), not the inside address
ip tunnel add wccp0 mode gre remote 172.16.30.1 local 10.1.1.50 dev enp0s3
ip addr add 10.1.1.50/32 dev wccp0
ip link set wccp0 up
# Forward, and switch off reverse-path filtering so decapsulated client packets are not dropped
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
# Clear out the NAT PREROUTING chain, then send port-80 traffic arriving on wccp0 to Squid
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.50:3128
```

regards,

Damian


----------

