WCCP on Cisco ASA with squid

March 15, 2013 — 2 Comments

The Web Cache Communication Protocol (WCCP) is a Cisco-developed protocol that transparently redirects selected outbound traffic at the inbound interface to one or more cache engines.

One or more cache proxy servers keep local copies of frequently requested web resources and answer local requests directly, which makes better use of your downstream bandwidth. Access and download times for web content improve significantly, and you can also use the cache proxy server as a web proxy to control internet traffic.


For professional use of WCCP you can use a security appliance such as Sophos (Astaro) or Blue Coat ProxySG, but a software-based proxy server works too. I decided to use squid on a 64-bit CentOS Linux machine; squid is the most popular Linux proxy server for caching and filtering websites, and I know of some ISPs that use squid and are quite pleased with it.

The Topology:

Before you begin you have to know that the caching proxy server has to sit on the same ASA interface as the clients; it is the only topology in which the ASA supports WCCP. For example, you cannot run the proxy server in the management network and use it for web redirection in the production network. Many WCCP problems originate here: you reach the end of the configuration, realise that it does not work, and believe me, it is very disappointing.

WCCP Configuration on ASA

We begin by configuring WCCP on the ASA; the configuration on a Cisco router or a Layer 3 switch is very similar.

First of all you have to create two ACLs. With the first ACL you tell the ASA where the caching proxy server(s) are; I name this ACL “wccp-server”:

access-list wccp-server extended permit ip host 172.16.1.100 any

With the other ACL you declare the clients and the traffic that should be intercepted. Of course you have to exclude the proxy server itself from the client ACL, otherwise its own outbound requests would be redirected back to it:

access-list wccp-traffic line 1 extended deny ip host 172.16.1.100 any
access-list wccp-traffic line 2 extended permit tcp 172.16.1.0 255.255.255.0 any eq www

OK, then we configure the WCCP service on the ASA and apply it to the interface, in this case the production interface:

wccp web-cache redirect-list wccp-traffic group-list wccp-server
wccp interface production web-cache redirect in

You can always check and debug your configuration with show wccp:

show wccp
 
Global WCCP information:
Router information:
Router Identifier: 172.16.1.254.254
Protocol Version: 2.0
 
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 459
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-server
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

So far so good; let's get squid running on CentOS:

squid Installation

As I said, I installed squid on CentOS 6 64-bit, but it works on Debian-based systems like Ubuntu too.

To install squid use:

yum install squid

NOTICE:

I found that the Linux firewall (iptables) and SELinux blocked some client requests and caused unnecessary problems. My server sits behind the ASA and there is no NAT that would expose it to the outside, so I turned off iptables and SELinux:

service iptables stop
chkconfig iptables off

To switch off SELinux you have to open and edit the SELinux config:

nano or vi /etc/selinux/config

and replace the line

SELINUX=enforcing

with

SELINUX=disabled

Save, done.
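Instead of switching iptables and SELinux off altogether, the following script (an added example, not part of the original post) opens only what WCCPv2 needs on the squid host. It also sets up the GRE tunnel interface and the port-80 redirect that a Linux squid needs in order to receive the ASA's GRE-encapsulated traffic with wccp2_forwarding_method 1; the post does not cover that step. The addresses are placeholders taken from the post's examples (ASA 172.16.1.254, squid 172.16.1.100, clients 172.16.1.0/24), the tunnel name wccp0 and port 3128 are assumptions, and by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: keep iptables and SELinux on and
# open only what WCCPv2 needs on the squid host, plus the GRE tunnel and the
# port-80 redirect that a Linux squid uses to receive the ASA's GRE traffic.
# Assumed addresses (placeholders mirroring the post's examples):
#   ASA_IP     ASA inside interface / WCCP router id   (172.16.1.254)
#   SQUID_IP   the squid host                          (172.16.1.100)
#   CLIENT_NET the redirected client subnet            (172.16.1.0/24)
# By default every command is only printed; run as root with APPLY=1 to apply.
ASA_IP=${ASA_IP:-172.16.1.254}
SQUID_IP=${SQUID_IP:-172.16.1.100}
CLIENT_NET=${CLIENT_NET:-172.16.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
APPLY=${APPLY:-0}

# run: print the command, and execute it only when APPLY=1
run() {
    echo "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# wccp_firewall_rules: the narrow allow-list that replaces 'service iptables stop'.
# Rules are inserted (-I) because the CentOS default INPUT chain ends in a REJECT,
# so appended rules would never be reached.
wccp_firewall_rules() {
    # WCCPv2 control messages (HERE_I_AM / I_SEE_YOU) travel on UDP 2048
    run iptables -I INPUT -p udp -s "$ASA_IP" --dport 2048 -j ACCEPT
    # the ASA delivers redirected client packets GRE-encapsulated (IP protocol 47)
    run iptables -I INPUT -p 47 -s "$ASA_IP" -j ACCEPT
    # after decapsulation the client connections land on squid's intercept port
    run iptables -I INPUT -p tcp -s "$CLIENT_NET" --dport "$SQUID_PORT" -j ACCEPT
}

# wccp_gre_tunnel: terminate the ASA's GRE redirect on a tunnel interface and
# hand the intercepted port-80 connections to 'http_port 3128 intercept'
wccp_gre_tunnel() {
    run modprobe ip_gre
    run ip tunnel add wccp0 mode gre remote "$ASA_IP" local "$SQUID_IP"
    run ip link set wccp0 up
    # reverse-path filtering would otherwise drop packets arriving via wccp0
    # (net.ipv4.conf.all.rp_filter must not override this per-interface value)
    run sysctl -w net.ipv4.conf.wccp0.rp_filter=0
    run iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# wccp_host_setup: the complete host-side setup, firewall first, then tunnel
wccp_host_setup() {
    wccp_firewall_rules
    wccp_gre_tunnel
}

wccp_host_setup
```

With SELinux left in enforcing mode, anything it does block shows up in /var/log/audit/audit.log, which is a better basis for a targeted fix than disabling it.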

Squid Configuration
Now we configure squid for WCCP. squid supports WCCP version 2, and you have to tell it the IP address of the WCCP router, in our case the ASA.

So open squid.conf:

nano /etc/squid/squid.conf

and add the following lines:

# WCCP router: the IP address of the ASA
wccp2_router 172.16.1.254
wccp_version 4
# 1 = GRE encapsulation for redirected and returned packets
wccp2_forwarding_method 1
wccp2_return_method 1

To use transparent redirection, add

http_port 3128 intercept

to squid.conf, then save and exit.

Now start squid on CentOS and make sure that the service runs again after a server restart:

service squid start
chkconfig squid on

Now the configuration is ready to use. From now on the ASA sends all web requests from the network 192.168.1.0/24 to squid, which fetches the website and forwards it to the client; the proxy server also caches the web content for the next client request.

You can use the squid logs to watch and verify the configuration:

cat /var/log/squid/access.log

Now I would like to set up URL filtering on squid.

URL-Filtering

It is much easier to configure URL filtering on squid if you approach it the way you would on Cisco IOS.

To define the pool of URLs we usually use an ACL in IOS; we use the same concept for squid, except that instead of an ACL we create a file in which we list the websites that should be blocked.

So I create a file named blacklist.squid:

touch /etc/squid/blacklist.squid

Open blacklist.squid and add the URLs that you want blocked:

nano /etc/squid/blacklist.squid

#blocked sites
# an entry like www.cisco.com matches only that host; write .cisco.com to match the domain and all its subdomains
www.rapidshare.com
www.cisco.com
www.site-x.com

and so on

Now open the squid configuration file:

/etc/squid/squid.conf

Here you have to assign the blacklist ACL in the squid configuration:

# ACL BLACKLIST
acl blacklist dstdomain "/etc/squid/blacklist.squid"

Then you have to tell squid that the members of this ACL (file) should be blocked:

# Deny access to BLACKLIST ACL
# squid evaluates http_access lines in order, so this deny has to come before the http_access allow rules for your clients
http_access deny blacklist
 
save and restart the squid service  :

service squid restart

After restarting squid you can test it: go to a client and try to open a blocked website. You should not be able to reach it; instead your browser should show the following page from squid:

Here I try to go to cisco.com.

Again you can see the blocked request in the squid logs:

1363337545.415      0 172.16.1.11 TCP_DENIED/403 4174 GET http://www.cisco.com/ - NONE/- text/html

URL-Keywords Filtering

To set up URL keyword filtering we use the same process as for URL filtering:

Create a file (ACL) named keywords.squid (you can use any name you want):

touch /etc/squid/keywords.squid

As with the blacklist, open keywords.squid and add the keywords that should be blocked.

Here are some regular expressions (regex) that I chose to block:

nano /etc/squid/keywords.squid

#blocked keywords
# each line is an extended regex; a request is denied when any of them matches anywhere in the URL
jobs
face
porn
share
download

save and exit

Open the squid configuration file:

nano /etc/squid/squid.conf

Assign the ACL “keywords” in squid.conf:

# ACL keywords
acl keywords url_regex -i "/etc/squid/keywords.squid"

Add a new “http_access deny” and bind it to the ACL “keywords”:

# Deny access to keywords ACL
http_access deny keywords

Save and restart the squid service again:

service squid restart


Notice:

URL keyword filtering is not the same as web content filtering.

URL keyword filtering means that the inspector compares the URL string against its pool of regexes; if any of them matches the URL, the website is blocked.

Web content filtering, however, inspects the content of a website and compares it with a keyword database. Of course web content filtering is a much more effective method of preventing access to undesired sites, but it needs a lot of CPU and memory, so I would recommend a high-performance NGF for content filtering; my favourites here are the Palo Alto NGF and the Cisco IronPort.

However, squid doesn't support web content filtering anyway.
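Because url_regex matches anywhere in the full URL, short keywords overmatch: "face" also hits a path like interfaces.html, and "share" hits the sharethis.com tracker requests that appear in the access.log below. The script that follows is an added example, not the post's own code; it evaluates a keyword file against a list of URLs the way squid's acl keywords url_regex -i evaluates it (grep -E -i -f against each full URL, comment lines skipped), so you can see what a list would block before loading it into squid. Both the keyword file and the URL list are constructed for the example; the keyword entries copy the post's list.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run a keyword file against
# sample URLs the way squid's 'acl keywords url_regex -i FILE' evaluates it.
# Every non-comment line is an extended regex matched case-insensitively
# anywhere in the full URL; a single hit is enough to deny the request.
# Both files below are constructed for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYWORDS="$WORK/keywords.squid"
URLS="$WORK/urls.txt"

# the post's keyword list
cat > "$KEYWORDS" <<'EOF'
#blocked keywords
jobs
face
porn
share
download
EOF

# constructed test URLs, several modelled on entries in the post's access.log
cat > "$URLS" <<'EOF'
http://www.cisco.com/en/US/docs/interfaces.html
http://seg.sharethis.com/getSegment.php
http://www.example.com/jobs/
http://www.freenet.com/
http://ocsp.verisign.com/
http://www.DOWNLOADS.example.net/
EOF

# url_regex_check KEYWORD_FILE URL_FILE
# prints 'DENY  <url> (matched: <text>)' or 'ALLOW <url>' for every URL
url_regex_check() {
    pats="$1.patterns"
    # squid skips '#' comment lines and blank lines in acl files
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" > "$pats"
    while IFS= read -r url; do
        [ -z "$url" ] && continue
        # -o shows which pattern fired, which is what you need to tune the list
        hit=$(printf '%s\n' "$url" | grep -E -i -o -f "$pats" | head -n 1)
        if [ -n "$hit" ]; then
            echo "DENY  $url (matched: $hit)"
        else
            echo "ALLOW $url"
        fi
    done < "$2"
    rm -f "$pats"
}

# count_denied KEYWORD_FILE URL_FILE: how many of the URLs the list would block
count_denied() {
    url_regex_check "$1" "$2" | grep -c '^DENY'
}

url_regex_check "$KEYWORDS" "$URLS"
```

Running it shows four of the six URLs denied, two of them (the Cisco documentation page and the sharethis.com request) by accident; anchoring the patterns (for example to the host part) or lengthening the keywords is the usual fix.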

As I said, you can see all web requests with:

  cat /var/log/squid/access.log
 1363333176.464    586 172.16.1.11 TCP_MISS/200 1122 GET http://seg.sharethis.com/getSegment.php? - DIRECT/184.73.184.231 text/html
 1363333176.468    590 172.16.1.11 TCP_MISS/204 253 GET http://l.sharethis.com/pview? - DIRECT/23.23.199.213 - 
 1363333176.727    141 172.16.1.11 TCP_MISS/204 391 GET http://b.scorecardresearch.com/b? - DIRECT/62.154.232.11 - 
 1363337545.411    526 172.16.1.11 TCP_MISS/301 648 GET http://cisco.com/ - DIRECT/72.163.4.161 text/html
 1363337545.415      0 172.16.1.11 TCP_DENIED/403 4174 GET http://www.cisco.com/ - NONE/- text/html
 1363337546.990   1558 172.16.1.11 TCP_MISS/304 378 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/198.186.193.234 - 
 1363337547.007      0 172.16.1.11 TCP_DENIED/403 4171 GET http://www.cisco.com/favicon.ico - NONE/- text/html
 1363337636.251    154 172.16.1.11 TCP_MISS/200 542 GET http://www.google-analytics.com/__utm.gif? - DIRECT/173.194.35.162 image/gif
 1363337636.276   2072 172.16.1.11 TCP_MISS/200 17788 GET http://www.freenet.com/ - DIRECT/216.214.162.173 text/html
 1363337636.389    238 172.16.1.11 TCP_MISS/304 294 GET http://www.freenet.com/wp-includes/js/l10n.js? - DIRECT/216.214.162.173 - 
 1363337636.389    237 172.16.1.11 TCP_MISS/304 296 GET http://www.freenet.com/wp-includes/js/jquery/jquery.js? - DIRECT/216.214.162.173 - 
 1363337636.393    240 172.16.1.11 TCP_MISS/304 295 GET http://www.freenet.com/wp-includes/js/jquery/jquery.form.js? - DIRECT/216.214.162.173 - 
 1363337636.396    243 172.16.1.11 TCP_MISS/304 295 GET http://www.freenet.com/wp-content/plugins/post-from-site/jquery.MultiFile.pack.js? - DIRECT/216.214.162.173 - 
 1363337636.397    244 172.16.1.11 TCP_MISS/304 294 GET http://www.freenet.com/wp-content/plugins/post-from-site/pfs-script.js? - DIRECT/216.214.162.173  
 1363337636.638    487 172.16.1.11 TCP_MISS/200 2648 GET http://www.freenet.com/wp-content/plugins/post-from-site/pfs-style.php? - DIRECT/216.214.162.173 text/css
 1363337637.098    158 172.16.1.11 TCP_MISS/200 2352 POST http://ocsp.verisign.com/ - DIRECT/199.7.55.72 application/ocsp-response
 1363337637.556    153 172.16.1.11 TCP_MISS/200 445 GET http://wd-edge.sharethis.com/button/checkOAuth.esi - DIRECT/217.89.105.144 text/javascript
 1363337637.724    321 172.16.1.11 TCP_MISS/204 253 GET http://l.sharethis.com/pview? - DIRECT/75.101.129.225 - 
 1363337638.246    845 172.16.1.11 TCP_MISS/200 937 GET http://seg.sharethis.com/getSegment.php? - DIRECT/184.73.185.66 text/html
 1363337638.451    162 172.16.1.11 TCP_MISS/204 391 GET http://b.scorecardresearch.com/b? - DIRECT/62.154.232.8 - 
 1363337671.653     71 172.16.1.11 TCP_MISS/200 2310 POST http://ocsp.verisign.com/ - DIRECT/199.7.55.72 application/ocsp-response
 1363337718.524      0 172.16.1.11 TCP_DENIED/403 3845 GET http://porntube.com/ - NONE/- text/html
 1363337718.567      0 172.16.1.11 TCP_DENIED/403 3878 GET http://porntube.com/favicon.ico - NONE/- text/html
 1363337718.609      0 172.16.1.11 TCP_DENIED/403 3878 GET http://porntube.com/favicon.ico - NONE/- text/html
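To get something reviewable out of that log, the following script (an added example, not from the original post) runs two awk reports over squid's native access.log format: denied requests grouped by client and destination host, and the clients whose number of denials reaches a threshold. The log lines it parses are constructed in the same format as the output above, with placeholder clients and hosts.

```shell
#!/bin/sh
# Added example, not from the original post: two awk reports over squid's
# native access.log format (time elapsed client result/status bytes method url
# ident hierarchy/peer type). The log below is constructed for the example in
# that format; clients and hosts are placeholders.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
1363337545.411    526 172.16.1.11 TCP_MISS/301 648 GET http://cisco.com/ - DIRECT/72.163.4.161 text/html
1363337545.415      0 172.16.1.11 TCP_DENIED/403 4174 GET http://www.cisco.com/ - NONE/- text/html
1363337547.007      0 172.16.1.11 TCP_DENIED/403 4171 GET http://www.cisco.com/favicon.ico - NONE/- text/html
1363337636.276   2072 172.16.1.12 TCP_MISS/200 17788 GET http://www.freenet.com/ - DIRECT/216.214.162.173 text/html
1363337700.100      0 172.16.1.12 TCP_DENIED/403 3845 GET http://www.rapidshare.com/files/1 - NONE/- text/html
1363337700.200      0 172.16.1.12 TCP_DENIED/403 3845 GET http://www.rapidshare.com/files/2 - NONE/- text/html
1363337700.300      0 172.16.1.12 TCP_DENIED/403 3845 GET http://www.rapidshare.com:80/files/3 - NONE/- text/html
1363337701.000     12 172.16.1.11 TCP_HIT/200 2310 GET http://www.squid-cache.org/Artwork/SN.png - NONE/- image/png
EOF

# denied_summary LOGFILE
# denied requests grouped by client and destination host, most frequent first
denied_summary() {
    awk '$4 ~ "^TCP_DENIED/" {
            url = $7
            sub("^[A-Za-z]+://", "", url)   # strip the scheme
            sub("[/:].*$", "", url)         # strip port and path, keep the host
            n[$3 " " url]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# clients_over_threshold LOGFILE N
# clients with at least N denied requests: the ones worth following up
clients_over_threshold() {
    awk -v min="$2" '$4 ~ "^TCP_DENIED/" { d[$3]++ }
         END { for (c in d) if (d[c] >= min) print d[c], c }' "$1" | sort -rn
}

echo "== denied requests by client and host =="
denied_summary "$LOG"
echo "== clients with 3 or more denials =="
clients_over_threshold "$LOG" 3
```

Run against the real file (denied_summary /var/log/squid/access.log) this is also a cheap way to spot a blacklist entry that only matches the www host while clients reach the same site under another name.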

I just tried to send all of squid's logs to an internal log server, but I think that with more than 10 clients it makes no sense, because your log server will be flooded in a short time.

Finally, you have to check the CPU and memory on the squid server periodically; if you have a lot of requests and high load you should run squid on a dedicated, powerful server.

Take Care

 

2 responses to WCCP on Cisco ASA with squid

  1. Hi, this tutorial is amazing and helped me in my project! But this command, when I apply it in GNS:

    access-list wccp-traffic line 2 extended permit tcp ip 172.16.1.0 255.255.255.0 any eq www
    ERROR

    But when I apply this command, without "ip", it operates normally; could this present a problem when running?
    access-list wccp-traffic line 2 extended permit tcp 172.16.1.0 255.255.255.0 any eq www

    Thanks!

  2. In your diagram you have the proxy on a second interface of the ASA. Is this accurate?

    If our inside interface is on 192.168.10.5 and clients are on various other routed internal subnets that have a default route to the ASA inside IP, can we put our proxy on the same VLAN as the ASA inside interface, 192.168.10.6?
