Cisco WCCP Squid Transparent Proxy

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccie-routing-switching-written/cisco-wccp-squid-transparent-proxy/

Heya,

Is it possible to use an HSRP pair instead of a single Cisco device? I guess it’s not possible to terminate a GRE tunnel on an HSRP VIP …

Cheers
Ben

Hi Ben,

I haven’t tried it but it seems to be possible. This is from the Cisco website:

When you configure WCCP for use with the Hot Standby Router Protocol (HSRP), you must configure the WAE with the HSRP or the Virtual Router Redundancy Protocol (VRRP) virtual router address as its default gateway, and the WAE WCCP router-list with the primary address of the routers in the HSRP group.

Rene

Could you help me create a GRE tunnel on Debian Wheezy 7.2, please?
I have tried several times but I can’t get it set up.
I don’t see /etc/sysconfig/selinux in Debian to set selinux=disabled.

Hi Jam,

Only CentOS uses SELinux by default, so there is no need to worry about it in Ubuntu. Configuration of the GRE tunnel is a bit different though.

If you want to create a GRE tunnel from the command-line you can try this:

ip tunnel add wccp0 mode gre remote 192.168.1.254 local 192.168.1.253 dev eth0
ifconfig wccp0 192.168.1.253 netmask 255.255.255.255 up

If you want to make this permanent, you can create an entry in /etc/network/interfaces or put the above lines in a script that runs at startup.

Rene

This is a nice article but for the life of me I can’t see the GRE tunnel come up automatically. My setup is based on a CentOS 6.4 distro and the setup is almost exactly the same as what you have here. I may have some settings on my router config which may perhaps clash with the GRE tunnel. WCCP checks appear to be correct however.

I have used tcpdump on the wccp0 interface and there doesn’t appear to be any traffic going over it.
I do have an ip nat inside command applied to my router interface, and the router does have another ACL which permits the subnet to any. I’ve seen other examples of this which appear to use NAT, but I prefer this method. I’m just wondering how to troubleshoot this further?

Hi Andrew,

WCCP can be a pain to make work. My plan was to spend 1-2 hours configuring it so I could write a blog post on it, but it took me a full day to get it to work.

If you doubt your router config, please boot up a router in GNS3 with just the minimum configuration required for WCCP; just pick the config that I used. IOS 15 also gives you more show commands for WCCP than 12.4. Did you also check iptables, to make sure it’s not blocking any traffic?

Rene
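The Debian tunnel commands above, together with the two things Rene asks Andrew to check (traffic on wccp0 and iptables), as one Linux-side setup and check script. This is an added example and not code from the original post or from the networklessons.com lesson. It assumes the router’s WCCP Router Identifier is 192.168.1.254, the Squid host is 192.168.1.253 on eth0, and Squid listens on TCP 3128 in intercept mode; all four are overridable variables.

```shell
#!/bin/sh
# Linux side of a WCCPv2 GRE redirect into Squid: added example, not code from
# the original post. Assumed values (change them to match "show ip wccp"):
ROUTER_ID=${ROUTER_ID:-192.168.1.254}   # "Router Identifier" in show ip wccp
LOCAL_IP=${LOCAL_IP:-192.168.1.253}     # this Squid host, on the router's segment
LOCAL_IF=${LOCAL_IF:-eth0}              # interface facing the router
SQUID_PORT=${SQUID_PORT:-3128}          # "http_port 3128 intercept" in squid.conf
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands, 0 = run them (root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. GRE tunnel. WCCP encapsulates redirected packets in GRE sourced from the
#    router identifier address, so that address (not the router's LAN address,
#    if the two differ) is the remote end. Redirected traffic only comes in
#    through the tunnel, so it needs no route of its own.
gre_setup() {
  run ip tunnel add wccp0 mode gre remote "$ROUTER_ID" local "$LOCAL_IP" dev "$LOCAL_IF"
  run ip addr add "$LOCAL_IP/32" dev wccp0
  run ip link set wccp0 up
}

# 2. Reverse-path filtering drops the decapsulated client packets, because the
#    client source addresses are not routed via wccp0. This is a common cause
#    of "the router counts redirected packets but nothing reaches Squid".
sysctl_setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w "net.ipv4.conf.$LOCAL_IF.rp_filter=0"
  run sysctl -w net.ipv4.conf.wccp0.rp_filter=0
}

# 3. Hand port-80 connections arriving through the tunnel to Squid. Matching
#    on wccp0 keeps Squid's own outbound fetches out of the redirect.
iptables_setup() {
  run iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

# Checks for the symptoms in the thread: missing interface, rp_filter still on,
# no REDIRECT rule, and whether GRE from the router arrives at all.
check() {
  ip link show wccp0 >/dev/null 2>&1 || { echo "wccp0 does not exist"; return 1; }
  for c in all "$LOCAL_IF" wccp0; do
    echo "rp_filter $c = $(sysctl -n "net.ipv4.conf.$c.rp_filter" 2>/dev/null || echo unknown)"
  done
  iptables -t nat -S PREROUTING | grep -q 'wccp0.*REDIRECT' || echo "no REDIRECT rule on wccp0"
  echo "waiting up to 5s for GRE from $ROUTER_ID on $LOCAL_IF ..."
  timeout 5 tcpdump -ni "$LOCAL_IF" -c 3 "proto gre and src host $ROUTER_ID"
}

case "${1:-}" in
  apply) gre_setup; sysctl_setup; iptables_setup ;;
  check) check ;;
esac
```

`DRY_RUN=1 sh wccp-squid.sh apply` prints the commands so they can be pasted into /etc/network/interfaces or a startup script; `DRY_RUN=0 sudo sh wccp-squid.sh apply` runs them. `sudo sh wccp-squid.sh check` is the first thing to run when the router shows Redirected Packets climbing but tcpdump on wccp0 stays silent: if no GRE from the router identifier shows up on the physical interface, the problem is on the router or in between, not in Squid.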

Hi Rene,

I have a Cisco 2921 with c2900-universalk9-mz.SPA.152-4.M5.bin. I configured WCCP to redirect all web traffic through my proxy and it is working fine, but now I want to redirect HTTPS through my proxy and cannot do this. Can you please provide me with some examples or advice on how to do this?
Thank you,

Hi Andrei,

I haven’t tried HTTPS but from what I’ve read you have to enable service 70 to make HTTPS work. Have you tried that?

Rene

Hi Rene

We have issues setting this WCCP up with VLANs on a Cisco 887VA with the Advanced IP Services IOS and a GNU/Linux machine with Squid. Is our config correct when applying the ip wccp commands to the VLAN?

interface Vlan10
 description finance
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 description warehouse
 ip address 192.168.20.1 255.255.255.0
 ip wccp web-cache redirect in
 ip nat inside
 no ip virtual-reassembly in
!
interface Vlan30
 description office
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in


access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 80 permit 192.168.0.203
access-list 120 remark ACL for WCCP proxy access
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny   ip host 192.168.0.203 any
access-list 120 remark LAN clients proxy port 80 only
access-list 120 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny   ip any any

Our tunnel is up but we cannot ping the other side of the tunnel …

Our show interface output:

VDSL4#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Vlan20 (192.168.20.1)
  MTU 17912 bytes, BW 10000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.30.1 
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:13:40
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)

What is the difference between the IP of “Tunnel source” and the “Interface is unnumbered” IP address? How do we modify these IPs?

We got to ping between the two hosts. What are we doing wrong? Is it necessary to apply a route?

Our show ip wccp command output:

VDSL4#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.30.1

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            821
          Process:                           0
          CEF:                               821
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0
VDSL4#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          192.168.0.203
        Protocol Version:        2.00
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Connect Time:            00:32:09
        Redirected Packets:
          Process:               0
          CEF:                   929
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Hash Allotment:          256 of 256 (100.00%)
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

It is quite confusing to get this work …

What do you suggest we should try to troubleshoot this?

Thanks in advance for your time !

BR
Tim Teenstra

Hi Tim,

WCCP is pretty confusing, this tutorial took me about 6 hours from start to finish. I had a lot of troubleshooting to do before this worked…

Your config looks OK and you can see the router is redirecting traffic:

Redirected Packets:
Process: 0
CEF: 929

You don’t have to worry about tunnel source and ip unnumbered for the WCCP configuration. When you configure a “normal” GRE tunnel between two routers you have to specify the source + destination of the tunnel yourself, now we don’t have to because WCCP does this for us.

IP unnumbered is about the IP address on the tunnel itself; here’s an example if you are interested:

The Cisco side looks OK…what about squid? are you 100% sure it is operational?

Rene

Thanks for the advice, Rene.

We will look into the squid config then.

Tim

Hi,
I don’t think it’s valid for CCIE v5.

Hi Husam,

That’s right. If it was on the list I’ll remove it; it’s not in v5 anymore.

Rene

How would you also enable the proxy for HTTPS?

and if Linux hosts have multiple interfaces/routes, do I need to manipulate them? (to point to proxy facing subnet?)

Hmm good question. I doubt changing the port from 80 to 443 will be enough for this. HTTPS traffic is encrypted so I think some additional config on the squid server is required.

If your hosts have multiple interfaces then you need to make sure that the router configured for WCCP is used as their default gateway, yes.

The proxy is working for HTTP, as you can see below.

s#show adjacency tunnel 0 detail 
Protocol Interface Address
IP Tunnel0 10.4.1.12(3)
connectionid 1
16 packets, 1376 bytes
epoch 0
sourced in sev-epoch 35
Encap length 28
4500000000000000FF2F0545AC1BFF5E
0A04010C0000883E00000000
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/2.10, addr 10.4.1.12

Guides say I need to create CA and do all that SSL proxying. But I don’t need to decrypt or intercept. Can I somehow put 443 behind 80?

Because HTTPS uses certificates and a secure connection, you can’t just forward TCP 443 (HTTPS) traffic to Squid like we do with HTTP traffic.

When a user requests an HTTPS website, it will be forwarded by WCCP to Squid. The Squid server will then create a secure connection with the client, and you will need a certificate on the Squid server for this. This certificate also has to be installed on your users’ computers; otherwise they’ll get a warning from their browser that the certificate is untrusted.

Squid will then connect to the HTTPS website and fetch whatever the user has requested and then forwards it to the user. Basically the squid server is a “man in the middle” with this setup.
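The Squid side of what the two HTTPS questions in this thread ask for (Andrei’s service 70 question and the man-in-the-middle setup Rene describes above), as an added example that is not the original post’s configuration. It assumes Squid 3.5 built with --with-openssl and --enable-ssl-crtd, a router identifier of 192.168.1.254, the CA under /etc/squid/ca, and Squid listening on 3128 (HTTP) and 3129 (HTTPS); the router-side commands appear as comments in the generated fragment. The "splice" mode goes one step beyond the post: it registers the same service 70 but only peeks at the TLS ClientHello and passes the connection through undecrypted, so no CA is needed on the clients.

```shell
#!/bin/sh
# Squid-side configuration for adding HTTPS to the WCCP redirect: added example,
# not the original post's configuration. Assumptions: Squid 3.5 built with
# --with-openssl and --enable-ssl-crtd, router identifier 192.168.1.254, and the
# CA that signs the forged site certificates kept under /etc/squid/ca.
ROUTER_ID=${ROUTER_ID:-192.168.1.254}
CA_DIR=${CA_DIR:-/etc/squid/ca}
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands, 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Print the squid.conf fragment. Mode "bump" decrypts: Squid is the man in the
# middle and every client must trust $CA_DIR/squidCA.pem. Mode "splice" peeks
# at the ClientHello (SNI) and then passes the TLS session through untouched:
# no CA on the clients, but Squid cannot cache or filter URLs, only hostnames.
squid_https_conf() {
  mode=${1:-bump}
  case $mode in
    bump|splice) ;;
    *) echo "mode must be bump or splice" >&2; return 2 ;;
  esac
  cat <<EOF
# --- WCCPv2 registration ---
# Router side (IOS): "ip wccp web-cache" and "ip wccp 70" globally, and on the
# client-facing interface "ip wccp web-cache redirect in" and "ip wccp 70 redirect in".
wccp2_router $ROUTER_ID
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

# --- listeners; pair with iptables REDIRECT 80->3128 and 443->3129 on wccp0 ---
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CA_DIR/squidCA.pem key=$CA_DIR/squidCA.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cert_error deny all

# --- SslBump policy: look at the ClientHello first, then $mode ---
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump $mode all
EOF
}

# Create the signing CA and the certificate cache Squid forges site certs from.
# In bump mode squidCA.pem is what has to be imported into the clients' trust
# stores; the key must stay on the Squid host only.
make_ca() {
  run mkdir -p "$CA_DIR"
  run openssl req -new -newkey rsa:2048 -sha256 -days 1825 -nodes -x509 \
    -subj "/CN=Squid transparent proxy CA" \
    -keyout "$CA_DIR/squidCA.key" -out "$CA_DIR/squidCA.pem"
  run /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
}

# Second REDIRECT rule, next to the port-80 one.
iptables_https() {
  run iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
}

case "${1:-}" in
  conf) squid_https_conf "${2:-bump}" ;;
  ca) make_ca ;;
  iptables) iptables_https ;;
esac
```

`sh squid-https.sh conf bump >> /etc/squid/squid.conf` emits the decrypting configuration, `sh squid-https.sh conf splice` the pass-through one, and `DRY_RUN=0 sudo sh squid-https.sh ca` builds the CA. Service 70 is a dynamic service, so its definition (protocol, ports, hash flags) comes from the wccp2_service_info line on the Squid side; the router only has to enable the service number and apply the redirect on the interface.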

Right.
Because corporations have a proxy on 80 or 8080 and not a special one for HTTPS/443.
And IT still directs us to send all HTTPS/443 traffic to the port-80 proxy without the use of a custom third-party cert.

I wonder how they do that. Any idea?
So I guess I want Squid to act like an L3 router for HTTPS/443 traffic?

Thanks!